Security in Team Foundation Server, Part 1
Mickey covers the basics of project-level and server-level security in TFS.
For any Team Foundation Server (TFS) administrator, providing easy yet safe and secure access to TFS should be a top priority. To do this, an administrator should have a good understanding of both the TFS security concepts and the TFS security architecture.
In general, TFS security is based on the concept of users and groups. You don't create users inside TFS; instead, you create groups and give those groups the appropriate security permissions. You then add users (from, say, your Active Directory) into the appropriate groups inside TFS. You also have the ability to add users from your Active Directory directly into TFS, but as a best practice you should always create a TFS group, and then add users to that group.
In this article, we are going to delve into how to set up and configure security at both the server level and the team project level. In future articles, we'll look at how to set up and configure security for both work item tracking and version control.
Setting TFS at the Server Level
As I mentioned before, you create groups in TFS and then assign users to those groups. When creating groups, you can create them at the "server" level or at the "team project" level. Each level affords different security options.
To create a server-level security group (also known as a global group), open Team Explorer, right-click on your TFS and select Team Foundation Server Settings | Group Membership (see Figure 1).
This will open the Global Groups window, which lists all the global groups for this TFS. When you install TFS, three global groups are created for you: Team Foundation Valid Users, Team Foundation Administrators and Service Accounts (see Figure 2).
To create a new global group, click the New button on the window in Figure 2. This will open the Create New Team Foundation Server Group window, where you can enter a group name and description. Click the OK button on this window when you're finished to return to the Global Groups window, where you'll see your new group.
To add users to your global groups, select the global group in question and click the Properties button. This will open the properties window for the selected group. In Figure 3, you'll see the properties window for the Team Foundation Administrators global group.
You have two tabs on this window: Members and Member of. The Members tab shows all the TFS groups and Windows users or groups that are members of this group. The Member of tab shows all the TFS groups to which this group belongs.
To add a new TFS group to this group, select the Team Foundation Server Group radio button and click the Add button. This opens the Add Group window, which shows you all the available groups, as shown in Figure 4. You can add global groups only to other global groups, which is why you only see two other groups listed in the window for this example. Select the appropriate group or groups and click OK to add them.
You also have the ability to add Windows users and groups to your TFS groups. Simply select the Windows User or Group radio button from the Team Foundation Server Group Properties window (Figure 3) and click the Add button. This opens the standard Select Users or Groups window (Figure 5), where you can enter or search for the user or group you want to add and then add them.
Now that you've created your TFS global groups and added users to them, you need to set the security permissions for those groups. To do this, open Team Explorer, right-click on your TFS, and select Team Foundation Server Settings | Security (see Figure 1). This opens the Global Security window, shown in Figure 6.
If you've created new server-level groups, here's where you would add them to give them their server-level permissions. You can add TFS global groups, as well as Windows users or groups. As you can see, you simply select the appropriate radio button, click Add and walk through the process outlined previously.
Once you've added your global groups, you need to set their security permissions. First, select the group from the Users and Group field. This will display the permissions for that group in the bottom of the window. For more information on the different global security permissions, go here.
TFS uses a least-permissive model for security permissions. As you can see in Figure 6, for the different server-level permissions, there are two checkboxes: Allow and Deny. The default permission is Deny, so if neither Allow nor Deny is checked, that permission is denied. If the Deny checkbox is checked, the permission is denied, and if the Allow checkbox is checked, the permission is allowed. But what if Allow and Deny are both checked? This could happen if a user is a member of two different groups, with one group having Allow and the other having Deny for a particular security permission. In that case, the user is going to be denied.
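The evaluation rule described above, modeled as an added example (not TFS code and not from the original article): it resolves a user's effective permission across nested groups and lists the cases where a Deny in one group overrides an Allow in another. The CONTOSO accounts, the Build Admins and Contractors groups, and the permission strings are constructed, and passing permissions down through nested group membership is an assumption.

```python
from collections import defaultdict

# Constructed sample data; only the [SERVER] notation and the Administrators group come from the article.
MEMBER_OF = {  # principal -> groups it is a direct member of
    "CONTOSO\\alice": {"[SERVER]\\Team Foundation Administrators"},
    "CONTOSO\\bob": {"[SERVER]\\Build Admins", "[SERVER]\\Contractors"},
    "CONTOSO\\carol": {"[SERVER]\\Contractors"},
    "[SERVER]\\Build Admins": {"[SERVER]\\Team Foundation Administrators"},
}
ACL = {  # group -> {hypothetical permission name: checked box}
    "[SERVER]\\Team Foundation Administrators": {"create-projects": "Allow", "edit-server-info": "Allow"},
    "[SERVER]\\Contractors": {"create-projects": "Deny"},
}

def groups_of(principal, member_of):
    """Principal plus every group reachable through 'Member of' (cycle-safe)."""
    seen, stack = set(), [principal]
    while stack:
        cur = stack.pop()
        if cur not in seen:
            seen.add(cur)
            stack.extend(member_of.get(cur, ()))
    return seen

def marks_for(principal, permission, member_of, acl):
    """Map each checked box ('Allow'/'Deny') to the groups that set it."""
    marks = defaultdict(set)
    for group in groups_of(principal, member_of):
        box = acl.get(group, {}).get(permission)
        if box:
            marks[box].add(group)
    return marks

def effective(principal, permission, member_of=MEMBER_OF, acl=ACL):
    """Deny beats Allow; nothing checked is also a denial."""
    marks = marks_for(principal, permission, member_of, acl)
    if marks["Deny"]:
        return "denied (explicit)"
    return "allowed" if marks["Allow"] else "denied (default)"

def conflicts(users, permissions, member_of=MEMBER_OF, acl=ACL):
    """Audit: (user, permission, denying groups) where a Deny overrides an Allow."""
    found = []
    for user in users:
        for perm in permissions:
            marks = marks_for(user, perm, member_of, acl)
            if marks["Allow"] and marks["Deny"]:
                found.append((user, perm, sorted(marks["Deny"])))
    return found
```

Running `conflicts` over all users and permissions shows which group memberships cancel each other out, which is the first thing to check when a user reports a permission that "should" be allowed.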
When you're done, simply click the Close button on the Global Security window to save your changes and close the window.
Setting Team Project Security at the Team Project Level
Setting Team Project security at the "team project" level is similar to setting it at the "server" level, with a few caveats. To create a team project-level security group, open Team Explorer, right-click on your Team Project and select Team Project Settings | Group Membership (see Figure 7).
This will open the Project Groups window listing all the team project groups for this TFS, as shown in Figure 8. Notice in Figure 8 that in addition to showing the project-level groups (denoted by [<TeamProjectName>] in front of the group name), you can also see the server-level groups (denoted by [SERVER] in front of the group name). You can hide the server-level groups by unchecking the Show global groups checkbox on the window. The process of creating new groups and adding users to those groups works the same as outlined previously with global groups.
You need to set the team project-level security permissions for your groups. These permissions are different from the server-level permissions (for more information on this, go here). To do this, open Team Explorer, right-click on your Team Project and select Team Project Settings | Security (see Figure 7). This opens the Global Security window, shown in Figure 9.
Modifying security permissions for groups works the same as it did for global security. Simply add the server-level or project-level groups, then check the appropriate checkboxes. In this case, you're setting the team project-level permissions for the project-level groups and the server-level groups.
As with any software, security is important. And to be able to administer TFS, you'll need to understand all the different facets of its security. In this article, we covered the basics of how to set up and configure security at both the server-level and the team project-level. In future articles, we'll look at how to set up and configure security for both the TFS work item tracking system and version control system.
Mickey Gousset spends his days as a principal consultant for Infront Consulting Group. Gousset is lead author of "Professional Application Lifecycle Management with Visual Studio 2012" (Wrox, 2012) and frequents the speaker circuit singing the praises of ALM and DevOps. He also blogs at ALM Rocks!. Gousset is one of the original Team System/ALM MVPs and has held the award since 2005.