I see from the answer to How to add Windows group as "Readers" to all projects in TFS 2010 collection? that this must be done manually for all existing projects.

Is there a command-line tool that can be used to do this? I know about the TfsSecurity program, but my attempt to do this for a single team project didn't work.


What I did for a single Team Project:

  1. I created "[DefaultCollection]\All Project Read-Only Users" as a collection-level group containing a single Active Directory group as a member.
  2. I then attempted to add read access to the project for that group:

tfssecurity /collection:http://tfs:8080/tfs/defaultcollection /a+ Project vstfs:///Classification/TeamProject/guid GENERIC_READ "[DefaultCollection]\All Project Read-Only Users" ALLOW

This did add an ACL for that group to the Team Project, yet that group didn't appear in the Security dialog for the Team Project.

What I wanted to do is give that group the same access as the "Readers" group for the team projects.

John Saunders
  • Have you considered scripting in powershell? http://blog.myrobertson.com/2011/05/tfs-automation-with-powershell-part-1.html – Nick Nieslanik Nov 01 '11 at 18:26

2 Answers

Here is a powershell script to iterate over each team project in your collection, get the Readers group and add a SID.

# load the required dll
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.TeamFoundation.Client")

function get-tfs
{
    param(
    [string] $serverName = $(throw 'serverName is required')
    )

    # each entry: property name to expose, assembly to load, service interface to request
    $propertiesToAdd = (
        ('VCS', 'Microsoft.TeamFoundation.VersionControl.Client', 'Microsoft.TeamFoundation.VersionControl.Client.VersionControlServer'),
        ('WIT', 'Microsoft.TeamFoundation.WorkItemTracking.Client', 'Microsoft.TeamFoundation.WorkItemTracking.Client.WorkItemStore'),
        ('CSS', 'Microsoft.TeamFoundation', 'Microsoft.TeamFoundation.Server.ICommonStructureService'),
        ('GSS', 'Microsoft.TeamFoundation', 'Microsoft.TeamFoundation.Server.IGroupSecurityService')
    )

    [psobject] $tfs = [Microsoft.TeamFoundation.Client.TeamFoundationServerFactory]::GetServer($serverName)
    foreach ($entry in $propertiesToAdd) {
        # the script property loads the assembly and resolves the service the first time it is read
        $scriptBlock = '
            [System.Reflection.Assembly]::LoadWithPartialName("{0}") > $null
            $this.GetService([{1}])
        ' -f $entry[1],$entry[2]
        $tfs | add-member scriptproperty $entry[0] $ExecutionContext.InvokeCommand.NewScriptBlock($scriptBlock)
    }
    return $tfs
}
# set the TFS collection url
[psobject] $tfs = get-tfs -serverName http://YourTfsServer:8080/tfs/YourCollection

# $true forces a refresh of the team project list
$items = $tfs.VCS.GetAllTeamProjects($true)
$items | foreach-object -process {
    $proj = $_
    # find the project-level 'Readers' application group
    $readers = $tfs.GSS.ListApplicationGroups($proj.Name) | ?{ $_.DisplayName -eq 'Readers' }

    # replace the second argument with the SID of the group you want to add
    $tfs.GSS.AddMemberToApplicationGroup($readers.Sid, 'TheSidToTheGroupYouWantToAdd')
}
John Saunders
Nick Nieslanik
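The script above adds the member unconditionally and expects you to paste a raw SID. The following is an added example (not part of the original answer) that does the same job idempotently: it resolves the group by account name, skips projects that have no "Readers" group, skips projects where the group is already a member, and supports a report-only run so you can review the change before applying it. It assumes the TFS 2010 client assemblies (Microsoft.TeamFoundation.Client, Microsoft.TeamFoundation) are installed; the collection URL and account name are placeholders.

```powershell
# Added example, not the original answer's code. Placeholders: $collectionUrl, $accountName.
param(
    [string] $collectionUrl = 'http://YourTfsServer:8080/tfs/YourCollection',  # placeholder
    [string] $accountName   = 'YOURDOMAIN\All Project Read-Only Users',        # placeholder
    [switch] $WhatIf                                                           # report only, change nothing
)

[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.TeamFoundation.Client')
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.TeamFoundation')

# Connect to the collection and obtain the two services we need
$tpc = [Microsoft.TeamFoundation.Client.TfsTeamProjectCollectionFactory]::GetTeamProjectCollection([Uri]$collectionUrl)
$tpc.EnsureAuthenticated()
$css = $tpc.GetService([Microsoft.TeamFoundation.Server.ICommonStructureService])
$gss = $tpc.GetService([Microsoft.TeamFoundation.Server.IGroupSecurityService])

# Resolve the account name to a TFS identity so no SID has to be copied by hand
$target = $gss.ReadIdentity([Microsoft.TeamFoundation.Server.SearchFactor]::AccountName,
                            $accountName,
                            [Microsoft.TeamFoundation.Server.QueryMembership]::None)
if ($target -eq $null) { throw "Identity '$accountName' was not found in the collection" }

foreach ($project in $css.ListProjects()) {
    # ListApplicationGroups is keyed by the project URI (vstfs:///Classification/TeamProject/...)
    $readers = $gss.ListApplicationGroups($project.Uri) | Where-Object { $_.DisplayName -eq 'Readers' }
    if ($readers -eq $null) {
        Write-Warning "$($project.Name): no 'Readers' group found, skipped"
        continue
    }

    # Direct membership check keeps repeated runs from failing or duplicating work
    if ($gss.IsMember($readers.Sid, $target.Sid)) {
        Write-Host "$($project.Name): '$accountName' is already a member of Readers"
        continue
    }

    if ($WhatIf) {
        Write-Host "$($project.Name): would add '$accountName' to Readers"
    } else {
        $gss.AddMemberToApplicationGroup($readers.Sid, $target.Sid)
        Write-Host "$($project.Name): added '$accountName' to Readers"
    }
}
```

Run it once with `-WhatIf` to get a per-project list of what would change, then again without the switch. Because membership is granted through the existing "Readers" group rather than a separate ACL, the group shows up in each project's Security dialog, which is what the question found missing when adding an ACL directly with tfssecurity.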
My approach is based on the fact that TFS permissions are inherited unless explicitly denied.

To create a user group that will automatically have read-only access to all existing projects as well as future ones, follow these steps:

  1. Create a new security group at the project collection level. You can do it in Visual Studio using the "Team/Team Project Collection Settings/Group Membership" menu.

  2. Add the new group as a member of the "Project Collection Administrators" group. This will grant access to all projects in the collection, including future ones.

  3. Limit the permissions of the new group to remove the inherited administrator permissions. To force read-only access, Deny all permissions except "Create a workspace", "View build resources" and "View collection-level information".

The users of this group will have read access to source code, work items, and build definitions of all projects in the collection.

Gustavo Russo
  • I've just tried this but can't get it to work for me. Not sure what I'm doing wrong. – Sir Swears-a-lot Jun 01 '17 at 23:08
  • @Peter I've just tried this with TFS 2017 and it works. Without knowing what you tried, I can't possibly tell you why it's not working. Follow the steps closely? Funnily enough, there's already a group which has "read-only" access (Valid users), but that group in itself is "read-only". By following these steps you're basically creating a modifiable "valid users" group. – MBender Jun 23 '17 at 10:44
  • @Gustavo, I've just tried, but this approach gives admin permission to those users, even if I deny all privileges except the ones you mentioned. (Azure DevOps Server 2019) – fkucuk Jan 09 '20 at 08:24