Team Foundation Server source control - can I prevent a group from seeing an entire collection

Question

I wish to give a small number of users (in their own Windows Group) access to their own collection in TFS 2013 source control, but prevent them from any access at all to the default collection on that TFS server. The idea is they can use source control for their own work without being able to access any of the code in the default collection - not even to browse.

Basically I want to prevent all access to the TFS default collection to members of a particular Windows group whilst allowing then normal access to another TFS collection. It sounds as if it should be simple, but I find the documentation for TFS security quite confusing, especially via Visual Studio. I've tried using TFSSecurity.exe too but so far that hasn't worked - the users can still see both their own collection and the default collection.

Can this be done, and if so how is it accomplished?

Answer 1

• While in TFS (via the browser, click on the Cog wheel (top right) next to your user name to view the Administer Server page
  • A new browser window should open
• Click on the Control Panel Breadcrumb at the top left.
  • All collections should be presented
• Click on a collection, then click on the Manage project security and group membership link in the right panel
  • You should then be taken to that collection page where you are presented with a number of tabs. (Overview/Iterations/Area/Security/Alerts/Version Control)
  • In the overview tab you can add in new teams (if you wish to allocate these users to a group)
  • For what your after I would first click on the Security tab for the collection you are interested in to see which groups/user have been allocated to those collections.
  • Within Security you have 3 areas you can click on (Permissions/Members/Member of)
  • e.g. Removing Members (users) from those collection where you don't want them to access them.
• If you also click on the Version Control tab you will see the standard TFS groups with their access control summary for that collection you are in.

If you can create a test collection then I would suggest having a play with these settings to get what you are after.

I would suggest you read the following Permissions and groups defined for Team Services and TFS

Answer 2

Simple steps:

1. Create a new windows group in your TFS server and add corresponding users to this group
2. Open internet browser and navigate to your TFS (e.g. http://XXX:8080/tfs)
3. Click Browse and select a team project of corresponding collection and navigate to that team project
4. Click Administer Server Icon to go to the admin page of team project
5. Click Security tab
6. Select a team or TFS groups (e.g. Project Administrator, Readers)
7. Click Add > Windows user or group in the right panel
8. Type windows group name in the Identities box and click Check name > Save Changes

After that, users in that group can only access that team project, also they just can see that collection. (The same way for other team projects)

To change the permission of that group for team project collection:

1. Go to admin page of team project collection
2. Select a windows groups (will be existed there after pervious steps)
3. Change permissions and click Save changes