How to: grant “Manage Build Resources” Privilege to users with tfssecurity.exe

  • Article

TFS allows flexible setup. It can be customized to address most peoples requirements.

Everything that can be changed with TFS Explorer in the UI can also be modified using the API and command line tools.

TFSSECURITY.EXE is one of those allowing to batch script modifications to TFS’s security interface.

However, for some scenarios the tool application is pretty complicated as the required input parameters are hard to figure out due to  their low level.

A customer asked me how to grant or deny a set o users the privilege to manage build resources via shell script.

the syntax looks pretty straight forward:

    1: tfssecurity /a+ Namespace, Token and Action <user/group> Allow /collection:<collectionURI>

But how do you get all three parameters Namespace, Token and Action?

To get the namespace use TFSSecurity /a against the collection:

    1: tfssecurity /a /collection:<collectionURI>

Output [Namespaces]:

WorkItemQueryFolders Registry VersionControlItems Identity Job Server Collection BuildAdministration VersionControlPrivileges Workspaces Project EventSubscription CSS TeamLabSecurity Iteration Build

Reading the token is the most tricky part and neither my EE colleague nor the WWW cam up with a better solution than running a SQL query against the confid DB:

    1: select distinct SecurityToken
    2: from Tfs_DefaultCollection..tbl_SecurityAccessControlEntry 
    3: where (SecurityToken not like '%/%' )and (SecurityToken not like '%$%')

Output [Tokens] :

BuildPrivileges FrameworkGlobalSecurity Global NAMESPACE:

The action can be queried with tfssecurity once more (syntax):

    1: :  tfssecurity /a Namespace Token /collection:<collectionURI>

Example:

    1: tfssecurity /a BuildAdministration BuildPrivileges /collection:<collectionURI>

Output [Build Management Privileges]

ViewBuildResources ManageBuildResources UseBuildResources

Notice: This post focuses on build management privileges and does not cover all possible scenarios.

There is a pretty detailed forum answer in the MSDN forums which covers alternative ways to retrieve tokens for other tasks:

https://social.msdn.microsoft.com/Forums/en-US/tfsadmin/thread/f55d218f-03be-4825-ae1b-3988152a805d/

I’d love to read your feedback if this article helped you solve your problem!