Groups and Permissions
The Groups and Permissions plug-in defines a team project's initial security groups and their permissions. The plug-in name is Microsoft.ProjectCreationWizard.Groups. The Groups and Permissions XML file is named GroupsandPermissions.xml and is located in the Groups and Permissions folder in the process template folder hierarchy. You can change the XML file and folder name if required.
In the XML file, specify one or more tasks and their dependencies. Generally, you specify one task per security group to create for your process. For an example of a task specifying a simple security group and permissions, see the MSF for Agile Software Development process template.
Note
Team Foundation Server does not include a mechanism for the deployment of client-side plug-ins, policies, or other modifications. If you want to deploy plug-ins, policies, or other modifications to the Team Explorer, you must use your own distribution and installation program.
Groups
Use the group element to specify a new Team Foundation Server security group.
<group name="" description=""></group>
The following table describes the attributes for the group element.
Attribute | Description |
---|---|
name | Specifies the name of the group being created. |
description | Provides a description of the group to help users understand the purpose of the group. |
The following example shows how to create a group named Readers.
<task id="GroupCreation1"
      name="Create Groups and Permissions"
      plugin="Microsoft.ProjectCreationWizard.Groups"
      completionMessage="Groups and Permissions created.">
  <taskXml>
    <groups>
      <group name="Readers"
             description="A group for those with read access across the project">
        <permissions>
          <!-- permissions -->
        </permissions>
      </group>
    </groups>
  </taskXml>
</task>
Permissions
For each group that you specify, you must also specify permissions. Use the permission element for this purpose.
<permission name="" class="" allow=""/>
The following table describes the attributes for the permission element.
Attribute | Description |
---|---|
name | Identifies which permission is being applied. |
class | Identifies the class, or area, where the permission is being applied. |
allow | A true or false value that indicates if the permission is being allowed or denied. |
The following table describes each class and name combination you can specify as a permission.
Class | Name | Description |
---|---|---|
NAMESPACE | GENERIC_READ | Users with this permission can view server level groups (their members), and users and their permissions unless denied by more specific permissions. |
NAMESPACE | GENERIC_WRITE | Users with this permission can edit server level groups and permissions. They can: |
NAMESPACE | MANAGE_EVERYONE_GROUP | Can add or remove members to the Team Foundation Valid Users global group. |
NAMESPACE | CREATE_PROJECTS | Users who have this permission can create new team projects, as long as they have administrative rights to SharePoint and Report Server. |
NAMESPACE | ADMINISTER_WAREHOUSE | Users who have this permission can change warehouse settings through the WarehouseController.asmx Web service's ChangeSetting Web method. This lets the user set, for example, the update interval on calculating the OLAP cubes through the ChangeSetting Web method. |
NAMESPACE | MANAGE_TEMPLATE | Only users who have this permission can download or upload process templates. |
PROJECT | GENERIC_READ | Users who have this permission can view project level groups (their members), and users and their permissions unless denied view of certain items by more specific permissions. |
PROJECT | GENERIC_WRITE | Users who have this permission can edit project level groups and permissions. They can: |
PROJECT | DELETE | Deleteteamproject is a project level permission used when a user created a test or a bad project and must delete it. It is a project specific permission. |
PROJECT | PUBLISH_TEST_RESULTS | This permission controls whether a user can upload test results to the application tier and whether they can remove the test runs. |
PROJECT | DELETE_TEST_RESULTS | Users who have this permission can delete test results. |
PROJECT | ADMINISTER_BUILD | Users who have this permission can create new build types, edit new build types, add or check in custom build tasks, delete completed builds or abort current builds in progress. |
PROJECT | START_BUILD | Only users with this permission can start a build either through Team Explorer or via the command line. |
PROJECT | EDIT_BUILD_STATUS | Enables the user to 'tag' a build with a quality value such as "self test" or "ready for testing." This can be done through the Team Build Browser user interface. The quality tag is stored in the Team Foundation Build database store. |
PROJECT | UPDATE_BUILD | This permission must be granted to the account under which the Build Service is running in order to update the Team Foundation Build database store. This permission should only be assigned to service accounts and not to individual users. |
CSS_NODE | GENERIC_READ | Users with this permission can edit work items under this area node. |
CSS_NODE | GENERIC_WRITE | Users with this permission can rename this area node. |
CSS_NODE | CREATE_CHILDREN | Users with this permission can create new area nodes and re-order any child area nodes. |
CSS_NODE | DELETE | Users with this permission can delete area nodes. Any child nodes under the parents being deleted are also deleted. |
CSS_NODE | WORK_ITEM_READ | Users with this permission can view, but not edit or change work items under this area node. |
CSS_NODE | WORK_ITEM_WRITE | Users with this permission can edit work items under this area node. |
EVENT_SUBSCRIPTION | GENERIC_READ | Users who have this permission can view alerts. |
EVENT_SUBSCRIPTION | GENERIC_WRITE | Users who have this permission can change alert settings. |
EVENT_SUBSCRIPTION | UNSUBSCRIBE | Users who have this permission can unsubscribe from alerts. |
The following example shows how to grant permissions to the Readers security group such that readers can view team project information, but not modify it.
<group name="Readers" description="A group for those with read access across the project">
  <permissions>
    <permission name="GENERIC_READ" class="PROJECT" allow="true" />
    <permission name="GENERIC_READ" class="CSS_NODE" allow="true" />
    <permission name="WORK_ITEM_READ" class="CSS_NODE" allow="true" />
  </permissions>
</group>
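A permission placed under the wrong class, or a group left without permissions, is easy to miss when reviewing a template by eye. The following Python check is an added example, not part of the original documentation or of Team Foundation Server: it audits a Groups and Permissions task against the class and name table above. The `audit` function, the `Contributors` and `Empty` groups, and the lowercase-only `allow` check are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Class/name combinations from the permissions table on this page.
VALID = {
    "NAMESPACE": {"GENERIC_READ", "GENERIC_WRITE", "MANAGE_EVERYONE_GROUP",
                  "CREATE_PROJECTS", "ADMINISTER_WAREHOUSE", "MANAGE_TEMPLATE"},
    "PROJECT": {"GENERIC_READ", "GENERIC_WRITE", "DELETE", "PUBLISH_TEST_RESULTS",
                "DELETE_TEST_RESULTS", "ADMINISTER_BUILD", "START_BUILD",
                "EDIT_BUILD_STATUS", "UPDATE_BUILD"},
    "CSS_NODE": {"GENERIC_READ", "GENERIC_WRITE", "CREATE_CHILDREN", "DELETE",
                 "WORK_ITEM_READ", "WORK_ITEM_WRITE"},
    "EVENT_SUBSCRIPTION": {"GENERIC_READ", "GENERIC_WRITE", "UNSUBSCRIBE"},
}

def audit(task_xml):
    """Return (group name, finding) tuples for a Groups and Permissions task."""
    findings = []
    for group in ET.fromstring(task_xml).iter("group"):
        gname = group.get("name", "")
        perms = group.findall("./permissions/permission")
        if not perms:  # the page requires permissions for every group
            findings.append((gname, "no permissions specified"))
        for p in perms:
            cls, name, allow = p.get("class"), p.get("name"), p.get("allow")
            if name not in VALID.get(cls, ()):
                findings.append((gname, f"unknown permission {cls}/{name}"))
            if allow not in ("true", "false"):  # assumption: lowercase only
                findings.append((gname, f"allow={allow!r} is not true or false"))
            # The table reserves UPDATE_BUILD for the Build Service account.
            if (cls, name, allow) == ("PROJECT", "UPDATE_BUILD", "true"):
                findings.append((gname, "UPDATE_BUILD allowed; reserved for service accounts"))
    return findings

# Constructed sample: Readers follows the page; Contributors and Empty are made up.
SAMPLE = """<task id="GroupCreation1" plugin="Microsoft.ProjectCreationWizard.Groups">
  <taskXml><groups>
    <group name="Readers" description="Read access across the project"><permissions>
      <permission name="GENERIC_READ" class="PROJECT" allow="true" />
    </permissions></group>
    <group name="Contributors" description="Constructed for this example"><permissions>
      <permission name="WORK_ITEM_WRITE" class="PROJECT" allow="true" />
      <permission name="UPDATE_BUILD" class="PROJECT" allow="true" />
    </permissions></group>
    <group name="Empty" description="Constructed, no permissions" />
  </groups></taskXml>
</task>"""

if __name__ == "__main__":
    for group_name, finding in audit(SAMPLE):
        print(f"{group_name}: {finding}")
```

Run against the sample, the check passes `Readers` cleanly and reports `WORK_ITEM_WRITE` under the wrong class, the `UPDATE_BUILD` grant, and the group with no permissions.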