TFS 2013 Source Control Permissions to Lock Down A Folder
Things Tried
The way I have things structured for this Team Project is each team is mapped to an area, and I also created a folder in source control for their source code.
Default Team Project Team -> Team Project -> $/TeamProject
Team A -> Area A -> $/TeamProject/Product A
Team B -> Area B -> $/TeamProject/Product B
All of the teams are part of the Contributors VSO Group.
I have an Active Directory group for each team. This is where we manage users (and not in Team Foundation Server/TFS).
I noticed that when I created each of the teams it automatically placed them in the Contributors group as well. This is the default when you create a team. I wonder if I should have not placed the teams in any group at this time. That may be a future article as I think I have made permissions more complex than they need to be.
Initially I had thought to deny the Team Project's default team (everyone in our department) and allow just a specific team to have access to their folder. I found that did not work as it locked me out of my team's folder even though I am a Team Collection and Project administrator.
Then I tried adding my team in, explicitly Allowing the actions I had set to Deny for the team project team. This did not work. When I look at the permissions of a file I am trying to get latest on, it shows both teams. The problem is I am a member of both teams and it looks like Deny overrides Allow permissions.
Next I removed both teams from the version control security for that folder and set Contributors back to Deny. I added my team group and set it to Allow. After saving the changes it red flagged all of them. It says it is overriding explicit allow. This is because my team's group is part of the Contributors group. Guess you can't do that either.
This Works
First, what you need to understand about permissions in TFS is that they follow the "most restrictive permission wins" principle. That means if you belong to multiple groups, the one with the most restrictive permission applies to that folder or file.
Since I am a Collection and Project administrator this will be tough to accomplish. Basically I will need to completely lock myself out of that folder and only grant permissions to the team that needs access to the files. To do that I had to make one of the team members administrator for the team (I was it by default since I created the team). Then I had to stop inheritance on the folder. Last, I removed all of the groups (including admins) and added just the team's VSO group. That did the trick!
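The attempts above and the configuration that worked can be replayed in a small model. This is an added example, not TFS code or anything from the original post: it is a simplified evaluator that follows only the rules described here (Deny beats Allow across all group memberships, nested groups count, and a folder with inheritance off ignores its parents). The users `alice`, `bob` and `pa`, the group names and the ACL layout are constructed for illustration.

```python
# Simplified model of the behaviour described above; not TFS's own evaluator.
# Users, groups and ACL entries below are constructed for illustration.
ALLOW, DENY, NOT_SET = "Allow", "Deny", "Not set"
FOLDER = "$/TeamProject/Product A"

MEMBER_OF = {  # identity -> groups it is a direct member of
    "alice": {"Team A", "Default Team"},
    "bob": {"Team B", "Default Team"},
    "pa": {"Project Administrators", "Default Team"},
    "Team A": {"Contributors"},
    "Team B": {"Contributors"},
    "Default Team": {"Contributors"},
}
ROOT = {"$/TeamProject": {"aces": {"Contributors": ALLOW,
                                   "Project Administrators": ALLOW}}}

def identities_of(user):
    """The user plus every group reached through nested membership."""
    seen, stack = {user}, [user]
    while stack:
        for group in MEMBER_OF.get(stack.pop(), ()):
            if group not in seen:
                seen.add(group)
                stack.append(group)
    return seen

def effective(user, path, acls):
    """Collect matching entries from path up to the root, stopping where
    inheritance is off. Any Deny wins; otherwise one Allow is enough."""
    who, found = identities_of(user), set()
    while path:
        acl = acls.get(path, {})
        found |= {v for k, v in acl.get("aces", {}).items() if k in who}
        if not acl.get("inherit", True):
            break
        path = path.rpartition("/")[0]  # move to the parent folder
    return DENY if DENY in found else ALLOW if ALLOW in found else NOT_SET

# Attempt: Deny the default team, Allow Team A on the folder.
deny_default = {**ROOT, FOLDER: {"aces": {"Default Team": DENY, "Team A": ALLOW}}}
# Attempt: Deny Contributors, Allow Team A (Team A is nested in Contributors).
deny_contrib = {**ROOT, FOLDER: {"aces": {"Contributors": DENY, "Team A": ALLOW}}}
# What worked: inheritance off, only the team's group listed.
locked_down = {**ROOT, FOLDER: {"inherit": False, "aces": {"Team A": ALLOW}}}

if __name__ == "__main__":
    for name, acls in [("deny default team", deny_default),
                       ("deny Contributors", deny_contrib),
                       ("inheritance off", locked_down)]:
        print(name, {u: effective(u, FOLDER, acls) for u in ("alice", "bob", "pa")})
```

In the two Deny-based layouts every user ends up denied, including the Team A member, while the inheritance-off layout leaves only Team A with access to the folder and everything beneath it.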