TFS 2015 User needs Checkin permission(s) for $/p0/folder/*.

  • Article

Hi!
I had been working with some issues with customers not being able to apply Checkin process when working with TFS 2015
I take advantage of this space to share some references that may work for you

Common issues for scenarios like this are directly related to failing DOMAIN\alias not having required Checkin permission configurations.
this could be related to the following scenarios:
. The Checkin permission is explicitly denied on a parent of the folder for DOMAIN\alias or a group/subgroup:>> If this permission is not overridden at a lower level, the path will have inherit the deny entry.
. The Checkin permission needs to be set for the resource you are pointing to, and all parent folders that it’s inheriting permissions from, for the ALIAS or any groups/subgroups he belongs to(permission inheritance turned off for the resources you are pointing to or one of it’s parents)
. The Checkin permission explicitly denied for the folder for DOMAIN\alias or one of the group/subgroup alias belongs to.
. If there are multiple applicable entries, denies will override allows. This may fail also:

- If Contributors are denied Read access, and the user belongs to Contributors, giving the user Read access will not actually give him Read access >> if this is the case, just scope the deny down to a smaller group that the user does not belong to, or turn off inheritance and leave permissions unset instead of using deny entries at all.

Some troubleshooting you can try for discovering the permission entries are blocking the operation:

- Authenticate as "as a member of the Team Foundation Administrators group (for the entire instance) or the Team Project Collection Administrators group" as you can have visibility to see all paths and permissions
- Open Visual Studio Command Prompt, run
tfssecurity /imx DOMAIN\alias/server:https://SERVER:8080/tfs to get the list of groups alias belongs to, directly, or indirectly, this is by inheritance or not
- Run
tf permission $/p0/folder /recursive > Info.txt, check this Info.txt : this is fore the quantity of entries we may get
- Search for paths that include the entries:
“Inherit: No” where there is no explicit Allow: Read entry for the user or one of the groups he belongs to directly/indirectly
“Deny.*Read” for alias or any groups that tfssecurity showed.
- Update permissions
- Test!

Hope it helps!

Rosana