“We need to configure the server to grant all users the ability to create a Team Project and manage the users of that specific project. However, a user must not be allowed to delete/modify/access a project which he or she does not belong to. Also, since users will belong to the Sharepoint administration group and SQL Server content management groups, I am hoping these can also be configured in such a way as to deny access accordingly. If anyone knows the ideal permissions configuration for this scenario, please let me know as soon as possible.”
Team Foundation Server Groups, Permissions, and Roles are not small subjects for discussion.
Authorization for user actions, such as workspace administration and project creation, are determined by permissions. When you create a new project in Team Foundation Server, new project-level groups are created for that project, by default, and are assigned permissions to access resources appropriate to that group. Obviouly I cannot give you the end-all-be-all best practice for your needs. The article “Team Foundation Server Default Groups, Permissions, and Roles” discusses Team Foundation security is based upon users and groups and how you can manage users and groups to implement a security model for your organization that enables users to access the data and functionality that they require while protecting confidential information. The article “Team Foundation Server Permissions” discusses the types of permissions and their accepted settings.
Good luck Mike, and thanks for the request.