Security in Team Foundation Server, Part 2
Part 1 covered the basics of project-level and server-level security in TFS. Mickey's follow-up tackles work item tracking and version control security.
In Part 1
of "Security in Team Foundation Server," we discussed how to set up and configure security at both the server level and the team project level. Team Foundation Server (TFS) 2008 also allows you to specify security at both the work item tracking level and the version control level, letting you control who can view and modify information in both systems. Specifying this security builds off the server and project-level group concept covered in the first article.
Work Item Tracking Security
Your work item tracking system in TFS contains a list of all the "stuff" that needs to get done on your projects. Depending on your process and organizational rules, you may have a very transparent work item tracking system, where every team member can see all the work items.
However, you may have rules and restrictions in place where team members are allowed access only to certain work items. You can enforce this security using the Areas and Iterations sections of your work items. Areas and Iterations are used as a classification system for your work items. They're completely customizable and can be defined as needed. "Areas" usually refers to different areas of your project, while "Iterations" usually refers to a timeframe when a particular work item should be completed.
To create new Areas and Iterations, open Team Explorer. Right-click on the appropriate Team Project, and from the context menu select Team Project Settings | Areas and Iterations. This will open the Areas and Iterations Window, shown in Figure 1.
Using the toolbar on this window, you can create a nested hierarchy of Areas, being as detailed as you need. Once you've created your areas, you can set security on individual one.
To set the security for a particular area, select the area and click the Security button. This will open a window, as shown in Figure 2.
You can add TFS Groups as well as Active Directory users and groups to this particular area and set their permissions appropriately. To enable read-only access to work items for a particular group, select only "View this node" and "View work items in this node" permissions. To enable read/write access, select "Edit work items in this node" as well as the previously listed permissions. Permissions automatically propagate down from parent nodes to child nodes.
Security for Iterations works in exactly the same way. Select the Iterations tab on the Areas and Iterations window, enter your Iterations, click the Security button and configure the security levels.
Version Control Security
The third and final area where you can specify security is in the TFS Version Control system. Here you have the ability to lock down folders and files to restrict access to only certain users or groups, similar to the work item tracking system.
To get started, open Visual Studio, then open the Source Control Explorer window by selecting View | Other Windows | Source Control Explorer. Right-click on the file or folder you want to set security permissions on, and from the context menu select Properties. This opens the Properties window for that file or folder. Select the Security tab to modify security on that item, as shown in Figure 3.
As with the Areas and Iterations security, you can add Team Foundation Server groups as well as Active Directory users and groups, and set their security permissions appropriately. Notice the "Inherit security settings" checkbox at the bottom left corner of the window. By default, this box is checked, so any security permissions set for the parent of this item in version control are inherited into this item. To stop this from happening, simply uncheck the box. But be careful! If you uncheck the box, it automatically removes all permissions from all groups or users that were initially specified. Make sure you add back at least the TFS Administrators group with full Allow permissions before closing this window.
Security really is a first-class citizen in TFS, and some thought should be put into exactly how you want to implement it. This column along with Part 1 should give you a good overview of how security works in TFS. By configuring security with Areas and Iterations, you have the ability to control access to information in the Work Item Tracking system. And security in the version control system allows you to control who can view and modify specific files and folders in version control.
Mickey Gousset spends his days as a principal consultant for Infront Consulting Group. Gousset is lead author of "Professional Application Lifecycle Management with Visual Studio 2012" (Wrox, 2012) and frequents the speaker circuit singing the praises of ALM and DevOps. He also blogs at ALM Rocks!. Gousset is one of the original Team System/ALM MVPs and has held the award since 2005.