Change groups and permissions with TFSSecurity

Last Updated: 8/4/2016

You can use the TFSSecurity command-line tool to create, modify, and delete groups and users in Visual Studio Team Foundation Server (TFS), in addition to modifying permissions for groups and users. For information about how to perform these tasks in the user interface, see Manage users or groups.

This server-level tool is located in Drive:\%programfiles%\Microsoft Team Foundation Server 12.0\Tools on the TFS application-tier server.

Even if you are logged on with administrative credentials, you must open an elevated Command Prompt to perform this function.

Permissions

/a+: Add permissions

Use /a+ to add permissions for a user or a group in a server-level, collection-level, or project-level group. To add users to groups from the user interface, see Manage users or groups.

tfssecurity /a+ Namespace Token Action Identity (ALLOW | DENY) [/collection:CollectionURL] [/server:ServerURL]

Required Permissions

To use the /a+ command, you must have the View collection-level information or the View instance-level information permission set to Allow, depending on whether you are using the /collection or /server parameter, respectively. If you are changing permissions for a team project, you must also have the Edit project-level information permission for the team project set to Allow. For more information, see Permission reference for Team Foundation Server.

Parameters

Argument

Description

Namespace

The namespace that contains the group to which you want to add permissions for a user or group. You can also use the tfssecurity /a command to view a list of namespaces at the server, collection, and project level.

Token

The name or GUID of the object on which you want to add permissions.

Note: Tokens vary depending on the namespace you specify. Some namespaces do not have tokens that apply for this command.

Action

The name of the permission for which you are granting or denying access. For a list of valid IDs, see Permission reference for Team Foundation Server, or use the tfssecurity /a command to view a list of valid actions for a namespace that you specify.

Identity

The identity of the user or the group. For more information about identity specifiers, see TFSSecurity Identity and Output Specifiers.

  • ALLOW

    The group or user can perform the operation that the Action specifies.

  • DENY

    The group or user cannot perform the operation that the Action specifies.

/collection:CollectionURL

Required if /server is not used. Specifies the URL of a team project collection in the following format: http://ServerName:Port/VirtualDirectoryName/CollectionName

/server:ServerURL

Required if /collection is not used. Specifies the URL of an application-tier server in the following format: http://ServerName:Port/VirtualDirectoryName

Remarks

Run this command on an application-tier server for Team Foundation.

Access control entries are security mechanisms that determine which operations a user, group, service, or computer is authorized to perform.

Examples

The following example displays what namespaces are available at the server level for the application-tier server that is named ADatumCorporation.

Note:
The examples are for illustration only and are fictitious. No real association is intended or inferred.

tfssecurity /a /server:ServerURL

Sample output:

TFSSecurity - Team Foundation Server Security Tool
Copyright (c) Microsoft Corporation.  All rights reserved.

The target Team Foundation Server is http://ADatumCorporation:8080/.

The following security namespaces are available to have permissions set on them:

     Registry
     Identity
     Job
     Server
     CollectionManagement
     Warehouse
     Catalog
     EventSubscription
     Lab

Done.

The following example displays what actions are available for the Server namespace at the collection level.

tfssecurity /a Server /collection:CollectionURL

Sample output:

TFSSecurity - Team Foundation Server Security Tool
Copyright (c) Microsoft Corporation.  All rights reserved.

The target Team Foundation Server is http://ADatumCorporation:8080/.

The following actions are available in the security namespace Server:
    GenericRead
    GenericWrite
    Impersonate
    TriggerEvent

Done.

The following example grants the server-level "View instance-level information" permission to the ADatumCorporation deployment for the Datum1 domain user John Peoples (Datum1\jpeoples).

tfssecurity /a+ Server FrameworkGlobalSecurity GenericRead n:Datum1\jpeoples ALLOW /server:http://ADatumCorporation:8080

Sample output:

TFSSecurity - Team Foundation Server Security Tool
Copyright (c) Microsoft Corporation.  All rights reserved.

