Prevent check-ins and restrict merges for TFS branch

Question

In my environment we have Dev, Main and Production branches. We also have Business and Architecture teams. What I would like to achieve is the following:

1. Both teams can Contribute to Dev
2. The Business team can only read Main and Production
3. The Architecture team can only merge into Main and Production

Currently, both teams are members of the Contributors group on the Team Project.

---

Final Solution:

1. Created a Group called Promo Officers at the collection level
2. Added the Architecture team to the new group
3. Added the Promo group to the permissions at the collection level (in Source Control Explorer right-click the collection, select properties and click permissions
4. Gave Promo Officers Read, Check Out, Check In, Label, Admin Labels, Merge and Manage Branch permissions
5. Turned off Inherit Security for the Main and Production branches.
6. Set the permissions for Contributors to just Read.

NB: You can't deny the unwanted permissions for Contributors because if a user is both in Contributors and Promo Officers, then the deny takes precedence and they won't have the correct permissions. Secondly, I wasn't able to achieve my goal of only allowing merges to Main and Production as you need Check In and Check out permissions to do merges.

Answer 1

If you right-click a folder in Source Control Explorer and go to Properties -> Security you can manage permissions right down to the folder/branch level.