Add users and groups and control access to Release Management

You must add the user account of anyone who wants to set up, start, or approve releases to Release Management. Also, you must add the service accounts that are used in deploying applications in your release environment. You can add user accounts or a group of users defined in Team Foundation Server (TFS), Active Directory (AD), or Release Management. Control access to release functions based on user role or group permissions.

All users you add, whether individually or through a group, belong to the Everyone group. By default, members of the Everyone group have access to all Release Management operations, including adding users and setting permissions.

If you want to restrict access, then you’ll want to follow these steps:

  1. Determine what groups you need.

  2. Define these groups in TFS or AD.

  3. Add the groups to Release Management, set their permissions, and change the Everyone group permissions.

Add an individual user or service account

  1. If you haven’t installed the Release Management client, do that now.

    Important

    This is a 90-day trial version of Release Management. For information about obtaining a non-trial version, see How to buy Release Management or Release Management Licensing. If you are an MSDN subscriber, you can download a non-trial version from the MSDN Subscriber website.

  2. If you haven’t been added to the Release Manager role, get added now from someone with that role. This role is required to manage security.

  3. Open the New User page (Administration > Manage Users).

    Administration tab, Manage Users, New button

  4. Choose a user account (use the ellipsis … button) and set the user role.

    Do not assign any role when you want to restrict access to functional areas. Instead, link the user account to the group where you set permissions.

    Assign the Release Manager role to grant access to the following functions:

    • Manage the connection between TFS and Release Management.

    • View and edit all release paths and stages that are defined in a release path.

    • For release templates, create and edit the templates, view and edit the deployment sequence and configuration variables for all stages that are defined, and add custom tools and actions.

    • Manage servers, environments, actions, tools, and security.

Add a group

  1. Choose the type of group you want to add. (Administration > Manage Groups).

    Administration, Manage groups, New group

  2. On the Security tab, select the permissions that you want to enable for this group.

    Group page, Security tab

  3. Under Stages, keep the default All Stage Types or add one or more stages.

    • Enable Edit Values and Target Servers: Users in this group can edit deployment sequence and configuration variables for a release or stage. Without this permission, stage information is read-only.

    • Enable Edit Approvals and Environment: Users in this group can edit approvals and environments for a stage. Without this permission, stage information is read-only.

  4. If you create a Release Management group (one not associated with TFS or AD), link existing user accounts to be members of this group.

    Group page, Link Existing users tab

    Or, you can add a user account by choosing the Create button.

  5. Edit the Everyone group to remove permissions to which you want to restrict access.

  6. Notify the users that you added. Let them know that they have to install the Release Management client, or restart their client. This is required for their client to register the changes in permission.

  7. When you create a Release Path, in the Security tab, add the group and select the permissions that you want to enable for this group. You can enable the following permissions on a Release Path.

    • Enable View: Users in this group can view the Release Path.

    • Enable Edit: Users in this group can edit the Release Path. Without this permission, the user cannot edit a Release Path stage, even with Edit Approvals and Environment permission.

    • Enable Manage Security: Users in this group have full control on the Release Path.

    Release Path security

  8. When you create a Release Template, in the Security tab, add the group and select the permissions that you want to enable for this group. You can enable the following permissions on a Release Template.

    • Enable View: Users in this group can view the Release Template.

    • Enable Edit: Users in this group can edit the Release Template.

    • Enable Can Release: Users in this group can trigger a release.

    • Enable Manage Security: Users in this group have full control on the Release Path.

    Release Template security

Q & A

Q: Who needs to be added as a user to Release Management?

A: These users:

  • Any user who needs to create, start or approve a release.

  • Any user who needs to manage the release configuration, servers, environment, and inventory of tools and actions used in deploying applications.

  • Service accounts that are used to deploy apps or manage web services.

Q: What groups should I define to control access?

A: Define groups based on the restrictions you want to enforce. For example, you can restrict access based on one or more of the following functional user roles. You can define these groups in TFS, AD, or through the Release Management client itself

  • Approvers: These users approve or validate a step or stage during a release cycle. They need the Edit Approvals and Environment permission set for all stage types that they will be required to approve.

  • Deployers: These users will create release templates and initiate releases based on the release paths created by the release architects. They need the Can Create Release Template and Edit Values and Target Servers for all stage types.

  • Release architects: These users will create release paths that define the deployment stages and test the design of these paths. They will also need to test the release paths. Enable the following permissions:

    • Can Create Release Template

    • Can Create Release Path

    • Can Manage Environment

    • Can Use Custom Tool in Actions and Components

    • Edit Approvals and Environment

    • Edit Values and Target Servers

  • Tool and action developers: These users will add or modify tools and actions. Release actions define the deployment sequence for each stage of a release. Each action uses a specific tool to run a command with a set of arguments. Enable these permissions for these users: Can Manage Inventory and Can Use Custom Tool in Actions and Components.

    To learn more, see Release actions to deploy an app for Release Management.

  • Administrators: These users will manage the servers and security for all release management operations. Enable all permissions for users in this group. If you add users individually, assign them to the Release Manager role.

Q: I don’t see some tabs or UI elements. Why not?

A: Based on your user role or the permissions assigned to your group, some UI elements may not appear. For example, if you do not have permissions to Can Manage Inventory, the Inventory tab does not display.

Similarly, if you don’t have permissions to edit an object, you might be able to view it, but the Save button will be inactive. If you don’t have one of the permissions listed in the following table, the corresponding UI element will either be hidden or disabled. Release Managers, however, can view and edit all information.

Permission

UI element

Can Create Release Template

Configure Apps > Release Template tab (hidden)

Can Create Release Path

New button on the Configure Paths > Release Paths tab (hidden)

Can Manage Environment

Configure Paths > Environments tab (hidden)

Can Manage Server

Configure Paths > Server tab (hidden)

Can Manage Inventory

Inventory tab (which provides access to Actions and Tools) (hidden)

Can Use Custom Tool in Actions and Components

Command and Arguments fields cannot be edited when No Tool is selected

Edit Values and Target Servers

For Release Templates: If the user does not have this permission set for a stage type, the information of the Deployment Configuration and Configuration Variables tabs are read-only.

For Releases: If the user does not have this permission set for a stage type, the information of the Deployment Configuration and Configuration Variables panel is read-only.

Edit Approvals and Environment

For Release Paths: If the user does not have this permission set for a stage type, the stage information in the Release Path is read-only.

Q: What happens when I deactivate a group?

Members that you add through an Active Directory or TFS group remain active members, even if you deactivate or delete the group. To remove these members, you must delete them manually from the Manage Users page.