The target Team Foundation Server is http://ADatumCorporation:8080/.
Resolving identity "n:Datum1\jpeoples"...
  [U] Datum1\jpeoples (John Peoples)
Adding the access control entry...
Verifying...

Effective ACL on object "FrameworkGlobalSecurity":
  [+] GenericRead                        [INSTANCE]\Team Foundation Valid Users
  [+] GenericRead                        [INSTANCE]\SharePoint Web Application Services
  [+] Impersonate                        [INSTANCE]\SharePoint Web Application Services
  [+] GenericRead                        [INSTANCE]\Team Foundation Service Accounts
  [+] GenericWrite                       [INSTANCE]\Team Foundation Service Accounts
  [+] Impersonate                        [INSTANCE]\Team Foundation Service Accounts
  [+] TriggerEvent                       [INSTANCE]\Team Foundation Service Accounts
  [+] GenericRead                        [INSTANCE]\Team Foundation Administrators
  [+] GenericWrite                       [INSTANCE]\Team Foundation Administrators
  [+] TriggerEvent                       [INSTANCE]\Team Foundation Administrators
  [+] GenericRead                        DATUM1\jpeoples

Done.

The following example grants the collection-level "View collection-level information" permission to the Collection0 team project collection for Datum1 domain user John Peoples (Datum1\jpeoples).

tfssecurity /a+ Server FrameworkGlobalSecurity GenericRead n:Datum1\jpeoples ALLOW /collection:http://ADatumCorporation:8080/Collection0

Sample output:

TFSSecurity - Team Foundation Server Security Tool
Copyright (c) Microsoft Corporation.  All rights reserved.
The target Team Foundation Server is http://ADatumCorporation:8080/COLLECTION0.
Resolving identity "n:Datum1\jpeoples"...
  [U] DATUM1\jpeoples (John Peoples)
Adding the access control entry...
Verifying...

Effective ACL on object "FrameworkGlobalSecurity":
  [+] GenericRead                        [Collection0]\Project Collection ValidUsers
  [+] GenericRead                        [Collection0]\Project Collection Service Accounts
  [+] GenericWrite                       [Collection0]\Project Collection Service Accounts
  [+] Impersonate                        [Collection0]\Project Collection Service Accounts
  [+] TriggerEvent                       [Collection0]\Project Collection Service Accounts
  [+] GenericRead                        [Collection0]\Project Collection Administrators
  [+] GenericWrite                       [Collection0]\Project Collection Administrators
  [+] TriggerEvent                       [Collection0]\Project Collection Administrators
  [+] GenericRead                        [INSTANCE]\SharePoint Web Application Services
  [+] Impersonate                        [INSTANCE]\SharePoint Web Application Services
  [+] GenericRead                        [Collection0]\Project Collection Build Service Accounts
  [+] GenericRead                        DATUM1\jpeoples

Done.

/a-: Remove a user or a group from membership in a group

Use the /a- command to remove a permission entry for a user or a group in a server-level, collection-level, or project-level group. To change group membership from the user interface, see Manage users or groups.

tfssecurity /a- Namespace Token Action Identity (ALLOW | DENY) [/collection:CollectionURL] [/server:ServerURL]

Required Permissions

To use the /a- command, you must have the View collection-level information or the View instance-level information permission set to Allow, depending on whether you are using the /collection or /server parameter, respectively. If you are changing permissions for a team project, you must also have the Edit project-level information permission for the team project set to Allow.

Parameters

Argument

Description

Namespace

The namespace that contains the group from which you want to remove the user or group. You can also use the tfssecurity /a command to view a list of namespaces at the server level, the collection level, and the project level.

Token

The name or GUID of the object on which you want to set permissions.

Note: Tokens vary depending on the namespace that you specify. Some namespaces do not have tokens that apply for this command.

