Friday, January 6, 2012

TFS: Securing Work Item Definition updates

Recently I got the following question from a customer:

“Can you prevent a user from updating a project's work item definition or its project template?”

This is not easy to achieve, because no specific permission controls this feature. By default, members of the "Project Collection Administrators" and "Project Administrators" groups have hard-coded admin permissions. Even if you remove the "Edit Project-Level Information" permission, they can grant that permission to themselves again.

The only way to prevent users from modifying the work item definitions is to keep them out of the Project Admin groups. If you still want to make these people administrators, I recommend creating a new administrators group and giving it the same permissions, except for the following set:

  • Manage process template (Project Collection level)
  • Manage work item link types (Project Collection level)
  • Edit project-level information (Project level)
