Use TFS API to add or update ACEs in the ACL for the provided token

I worked on an interesting issue recently.

Issue: TFS Service account lost admin rights on a collection.

One of the symptoms: an access denied error while trying to upload a TFS process template after logging in to the machine with the TFS service account.

The user account is a member of the Team Project Collection Administrators group and has the Manage process template permission set to Allow, which are the permissions required to modify a process template.

We ended up using the TFS API below to restore the TFS service account's permissions on the team project collection.

Use API to add or update ACEs in the ACL for the provided token:
https://www.visualstudio.com/en-us/docs/integrate/api/security/aces

Steps to use the API:

1. Install Advanced REST Client from the Chrome Web Store:
https://advancedrestclient.com/

2. Create an OAuth token for a user account that is a member of the TFS admin group: https://www.visualstudio.com/en-us/docs/integrate/get-started/auth/overview

3. Convert the token to a Base64 string (the code to do this is in the article above).

4. Open the Advanced REST Client tool (use the screenshot below as a reference).

Select POST and enter the following URL: https://tfsserver:8080/tfs/DefaultCollection/_apis/accesscontrolentries/5a6cd233-6615-414d-9393-48dbb252bd23/?api-version=1.0

Use Basic Omw1Z294dHpqb3hkN3l6NmZxcDN4YzRmNjVmNWpqM3dpMmtwcWRpd3MyYTZyNXZ3Ynlsc3E= as the authorization value (replace this with the Base64 string created in the step above), and send the following JSON body:

{
    "token": "$",
    "merge": false,
    "accessControlEntries": [
        {
            "descriptor": "Microsoft.TeamFoundation.Identity;S-1-9-1551374245-1204400969-2402986413-2179408616-0-0-0-0-1",
            "allow": 1,
            "deny": 0,
            "extendedinfo": {}
        }
    ]
}

5. Replace the SID S-1-9-1551374245-1204400969-2402986413-2179408616-0-0-0-0-1 in the above payload with the actual SID of the Project Collection Administrators group. You can get this SID by running the following query on the collection database:

SELECT [SID]
FROM dbo.Constants
WHERE PartitionId = 1
AND DisplayPart LIKE '%DefaultCollection%Project Collection Administrators%'
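The same request, assembled as an added example (not code from the original post) with only the Python standard library, so the URL, header and body from steps 2 to 5 can be inspected before anything on the collection is changed. It assumes the token is sent as HTTP Basic credentials with an empty user name (":<token>" Base64-encoded, which is the usual form for a personal access token); the server URL, namespace GUID and SID are the ones from the post and are placeholders to be replaced with your own values.

```python
"""Build (and optionally send) the 'add or update ACEs' POST from the post.

Added example, not the original post's code. Assumptions: Basic auth with an
empty user name and the token as password; server URL, namespace GUID and
SID are placeholder values copied from the post.
"""
import base64
import json
import urllib.request

# Security namespace GUID and API version taken from the post's URL.
NAMESPACE_ID = "5a6cd233-6615-414d-9393-48dbb252bd23"
API_VERSION = "1.0"


def basic_auth_header(token: str) -> str:
    """Authorization header value for a token (empty user name assumed)."""
    raw = f":{token}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def ace_payload(sid: str, token: str = "$", allow: int = 1, deny: int = 0,
                merge: bool = False) -> dict:
    """Request body from the post, parameterised on the group SID."""
    if not sid.startswith("S-1-9-"):
        raise ValueError("expected a TFS identity SID (S-1-9-...)")
    return {
        "token": token,
        "merge": merge,
        "accessControlEntries": [
            {
                "descriptor": f"Microsoft.TeamFoundation.Identity;{sid}",
                "allow": allow,
                "deny": deny,
                "extendedinfo": {},
            }
        ],
    }


def aces_url(collection_url: str) -> str:
    """Endpoint for adding or updating ACEs in the given security namespace."""
    return (f"{collection_url.rstrip('/')}/_apis/accesscontrolentries/"
            f"{NAMESPACE_ID}/?api-version={API_VERSION}")


def build_request(collection_url: str, token: str,
                  payload: dict) -> urllib.request.Request:
    """Assemble the POST without sending it, so it can be reviewed first."""
    body = json.dumps(payload).encode("utf-8")
    return urllib.request.Request(
        aces_url(collection_url), data=body, method="POST",
        headers={"Authorization": basic_auth_header(token),
                 "Content-Type": "application/json"})


def send(req: urllib.request.Request) -> dict:
    """Send the request and return the parsed JSON reply (raises on HTTP errors)."""
    with urllib.request.urlopen(req) as resp:  # network call, only on demand
        return json.load(resp)


if __name__ == "__main__":
    # Placeholders from the post: replace with your collection URL, your token
    # and the SID returned by the dbo.Constants query in step 5.
    sid = "S-1-9-1551374245-1204400969-2402986413-2179408616-0-0-0-0-1"
    req = build_request("https://tfsserver:8080/tfs/DefaultCollection",
                        "<token>", ace_payload(sid))
    print(req.full_url)
    print(req.data.decode("utf-8"))
    # print(send(req))  # uncomment once the values above are real
```

Running the script prints the exact URL and body that the Advanced REST Client steps above would send; call send(req) only after confirming that the SID belongs to the Project Collection Administrators group, because the ACE is written as given.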

[Screenshot: the REST API request configured in Advanced REST Client]

Successful execution of the API resolved the issue.

In case you want to use the same API with TFS 2015, which doesn't have OAuth tokens, you can use the Advanced REST Client browser plug-in. Make sure you are connected to TFS in the same browser, and the API call will use the same credentials.


Content: Venkatappala Raju Chakravaram
Review: Romit Gulati