How to allow access to a child folder without allowing access to the parent folder in TFS Source Control

With TFS 2008, say I have the following path:

$/Team Project/Project/Source/Images

You have a new user in that team project who is not a member of any groups and will need to be added directly to Source Control security. You want to add that user to the "Source" folder for check-in and check-out permissions including the folders below, but deny them everything above.

You proceed to add them directly to the "Source" folder with "Check Out" and "Check In" permissions and deny "Read" permission on the folders above. You then leave inheritance on for all the folders below (in this example, "Images").

But when you test, you will notice it fails. The user can’t check out anything unless they have "Read" permission on the Team Project folder. Without "Read" permission, they receive the error message “The item $/Team Project does not exist on the server.”

The way I got this to work was to allow "Read" access to the “Team Project”. Next, on the "Project" folder, I had to uncheck "Inherit security settings" and add that account with Deny for "Read". I also had to re-add all of the default groups since they were no longer inherited from the Team Project.

As I moved down the folder tree, I left "Inherit security settings" on, since each folder inherited the Deny "Read" permission, until I got to the folder that I wanted to grant them access to. In this example, on the "Source" folder, I unchecked "Inherit security settings" and manually added that user with the "Check In", "Check Out", "Read", etc. permissions that I wanted. I also re-added the default groups on that folder.

The user will now have the permissions required for that folder and below only.
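
The same sequence can be scripted with the `tf permission` command instead of the Source Control Explorer dialogs. This is an added example, not part of the original post: the server URL, the account name, and the default groups with their rights are placeholders and assumptions, to be replaced with what `tf permission` reports on your own server before inheritance is switched off.

```powershell
# Added example. Placeholder values: replace with your own server and account.
$Server  = 'http://tfs2008:8080'      # placeholder TFS 2008 server URL
$User    = 'CONTOSO\newuser'          # placeholder account being restricted
$Root    = '$/Team Project'           # path from the post
$Project = "$Root/Project"
$Source  = "$Project/Source"

# Assumption: groups and rights to re-add once inheritance is off. Copy the real
# entries from the step 0 dump (include server-level groups if they are listed).
$Groups = @{
    '[Team Project]\Project Administrators' = '*'
    '[Team Project]\Contributors'           = 'Read,PendChange,Checkin,Label,Lock'
    '[Team Project]\Readers'                = 'Read'
}

function Invoke-Tf {
    # Run tf.exe against the server; stop on failure so a half-applied ACL is noticed.
    & tf.exe @args "/server:$Server"
    if ($LASTEXITCODE -ne 0) { throw "tf.exe failed: $args" }
}

function Restore-Groups($Path) {
    foreach ($g in $Groups.Keys) {
        Invoke-Tf permission "/group:$g" "/allow:$($Groups[$g])" $Path
    }
}

# Step 0: record the current ACLs, because the inherited entries disappear later.
foreach ($p in $Root, $Project, $Source) { Invoke-Tf permission $p }

# Step 1: the user needs Read on the team project root.
Invoke-Tf permission "/user:$User" '/allow:Read' $Root

# Step 2: on Project, stop inheriting, re-add the groups, then deny Read to the user.
Invoke-Tf permission '/inherit:no' $Project
Restore-Groups $Project
Invoke-Tf permission "/user:$User" '/deny:Read' $Project

# Step 3: on Source, stop inheriting (this drops the inherited Deny), re-add the
# groups, and grant the user's rights. PendChange is the CLI name for "Check out".
Invoke-Tf permission '/inherit:no' $Source
Restore-Groups $Source
Invoke-Tf permission "/user:$User" '/allow:Read,PendChange,Checkin' $Source

# Step 4: dump the resulting ACLs for review; Images still inherits from Source.
foreach ($p in $Project, $Source) { Invoke-Tf permission $p }
```

Apply the Deny to the individual account rather than to a group, then test with that account to confirm that "Project" is hidden while "Source" and "Images" can be checked out.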


Comments (4)
  1. MK says:

    Can I just right click on the Source folder, select Properties, go to Security and add the user using Windows User or Group options? Which I hope by then I can skip all the workaround steps you’d mentioned.

  2. CSSTFSBLOG says:

    Thank you MK for your comment.

    Unfortunately this is how the security model for the Team Foundation Server Source Code Control Explorer works. A user must have at least ‘READ’ permission to the Team Project to be able to access any folders underneath.

    Please keep in mind they will only need ‘READ’ on the Team Project and the folder you wish to give them access to. For all other folders in between the Team Project and the folder you wish to grant access to, you can deny ‘READ’ access for that user. I hope that helps.


  3. Shankar says:

    Hi, I have denied the read permission for one folder for one group (Project admin); after that the folder was not viewable even for the Project admin group. Kindly provide your help to resolve this.

  4. Metehan says:

    So complicated. I have a team project on TFS. Under Team Project, I have projectONE and ProjectTWO. I would like tempUser to Read, check in, check out ONLY projectTWO, and not be able to see ProjectOne at all. How difficult is this? I am losing my hair over this.
