Automate Security Management for VSTF Source Control

Kathy Shieh here. I am the dev lead for the Information Security Tools team in the US.

Visual Studio Team Foundation Server (VSTF) provides a pretty good GUI for security management. Within the VSTF UI you can create custom roles, manage membership for each role, and manage security for source control at the folder and/or file level. It is really handy for a one-time change to an individual's access.

When managing applications with standard roles and source folder structures (especially SOX applications, which require SAS 70 compliance), we have found that if you use the same Windows security groups for multiple applications and multiple versions, access management through the UI becomes tedious and time consuming. Instead, we create batch files built from TFS command-line calls. Below is an example.

Standard source control folder structure:

- [Project Name]
 [Version Number]
 Test & Training

Example of standard TFS roles and access to the Source folder from above:

Allow: All but manipulate security settings
Deny: N/A

Allow: Read
Deny: N/A

Allow: Read
Deny: N/A

Allow: Read
Deny: N/A

Allow: Read
Deny: N/A

Allow: Read
Deny: N/A

[Project]\Project Administrators:
Allow: All
Deny: N/A

Allow: Read
Deny: N/A

Access control for the other standard folders follows the same pattern as the Source folder above. Setting up permissions for a new project or a new version through the Visual Studio UI therefore means 8 roles x 6 folders = 48 separate permission entries, each of them several clicks. With the TFS commands in a batch file, all you need to change is the project name and the version folder, which are passed in as parameters: the first parameter is the TFS project name and the second is the main version folder path. Below is the sample batch file for setting up source control folder access.



@ECHO OFF
SETLOCAL
@REM tf.exe must be on the PATH. If it is not, prepend the Visual Studio IDE folder
@REM (prepend rather than replace PATH, or the rest of the script loses cmd's own tools):
@REM SET PATH=%SystemDrive%\Program Files\Microsoft Visual Studio 9\Common7\IDE;%PATH%
SET TFS=YourTFSServerName

IF "%~2"=="" (
    ECHO Usage: %~nx0 ProjectName VersionFolder
    EXIT /B 1
)

@REM %1 = team project name, %2 = main version folder under $/%1
SET TP=%1
SET VER=%2

@REM Strip any surrounding double quotes from both parameters (names containing spaces arrive quoted)
SET TP=###%TP%###
SET TP=%TP:"###=%
SET TP=%TP:###"=%
SET TP=%TP:###=%
SET VER=###%VER%###
SET VER=%VER:"###=%
SET VER=%VER:###"=%
SET VER=%VER:###=%

@REM Set security permissions for %TP% %VER%
@REM Project root: Build Services gets no explicit rights; Contributors get Read, which every
@REM functional role inherits because all of them are members of Contributors.
tf Permission /remove:* /Group:"[%TP%]\Build Services" /Server:%TFS% "$/%TP%"
tf Permission /allow:Read /Group:"[%TP%]\Contributors" /Server:%TFS% "$/%TP%"

@REM Per-folder grants. /allow:* /remove:AdminProjectRights gives everything except
@REM "Manipulate security settings", so no functional role can change permissions.
tf Permission /allow:* /remove:AdminProjectRights /Group:"[%TP%]\Testers" /Server:%TFS% "$/%TP%/%VER%/DropToProduction"
tf Permission /allow:* /remove:AdminProjectRights /Group:"[%TP%]\Developers" /Server:%TFS% "$/%TP%/%VER%/DropToTest"
tf Permission /allow:* /remove:AdminProjectRights /Group:"[%TP%]\Developers" /Server:%TFS% "$/%TP%/%VER%/source"
tf Permission /allow:Label /remove:AdminProjectRights /Group:"[%TP%]\Testers" /Server:%TFS% "$/%TP%/%VER%/DropToTest"
tf Permission /allow:* /remove:AdminProjectRights /Group:"[%TP%]\Testers" /Server:%TFS% "$/%TP%/%VER%/Test"
tf Permission /allow:* /remove:AdminProjectRights /Group:"[%TP%]\Support" /Server:%TFS% "$/%TP%/%VER%/SOX Docs"
tf Permission /allow:* /remove:AdminProjectRights /Group:"[%TP%]\Support" /Server:%TFS% "$/%TP%/%VER%/Support"
tf Permission /allow:Read,PendChange,Checkin,Label,Lock /remove:AdminProjectRights /Group:"[%TP%]\PMs" /Server:%TFS% "$/%TP%/%VER%/SOX Docs"

ENDLOCAL


All functional roles (Developers, Testers, and so on) were added to the Contributors group ahead of time, so granting Contributors Read on the project root takes care of all the read access. This does depend on that nesting: a new functional group created outside Contributors gets no read access until it is added.
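To make the role x folder matrix explicit and check it before any tf command runs, here is an added example in Python; it is not part of the original post and not the author's script. It holds the grants from the batch file above as data, emits the same tf Permission lines, resolves what each group effectively gets (root Read inherited through Contributors, "*" minus AdminProjectRights), and refuses a matrix that lets a non-admin group manipulate security or lets one group both change source and write the production drop folder. The server name, the nesting of every functional role in Contributors, the separation-of-duties rule and the TFS 2008 permission-name list are assumptions made for the example.

```python
"""Added example (not the author's script): hold the role/folder grants as
data, generate the tf Permission lines from it, and check the matrix before
the batch file is applied. Server name, group nesting, the separation-of-duties
rule and the permission-name list are assumptions made for the example."""

SERVER = "YourTFSServerName"                 # assumed placeholder, as in the batch file
ADMIN_RIGHT = "AdminProjectRights"          # "Manipulate security settings" in the VS UI
# Source control permission names accepted by tf Permission on TFS 2008 (assumed complete).
ALL_PERMS = {"Read", "PendChange", "Checkin", "Label", "Lock", "ReviseOther",
             "UnlockOther", "UndoOther", "LabelOther", "CheckinOther", ADMIN_RIGHT}
WRITE_PERMS = {"PendChange", "Checkin"}
ROOT = "$"                                   # marker for the project root $/<project>
ADMIN_GROUPS = {"Project Administrators"}
REVOKE_ALL = ["Build Services"]              # stripped of every explicit right at the root

# Allow-lists per group and folder (folder is relative to $/<project>/<version>).
# "*" means all rights; for non-admin groups AdminProjectRights is removed again,
# exactly as "/allow:* /remove:AdminProjectRights" does in the batch file.
MATRIX = {
    "Contributors": {ROOT: {"Read"}},
    "Developers": {"source": {"*"}, "DropToTest": {"*"}},
    "Testers": {"Test": {"*"}, "DropToTest": {"Label"}, "DropToProduction": {"*"}},
    "Support": {"Support": {"*"}, "SOX Docs": {"*"}},
    "PMs": {"SOX Docs": {"Read", "PendChange", "Checkin", "Label", "Lock"}},
    "Project Administrators": {ROOT: {"*"}},
}
# Assumed nesting: every functional role is a member of Contributors, so the
# root Read grant reaches all of them (the point made in the post).
MEMBER_OF = {"Developers": "Contributors", "Testers": "Contributors",
             "Support": "Contributors", "PMs": "Contributors"}


def item_path(project, version, folder):
    return f"$/{project}" if folder == ROOT else f"$/{project}/{version}/{folder}"


def tf_line(project, version, group, folder, allow, server=SERVER):
    """One tf Permission command in the same shape as the batch file."""
    allow_arg = "*" if "*" in allow else ",".join(sorted(allow))
    remove = "" if group in ADMIN_GROUPS else f" /remove:{ADMIN_RIGHT}"
    return (f'tf Permission /allow:{allow_arg}{remove} /Group:"[{project}]\\{group}" '
            f'/Server:{server} "{item_path(project, version, folder)}"')


def generate(project, version, matrix=MATRIX, server=SERVER):
    """All commands for one project/version: revocations first, then grants."""
    lines = [f'tf Permission /remove:* /Group:"[{project}]\\{group}" /Server:{server} "$/{project}"'
             for group in REVOKE_ALL]
    for group, folders in matrix.items():
        for folder, allow in folders.items():
            lines.append(tf_line(project, version, group, folder, allow, server))
    return lines


def expand(allow, group):
    """Resolve "*" the way the batch file does; explicit lists are taken literally."""
    if "*" not in allow:
        return set(allow)
    return set(ALL_PERMS) if group in ADMIN_GROUPS else ALL_PERMS - {ADMIN_RIGHT}


def effective(group, folder, matrix=MATRIX, member_of=MEMBER_OF):
    """Rights a group ends up with on a folder: its own grants there, grants at
    the project root (inherited downward), and both of those for every group
    it is nested in."""
    rights = set()
    current = group
    while current is not None:
        grants = matrix.get(current, {})
        for f in {folder, ROOT}:
            rights |= expand(grants.get(f, set()), current)
        current = member_of.get(current)
    return rights


def check(matrix=MATRIX, member_of=MEMBER_OF):
    """Pre-flight checks; returns the list of violations (empty means OK)."""
    problems = []
    for group, folders in matrix.items():
        if group in ADMIN_GROUPS:
            continue
        writable = set()
        for folder in folders:
            rights = effective(group, folder, matrix, member_of)
            if ADMIN_RIGHT in rights:
                problems.append(f"{group} can change security on {folder}")
            if rights & WRITE_PERMS:
                writable.add(folder)
        # Assumed separation-of-duties rule: a group that can change source
        # must not also be able to write the production drop folder.
        if {"source", "DropToProduction"} <= writable:
            problems.append(f"{group} can both change source and promote to production")
    return problems


if __name__ == "__main__":
    print("\n".join(generate("MyProject", "V1.0")))
    print("violations:", check())
```

Run check() before generating; a non-empty result is a reason not to apply the script. The generated lines replace the hand-written tf block in the batch file, so adding a ninth role or a seventh folder is a one-line change to MATRIX rather than another round of UI clicks.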

With the same approach, you can create batch files for custom role creation and membership management as well.