Action

The name of the permission for which access is granted or denied. For a list of valid IDs, see Permission reference for Team Foundation Server, or use the tfssecurity /a command to view a list of valid actions for a namespace that you specify.

Identity

The identity of the user or the group. For more information about the identity specifiers, see TFSSecurity Identity and Output Specifiers.

  • ALLOW

    The group or user can perform the operation that the Action specifies.

  • DENY

    The group or user cannot perform the operation that the Action specifies.

/collection:CollectionURL

Required if /server is not used. Specifies the URL of a team project collection in the following format: http://ServerName:Port/VirtualDirectoryName/CollectionName

/server:ServerURL

Required if /collection is not used. Specifies the URL of an application-tier server in the following format: http://ServerName:Port/VirtualDirectoryName

Remarks

Run this command on an application-tier server for Team Foundation.

Access control entries are security mechanisms that determine which operations a user, group, service, or computer is authorized to perform on a computer or server.

Examples

The following example displays what namespaces are available at the server level for the application-tier server that is named ADatumCorporation.

Note:
The examples are for illustration only and are fictitious. No real association is intended or inferred.

tfssecurity /a /server:ServerURL

Sample output:

TFSSecurity - Team Foundation Server Security Tool
Copyright (c) Microsoft Corporation.  All rights reserved.

The target Team Foundation Server is http://ADatumCorporation:8080/.

The following security namespaces are available to have permissions set on them:

     Registry
     Identity
     Job
     Server
     CollectionManagement
     Warehouse
     Catalog
     EventSubscription
     Lab

Done.

The following example displays what actions are available for the Server namespace at the collection level.

tfssecurity /a Server /collection:CollectionURL

Sample output:

TFSSecurity - Team Foundation Server Security Tool
Copyright (c) Microsoft Corporation.  All rights reserved.

The target Team Foundation Server is http://ADatumCorporation:8080/.

The following actions are available in the security namespace Server:
    GenericRead
    GenericWrite
    Impersonate
    TriggerEvent

Done.

The following example removes the server-level "View instance-level information" permission from the ADatumCorporation deployment for the Datum1 domain user John Peoples (Datum1\jpeoples).

tfssecurity /a- Server FrameworkGlobalSecurity GenericRead n:Datum1\jpeoples ALLOW /server:http://ADatumCorporation:8080

Sample output:

TFSSecurity - Team Foundation Server Security Tool
Copyright (c) Microsoft Corporation.  All rights reserved.

The target Team Foundation Server is http://ADatumCorporation:8080/.
Resolving identity "n:Datum1\jpeoples"...
  [U] Datum1\jpeoples (John Peoples)
Removing the access control entry...
Verifying...

Effective ACL on object "FrameworkGlobalSecurity":
  [+] GenericRead                        [INSTANCE]\Team Foundation Valid Users
  [+] GenericRead                        [INSTANCE]\SharePoint Web Application Services
  [+] Impersonate                        [INSTANCE]\SharePoint Web Application Services
  [+] GenericRead                        [INSTANCE]\Team Foundation Service Accounts
  [+] GenericWrite                       [INSTANCE]\Team Foundation Service Accounts
  [+] Impersonate                        [INSTANCE]\Team Foundation Service Accounts
  [+] TriggerEvent                       [INSTANCE]\Team Foundation Service Accounts
  [+] GenericRead                        [INSTANCE]\Team Foundation Administrators
  [+] GenericWrite                       [INSTANCE]\Team Foundation Administrators
  [+] TriggerEvent                       [INSTANCE]\Team Foundation Administrators

Done.

