Managing security in TFS the easy way

The old way

Before the introduction of Teams in TFS 2012, managing security was fairly easy. My recommendation to my customers was always the same: use AD groups and let the TFS Administrator do all the work. Create three AD groups for every TFS project and add them to the TFS project groups.

| TFS Group | AD-group |
|---|---|
| Project Administrators | TFS-MyProject-Administrators |
| Project Contributors | TFS-MyProject-Contributors |
| Project Readers | TFS-MyProject-Readers |

Use the same groups and add them to SharePoint and Reporting Services according to this matrix:

| TFS | SharePoint | Reporting Services |
|---|---|---|
| Project Administrators | Project site-level Administrator | Project site-level Content Manager |
| Project Contributors | Project site-level Contributors | Project site-level Browser |
| Project Readers | Project site-level Readers | Project site-level Browser |

A great tool to help you do this is the Team Foundation Administration Tool on CodePlex.

The new way

When Teams were introduced in TFS 2012, things changed: a Team Administrator could add users to a Team and they were automatically added to the project contributors group, overriding the project contributor AD groups. I thought a lot about this and spoke to my colleagues at Solidify and my customers, and then got the idea to try to skip the project AD groups and let the TFS projects completely handle themselves, and this way lighten the workload of the TFS Administrator.

Use the built-in security this way:

| TFS | Comment |
|---|---|
| Project Administrators | The project administrator creates Teams and assigns Team Administrators. |
| Team Administrator | The Team Administrator assigns members to his/her Teams and they are automatically added to the project contributor groups. |
| Project Contributors | You might consider giving everyone in the Project Contributor group some or all of the following rights to make things easier: Add/Change Areas; Add/Change Iterations; Create Shared Queries; Create builds; Create branches. |
| Project Readers | |

Let the project administrator handle SharePoint and Reporting Services the same way if you use them. You might even consider giving everyone read access to all project reporting sites to make things easier.

Managing Access levels in TFS Web Access

Regardless of whether you choose the old way or the new way, you also have to use the Access Levels in TFS Web Access to assign your users to the right Access Levels.

| Access Level | Comment |
|---|---|
| Stakeholder | This level is free and the user can add and change Work Items and see but not change the Agile planning. |
| Basic | This is the level for product owners, scrum masters and other people that are not developers but want to do Agile planning. Create the following AD-groups: TFS_CAL_Users and TFS_MSDN_Professional_Users |
| Advanced | This level has access to all parts of TFS web access. Create the following AD-groups: TFS_MSDN_Enterprise_Users (former Ultimate and Premium), and TFS_MSDN_Test_Professional_Users |

My recommendation here is that you set the default level to Stakeholder, create AD groups for the different MSDN licenses, and add them to the Access Level groups. The reason to use AD groups here is that, in my opinion, AD groups are better for audit purposes, and if Microsoft decides to change the license levels, they are easier to move from one level to another.
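The audit that the AD-group approach makes possible can be scripted. The following is an added example, not part of the original post: it lists users who sit in more than one of the license groups named above, or in groups mapped to different access levels. The group names are the article's; the function name, the flag names and the sample accounts are assumptions made for illustration.

```powershell
# Added example: audit of the AD groups that feed the TFS access levels.
# Group names are the article's; accounts and function name are constructed.
$LevelOfGroup = @{
    'TFS_CAL_Users'                    = 'Basic'
    'TFS_MSDN_Professional_Users'      = 'Basic'
    'TFS_MSDN_Enterprise_Users'        = 'Advanced'
    'TFS_MSDN_Test_Professional_Users' = 'Advanced'
}

function Get-AccessLevelAudit {
    param(
        # Group name -> array of account names that are (recursive) members.
        [Parameter(Mandatory)] [hashtable] $Membership
    )
    $groupsOfUser = @{}
    foreach ($group in $Membership.Keys) {
        if (-not $LevelOfGroup.ContainsKey($group)) {
            Write-Warning "Group '$group' is not mapped to an access level"
            continue
        }
        foreach ($user in $Membership[$group]) {
            if (-not $groupsOfUser.ContainsKey($user)) { $groupsOfUser[$user] = @() }
            $groupsOfUser[$user] += $group
        }
    }
    foreach ($user in ($groupsOfUser.Keys | Sort-Object)) {
        $groups = @($groupsOfUser[$user] | Sort-Object)
        $levels = @($groups | ForEach-Object { $LevelOfGroup[$_] } | Sort-Object -Unique)
        [pscustomobject]@{
            User         = $user
            Groups       = $groups -join ', '
            Levels       = $levels -join ', '
            MultiLicense = $groups.Count -gt 1   # more than one license group
            LevelClash   = $levels.Count -gt 1   # groups map to different levels
        }
    }
}

# Constructed sample. Against a live domain, fill the table with e.g.
#   (Get-ADGroupMember -Identity $g -Recursive).SamAccountName
# for each $g in $LevelOfGroup.Keys (needs the ActiveDirectory module).
$sample = @{
    'TFS_CAL_Users'                    = @('anna', 'bertil')
    'TFS_MSDN_Professional_Users'      = @('cecilia')
    'TFS_MSDN_Enterprise_Users'        = @('bertil', 'david')
    'TFS_MSDN_Test_Professional_Users' = @('david', 'erik')
}
Get-AccessLevelAudit -Membership $sample |
    Where-Object { $_.MultiLicense -or $_.LevelClash } |
    Format-Table -AutoSize
```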

TFS 2013.4

TFS 2013.4 is out with a lot of nice stuff

Stakeholders

My favorite is the new Stakeholder access level

You probably have a lot of Stakeholders who are interested in using TFS web access. Up to now, to use the Backlog and other features, you needed a TFS CAL.

Now Microsoft has decided to let Stakeholders use much of this for free with a new Stakeholder license replacing the “Limited User Access”.

What they will be able to do with the Stakeholder access level:

  • Full read/write/create on all work items
  • Create, run and save (to “My Queries”) work item queries
  • View project and team home pages
  • Access to the backlog, including add and update (but no ability to reprioritize the work)
  • Ability to receive work item alerts

What they won’t be able to do

  • No access to Code, Build or Test hubs.
  • No access to Team Rooms
  • No access to any administrative functionality (Team membership, license administration, permissions, area/iterations configuration, sprint configuration, home page configuration, creation of shared queries, etc.)

The basic access level

You need a TFS CAL for this

  • View My Work Items
  • Standard Features
  • Agile boards
  • Basic backlog and sprint planning tools
  • Agile Portfolio Management
  • Chart Viewing
  • Code
  • Build
  • Administer account
  • Advanced home page
  • Advanced backlog and sprint planning tools

The Advanced access level

You need MSDN Premium, Ultimate or Test Professional for this

  • View My Work Items
  • Standard Features
  • Agile boards
  • Basic backlog and sprint planning tools
  • Request and Manage Feedback
  • Test case management
  • Team rooms
  • Agile Portfolio Management
  • Chart Viewing
  • Chart Authoring
  • Code
  • Build
  • Administer account
  • Advanced home page
  • Advanced backlog and sprint planning tools
  • Advanced portfolio management

 

Agile planning

There are lots of new small Agile planning features. Here are some of them.

  • Full screen mode in all HTML fields
  • Sometimes Teams want to have the bugs in the backlog and sometimes not. Now each team can choose regardless of project template.


  • They have increased the number of items you can have in the first and last columns on the Kanban board to 999.
  • Charting is a nice and easy way to create charts from Work Item Queries; with 2013.4 we get trend diagrams.

Testing

There are also new test features connected to TFS Web Access.

Before TFS 2013.3, Test Plans and Test Suites were not stored as work items; now they are. In TFS 2013.4 Microsoft added new features for this. Here are some of them.

You can work with all test work item types from Excel and even enter test steps this way.


You can work with Tags and modify your Test Cases the same way as all other work item types.

If a Test Case is connected to several Test Suites you can now see all suites it is connected to.

We get charts to show test status and you can of course pin them to your Team homepage.


License Update Visual Studio Online and maybe TFS 2013.4

Stakeholders

With all the nice stuff included in TFS web access, you probably have a lot of Stakeholders who are interested in using it. Up to now, to use the Backlog and other stuff, you needed a TFS CAL or had to pay $20 per user per month in Visual Studio Online.

Now Microsoft has decided to let Stakeholders use much of this for free in Visual Studio Online with a new Stakeholder license. This will probably be introduced to on-premises TFS in TFS 2013.4 as a part of the “Limited User Access”.

What they will be able to do

  • Full read/write/create on all work items
  • Create, run and save (to “My Queries”) work item queries
  • View project and team home pages
  • Access to the backlog, including add and update (but no ability to reprioritize the work)
  • Ability to receive work item alerts

What they won’t be able to do

  • No access to Code, Build or Test hubs.
  • No access to Team Rooms
  • No access to any administrative functionality (Team membership, license administration, permissions, area/iterations configuration, sprint configuration, home page configuration, creation of shared queries, etc.)

Access to the Test Hub in Visual Studio Online

If you want access to the Test hub in TFS Web Access, you need Visual Studio Premium, Ultimate or Test Professional. If you are an acceptance tester and only need access to the Test Hub, that might be a bit expensive; the cheapest version you can buy is Visual Studio Test Professional.

Microsoft has now decided to include this in the Visual Studio Online Advanced plan. At the moment this will not be included in on-premises TFS.