Group-based Permissions in Team Foundation Server

Two scenarios will be discussed in this post: Single Hat and Multiple Hats.

Base Scenario:

You have 3 people: Joe, Sally, and Dave

You have 3 main roles: Developer, Tester, Reviewer

You also have 3 projects: Project A, Project B, and Project C

Scenario #1: Single Hats

Team members wear only one hat in the enterprise. A Developer for one project is a Developer for all projects, and the same holds for Tester and Reviewer.

The roles that Joe, Sally and Dave play are the same for every project:

            Developer   Tester   Reviewer
Project A   Joe         Sally    Dave
Project B   Joe         Sally    Dave
Project C   Joe         Sally    Dave

The simple setup for this in Team Foundation Server is to use generic role-based groups:

Team Foundation Server
      \Developers
            \Joe
      \Testers
            \Sally
      \Reviewers
            \Dave

When configuring your Team Project’s permissions, simply grant each group the desired rights. New users can then be added to the environment with ease: just add them to the group that fits their role.

Scenario #2: Multiple Hats

Your team may have roles that vary by project. A good way to support this in Team Foundation Server is to create role-based groups on a per-project basis.

The roles that Joe, Sally and Dave play vary with each project:

            Developer   Tester   Reviewer
Project A   Joe         Sally    Dave
Project B   Dave        Joe      Sally
Project C   Sally       Dave     Joe

The inherent problem with using generic role-based groups (as in Scenario #1) is that in this scenario, everyone would have full rights to each of the three projects because each person belongs to each group:

Team Foundation Server
      \Developers
            \Joe
            \Sally
            \Dave
      \Testers
            \Joe
            \Sally
            \Dave
      \Reviewers
            \Joe
            \Sally
            \Dave

A more practical approach is to use project-specific, role-specific groups. This adds several extra groups, but more effectively manages access control at the project level:

Team Foundation Server
      \Project A - Developers
            \Joe
      \Project A - Testers
            \Sally
      \Project A - Reviewers
            \Dave
      \Project B - Developers
            \Dave
      \Project B - Testers
            \Joe
      \Project B - Reviewers
            \Sally
      \Project C - Developers
            \Sally
      \Project C - Testers
            \Dave
      \Project C - Reviewers
            \Joe
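
The comparison between the two group layouts in Scenario #2, as an added example that is not part of the original post and does not call any Team Foundation Server API: a small Python model that builds both layouts from the role matrix and lists every project/role grant a person receives through group membership without having been assigned it. The function names, and the assumption that each group is granted exactly its own role's rights, are illustrative.

```python
# Added example: models group membership only; no TFS API is called.
# Scenario #2 role matrix from the post (project -> role -> person).
MULTI_HAT = {
    "Project A": {"Developer": "Joe", "Tester": "Sally", "Reviewer": "Dave"},
    "Project B": {"Developer": "Dave", "Tester": "Joe", "Reviewer": "Sally"},
    "Project C": {"Developer": "Sally", "Tester": "Dave", "Reviewer": "Joe"},
}

def generic_groups(matrix):
    """Scenario #1 layout: one group per role, granted that role on every project."""
    groups = {}
    for roles in matrix.values():
        for role, person in roles.items():
            group = groups.setdefault(role + "s", {"members": set(), "grants": set()})
            group["members"].add(person)
            group["grants"].update((project, role) for project in matrix)
    return groups

def project_groups(matrix):
    """Project-specific layout: one group per project and role."""
    return {
        f"{project} - {role}s": {"members": {person}, "grants": {(project, role)}}
        for project, roles in matrix.items()
        for role, person in roles.items()
    }

def effective(groups):
    """Every (person, project, role) triple the group layout actually confers."""
    return {
        (member, project, role)
        for group in groups.values()
        for member in group["members"]
        for project, role in group["grants"]
    }

def excess(groups, matrix):
    """Grants that exist through group membership but are not in the role matrix."""
    intended = {(person, project, role)
                for project, roles in matrix.items()
                for role, person in roles.items()}
    return effective(groups) - intended

if __name__ == "__main__":
    for name, build in (("generic", generic_groups), ("per-project", project_groups)):
        extra = sorted(excess(build(MULTI_HAT), MULTI_HAT))
        print(f"{name}: {len(extra)} excess grants")
        for person, project, role in extra:
            print(f"  {person} has {role} rights on {project}")
```

Running the same check against the Scenario #1 matrix reports no excess grants for the generic layout, which is why that layout is adequate when everyone wears a single hat.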