Group-based Permissions in Team Foundation Server


Two scenarios will be discussed in this post:  Single Hat and Multiple Hats.


 


 



Base Scenario:


You have 3 people:  Joe, Sally, and Dave


You have 3 main roles: Developer, Tester, Reviewer


You also have 3 projects: Project A, Project B, and Project C


 


 



Scenario #1: Single Hats


Team members wear only one hat in the enterprise.  A Developer for one project is a developer for all projects – the same for Tester and Reviewer.


 


The roles that Joe, Sally and Dave play are the same for every project:

             Developer   Tester   Reviewer
Project A    Joe         Sally    Dave
Project B    Joe         Sally    Dave
Project C    Joe         Sally    Dave


 


The simple setup for this in Team Foundation Server is to use generic role-based groups:


 


Team Foundation Server
      \Developers
            \Joe
      \Testers
            \Sally
      \Reviewers
            \Dave


 


When configuring your Team Project’s permissions, simply grant each group the desired rights.  This will allow any subsequent users to be added to the environment with ease (just add them to the group that fits their role).


 


 



Scenario #2: Multiple Hats


Your team may have roles that vary by project.  A good way to support this in Team Foundation Server is to create role-based groups on a per-project basis.


 


The roles that Joe, Sally and Dave play vary with each project:

             Developer   Tester   Reviewer
Project A    Joe         Sally    Dave
Project B    Dave        Joe      Sally
Project C    Sally       Dave     Joe


 


 


The inherent problem with using generic role-based groups (as in Scenario #1) is that in this scenario, everyone would have full rights to each of the three projects because each person belongs to each group:


 


Team Foundation Server
      \Developers
            \Joe
            \Sally
            \Dave
      \Testers
            \Joe
            \Sally
            \Dave
      \Reviewers
            \Joe
            \Sally
            \Dave


 


A more practical approach is to use project-specific, role-specific groups.  This adds several extra groups, but more effectively manages access control at the project level:


 


Team Foundation Server
      \Project A – Developers
            \Joe
      \Project A – Testers
            \Sally
      \Project A – Reviewers
            \Dave
      \Project B – Developers
            \Dave
      \Project B – Testers
            \Joe
      \Project B – Reviewers
            \Sally
      \Project C – Developers
            \Sally
      \Project C – Testers
            \Dave
      \Project C – Reviewers
            \Joe
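
The difference between the two Scenario #2 layouts can be checked mechanically. The following is an added example, not part of the original post and not Team Foundation Server API code: it models each layout as plain Python data (all function names are hypothetical) and lists the access that group membership grants beyond the role table above.

```python
# Added example: a model of the two group layouts, not TFS API code.
# Intended role assignments, copied from the Scenario #2 table.
INTENDED = {
    ("Project A", "Developer"): {"Joe"},
    ("Project A", "Tester"): {"Sally"},
    ("Project A", "Reviewer"): {"Dave"},
    ("Project B", "Developer"): {"Dave"},
    ("Project B", "Tester"): {"Joe"},
    ("Project B", "Reviewer"): {"Sally"},
    ("Project C", "Developer"): {"Sally"},
    ("Project C", "Tester"): {"Dave"},
    ("Project C", "Reviewer"): {"Joe"},
}

def generic_layout(intended):
    """One server-wide group per role; every project grants each group its role."""
    groups = {}
    for (_, role), users in intended.items():
        groups.setdefault(role + "s", set()).update(users)
    projects = sorted({p for p, _ in intended})
    roles = sorted({r for _, r in intended})
    grants = [(r + "s", p, r) for p in projects for r in roles]
    return groups, grants

def per_project_layout(intended):
    """One group per (project, role), granted only on its own project."""
    groups = {f"{p} – {r}s": set(u) for (p, r), u in intended.items()}
    grants = [(f"{p} – {r}s", p, r) for (p, r) in intended]
    return groups, grants

def effective_access(groups, grants):
    """Expand group grants into the (user, project, role) triples actually held."""
    return {(u, p, r) for g, p, r in grants for u in groups[g]}

def excess_access(groups, grants, intended):
    """Access held through group membership that the role table does not call for."""
    wanted = {(u, p, r) for (p, r), users in intended.items() for u in users}
    return effective_access(groups, grants) - wanted

if __name__ == "__main__":
    for name, layout in (("generic", generic_layout), ("per-project", per_project_layout)):
        extra = excess_access(*layout(INTENDED), INTENDED)
        print(f"{name}: {len(extra)} unintended role grants")
        for user, project, role in sorted(extra):
            print(f"  {user} is also {role} on {project}")
```
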