Deny
Some thoughts about permissions, especially deny. Why deny? Because deny is the best way to apply the principle of least privilege. When a permission is set, it shouldn't matter what client is used to access TFS, the permissions are evaluated according to the credentials supplied. Permissions are namespace-based and not temporal, i.e. when you set a permission on $/, it's recursive and it's applied for all old and new items before and after the permission is set.
You can run tf perm /user:DOMAIN\username $/ /r to see all permissions of that user or you can run tf perm itemSpec to see permissions of that item.
I quote the following about the deny permission from MSDN because I think it’s really important to know that "the Deny setting takes precedence ... The only exception to this rule occurs when the user is a member of either the Project Administrators group for a project or the Team Foundation Administrators group. If a user is a member of the Project Administrators group for a project, the privileges of that group override an explicit Deny for that user in a project. Similarly, if a user is a member of the Team Foundation Administrators group, the privileges of that group override an explicit Deny for that user in Team Foundation Server."
For more info, please take a look at: https://msdn.microsoft.com/en-us/library/ms252587.aspx and https://msdn.microsoft.com/en-us/library/ms400712.aspx