I was reading Chris Rathjen’s blog today (Known Issue: Project Creation Wizard (PCW) still says I need to be a Sharepoint Administrator after I become one) and it reminded me of an issue that I found late last year, but never fixed (I just filed the bug. Mea maxima culpa.), in the Team Foundation Installation Guide.
Managing Security Roles for Team Foundation Server in the Installation Guide says:
To create a new team project in Team Foundation Server, you must be a member of the Team Foundation Administrators group, a member of the Windows SharePoint Services Administrator role, and a member of the SQL Server Reporting Services Content Manager role.
When configuring permissions for a user to create a team project, that user needs to belong to the SharePoint Administration group, which is a group specified in SharePoint Central Administration. It’s not enough to be a member of the Administrator role of a top-level site. The user must be able to perform administrative functions for Windows SharePoint Services; specifically, they need permission to create a top-level site. For more background on top-level sites and Team Foundation Server, see this post I wrote earlier this year: Viewing All Team Project Portal Sites.
The Team Foundation Administrator’s Guide (online) has the correct information. See Team Foundation Server Administrator Permissions, and How to: Set Administrator Permissions for Windows SharePoint Services.
If you never encountered this problem before, perhaps the users you permit to create team projects are also local administrators on the server, which is how this issue eluded me when writing the Installation Guide. Managing the SharePoint Administration Group in the SharePoint docs says:
Two sets of users are allowed to perform administrative functions for Microsoft Windows SharePoint Services: members of the administrators group for the local server computer and members of the SharePoint administration group.
The question left in my head is, if you configure Self-Service Site Creation, does that forego the need to add team project-creating users to the SharePoint administration group? Has anyone tried that?