Required SharePoint Permissions for Creating a Team Project

I was reading Chris Rathjen's blog today (Known Issue: Project Creation Wizard (PCW) still says I need to be a Sharepoint Administrator after I become one) and it reminded me of an issue that I found late last year, but never fixed (I just filed the bug. Mea maxima culpa.), in the Team Foundation Installation Guide.

Managing Security Roles for Team Foundation Server in the Installation Guide says:

To create a new team project in Team Foundation Server, you must be a member of the Team Foundation Administrators group, a member of the Windows SharePoint Services Administrator role, and a member of the SQL Server Reporting Services Content Manager role.

When configuring permissions for a user to create a team project, that user needs to belong to the SharePoint Administration group, which is a group specified in SharePoint Central Administration. It's not enough to be a member of the Administrator role of a top-level site. The user must be able to perform administrative functions for Windows SharePoint Services; specifically, they need permission to create a top-level site. For more background on top-level sites and Team Foundation Server, see this post I wrote earlier this year: Viewing All Team Project Portal Sites.

The Team Foundation Administrator's Guide (online) has the correct information. See Team Foundation Server Administrator Permissions, and How to: Set Administrator Permissions for Windows SharePoint Services.

If you never encountered this problem before, perhaps the users you permit to create team projects are also local administrators on the server, which is how this issue eluded me when writing the Installation Guide. Managing the SharePoint Administration Group in the SharePoint docs says:

Two sets of users are allowed to perform administrative functions for Microsoft Windows SharePoint Services: members of the administrators group for the local server computer and members of the SharePoint administration group.

The question left in my head is, if you configure Self-Service Site Creation, does that forego the need to add team project-creating users to the SharePoint administration group? Has anyone tried that?


Tags:  | | |

Comments (4)
  1. CRathjen says:

    Rob, I just tried Self-Service Site Creation, and it fails the same way 🙁

    It was worth a shot, though.

    I think the problem is that PCW comes in via the Central Admin website – even if the only permissions it needs to create a site are granted by the Admin role, just having that role doesn’t grant you access to Central Admin (it’s a separate website – only BuiltinAdministrators and the Sharepoint Admin Group, if designated, are granted access).

  2. Tolong on An overview on Team Foundation Server Architecture.

    Aaron Hallberg on Building a Specific…

  3. JB says:

    I could not find the “Set SharePoint Administration Group” under Administrative Tools on my server, even when running as a local administrator. TFS does seem to work ok and we who are local administrators on the macine can create projects.

  4. RobCaron says:

    It’s located in SharePoint Central Administration.

Comments are closed.

Skip to main content