Inside VSTS

Security in Team Foundation Server, Part 2

Part 1 covered the basics of project-level and server-level security in TFS. Mickey's follow-up tackles work item tracking and version control security.

• By Mickey Gousset
• 02/23/2009

Work Item Tracking Security
Your work item tracking system in TFS contains a list of all the "stuff" that needs to get done on your projects. Depending on your process and organizational rules, you may have a very transparent work item tracking system, where every team member can see all the work items.

However, you may have rules and restrictions in place where team members are allowed access only to certain work items. You can enforce this security using the Areas and Iterations sections of your work items. Areas and Iterations are used as a classification system for your work items. They're completely customizable and can be defined as needed. "Areas" usually refers to different areas of your project, while "Iterations" usually refers to a timeframe when a particular work item should be completed.

To create new Areas and Iterations, open Team Explorer. Right-click on the appropriate Team Project, and from the context menu select Team Project Settings | Areas and Iterations. This will open the Areas and Iterations Window, shown in Figure 1.

Using the toolbar on this window, you can create a nested hierarchy of Areas, being as detailed as you need. Once you've created your areas, you can set security on individual one.

To set the security for a particular area, select the area and click the Security button. This will open a window, as shown in Figure 2.

You can add TFS Groups as well as Active Directory users and groups to this particular area and set their permissions appropriately. To enable read-only access to work items for a particular group, select only "View this node" and "View work items in this node" permissions. To enable read/write access, select "Edit work items in this node" as well as the previously listed permissions. Permissions automatically propagate down from parent nodes to child nodes.

Security for Iterations works in exactly the same way. Select the Iterations tab on the Areas and Iterations window, enter your Iterations, click the Security button and configure the security levels.

Version Control Security
The third and final area where you can specify security is in the TFS Version Control system. Here you have the ability to lock down folders and files to restrict access to only certain users or groups, similar to the work item tracking system.

To get started, open Visual Studio, then open the Source Control Explorer window by selecting View | Other Windows | Source Control Explorer. Right-click on the file or folder you want to set security permissions on, and from the context menu select Properties. This opens the Properties window for that file or folder. Select the Security tab to modify security on that item, as shown in Figure 3.

As with the Areas and Iterations security, you can add Team Foundation Server groups as well as Active Directory users and groups, and set their security permissions appropriately. Notice the "Inherit security settings" checkbox at the bottom left corner of the window. By default, this box is checked, so any security permissions set for the parent of this item in version control are inherited into this item. To stop this from happening, simply uncheck the box. But be careful! If you uncheck the box, it automatically removes all permissions from all groups or users that were initially specified. Make sure you add back at least the TFS Administrators group with full Allow permissions before closing this window.

Conclusion
Security really is a first-class citizen in TFS, and some thought should be put into exactly how you want to implement it. This column along with Part 1 should give you a good overview of how security works in TFS. By configuring security with Areas and Iterations, you have the ability to control access to information in the Work Item Tracking system. And security in the version control system allows you to control who can view and modify specific files and folders in version control.