Thursday, June 26, 2014

TFS 2013 Portfolio Management - Team Administrator

I have been working on setting up one TFS Team Project for all of our products to live under. This included creating teams and corresponding areas. Queries for each team (and their respective area) were also created. The challenge I face today is granting permissions so that each team's administrators can add queries to their team's Shared Queries.

Currently we do not have any TFS teams created and are just using the defaults. All of our permissions are driven out of Active Directory. For example, each team has a corresponding AD security group as a member. This keeps all of our user administration in one location (Active Directory) for the entire company.

To add a Team Administrator it appears you only have the option of adding AD users or groups.  Having a security group as a member would simplify the team administrator management.  I am torn at this point because it would mean a bunch more AD groups.  I can hear the IT guys now on that one. 

I thought about creating a VSO TFS team for the administrators of each team, but it does not look like you can add a TFS team as a team administrator. This brings me back to either asking IT for more groups for them to manage or just adding individual users as team administrators. The downside to adding individual users is that I will then have to manage security on iterations and queries at the user level. This could get messy.

This is the major downside to having everyone in the same team project.  PERMISSIONS!


The Solution


So that IT doesn't come after me for doubling the number of groups they have to manage, I ended up creating a TFS group called TeamName Team Admin. I set this group to have the same base permissions as Contributors. I did this so that if you are in both groups it will not mess up your permissions. This will always be in sync with Contributors.

With this new group, I gave it rights to edit shared queries for the team as well as iterations for the team. Both of these can be achieved by right-clicking on the object (for example, a query folder) and editing the security for it. For queries, I gave the TFS group Allow on Contribute and Read. For the iteration (and sub-iterations), they were given Allow on Create child nodes and Edit this node. Edit this node was needed so they could move sub-iterations between the 3 root iterations they have rights to.

The only downside is that if an admin changes, I have to change it in both the Team and the team admin TFS group. My user security is now being managed in two tools instead of one (just Active Directory).
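Because the team administrator list and the TeamName Team Admin group are maintained separately, they can drift apart. The following is an added example, not part of the original setup: a small audit that compares the two lists per team. The account names, team names and the idea of exporting both lists into dictionaries are assumptions made for the illustration.

```python
# Constructed sample data (not from the post). In practice both lists would be
# exported from TFS: the administrators set on each team, and the members of
# each "<TeamName> Team Admin" TFS group.
TEAM_ADMINS = {
    "Alpha": ["CORP\\asmith", "CORP\\bjones"],
    "Beta": ["CORP\\cdoe"],
    "Gamma": ["CORP\\dlee"],
}
GROUP_MEMBERS = {
    "Alpha Team Admin": ["corp\\ASmith", "CORP\\bjones"],
    "Beta Team Admin": ["CORP\\cdoe", "CORP\\oldadmin"],
}


def normalize(account):
    """Windows account names are case-insensitive, so compare lowercased."""
    return account.strip().lower()


def audit(team_admins, group_members):
    """Return {team: finding} for each team whose two lists disagree."""
    findings = {}
    for team in sorted(team_admins):
        admins = {normalize(a) for a in team_admins[team]}
        group = f"{team} Team Admin"  # naming convention used in the post
        exists = group in group_members
        members = {normalize(m) for m in group_members.get(group, [])}
        stale = sorted(members - admins)    # still hold query/iteration rights
        missing = sorted(admins - members)  # team admin without those rights
        if stale or missing or not exists:
            findings[team] = {
                "group": group,
                "group_exists": exists,
                "stale_in_group": stale,
                "missing_from_group": missing,
            }
    return findings


if __name__ == "__main__":
    for team, finding in audit(TEAM_ADMINS, GROUP_MEMBERS).items():
        print(team, finding)
```

Entries under `stale_in_group` are the ones to review first: those accounts can still edit the team's shared queries and iterations even though they are no longer team administrators.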

Any questions please feel free to ask.