The following example removes the collection-level "View collection-level information" permission from the Collection0 team project collection for Datum1 domain user John Peoples (Datum1\jpeoples).

tfssecurity /a- Server FrameworkGlobalSecurity GenericRead n:Datum1\jpeoples ALLOW /collection:http://ADatumCorporation:8080/Collection0

Sample output:

TFSSecurity - Team Foundation Server Security Tool
Copyright (c) Microsoft Corporation.  All rights reserved.
The target Team Foundation Server is http://ADatumCorporation:8080/COLLECTION0.
Resolving identity "n:Datum1\jpeoples"...
  [U] DATUM1\jpeoples (John Peoples)
Removing the access control entry...
Verifying...

Effective ACL on object "FrameworkGlobalSecurity":
  [+] GenericRead                        [Collection0]\Project Collection ValidUsers
  [+] GenericRead                        [Collection0]\Project Collection Service Accounts
  [+] GenericWrite                       [Collection0]\Project Collection Service Accounts
  [+] Impersonate                        [Collection0]\Project Collection Service Accounts
  [+] TriggerEvent                       [Collection0]\Project Collection Service Accounts
  [+] GenericRead                        [Collection0]\Project Collection Administrators
  [+] GenericWrite                       [Collection0]\Project Collection Administrators
  [+] TriggerEvent                       [Collection0]\Project Collection Administrators
  [+] GenericRead                        [INSTANCE]\SharePoint Web Application Services
  [+] Impersonate                        [INSTANCE]\SharePoint Web Application Services
  [+] GenericRead                        [Collection0]\Project Collection Build Service Accounts

Done.

/acl: Display the access control list

Use /acl to display the access control list that applies to a particular object.

tfssecurity /acl Namespace Token [/collection:CollectionURL] [/server:ServerURL]

Required permissions

To use the /acl command, you must have the View collection-level information or the View instance-level information permission set to Allow, depending on whether you are using the /collection or /server parameter, respectively. For more information, see Permission reference for Team Foundation Server.

Parameters

Argument

Description

Namespace

The namespace that contains the group for which you want to view permissions for a user or group.

Token

The name or GUID of the object on which you want to view permissions.

Note: Tokens vary depending on the namespace that you specify. Some namespaces do not have tokens that apply for this command.

/collection:CollectionURL

Required if /server is not used. Specifies the URL of a team project collection in the following format: http://ServerName:Port/VirtualDirectoryName/CollectionName

/server:ServerURL

Required if /collection is not used. Specifies the URL of an application-tier server in the following format: http://ServerName:Port/VirtualDirectoryName

Remarks

Run this command on an application-tier server for Team Foundation.

Access control entries are security mechanisms that determine which operations a user, group, service, or computer is authorized to perform on a computer or server.

Examples

The following example displays what users and groups have access to the FrameworkGlobalSecurity token in the Server namespace within the ADatumCorporation deployment.

Note:
The examples are for illustration only and are fictitious. No real association is intended or inferred.

tfssecurity /acl Server FrameworkGlobalSecurity /server:ServerURL 

Sample output:

TFSSecurity - Team Foundation Server Security Tool
Copyright (c) Microsoft Corporation.  All rights reserved.
The target Team Foundation Server is http://ADatumCorporation:8080/.
Retrieving the access control list for object "Server"...

Effective ACL on object "FrameworkGlobalSecurity":
  [+] GenericRead                        [INSTANCE]\Team Foundation Valid Users
  [+] GenericRead                        [INSTANCE]\SharePoint Web Application Services
  [+] Impersonate                        [INSTANCE]\SharePoint Web Application Services
  [+] GenericRead                        [INSTANCE]\Team Foundation Service Accounts
  [+] GenericWrite                       [INSTANCE]\Team Foundation Service Accounts
  [+] Impersonate                        [INSTANCE]\Team Foundation Service Accounts
  [+] TriggerEvent                       [INSTANCE]\Team Foundation Service Accounts
  [+] GenericRead                        [INSTANCE]\Team Foundation Administrators
  [+] GenericWrite                       [INSTANCE]\Team Foundation Administrators
  [+] TriggerEvent                       [INSTANCE]\Team Foundation Administrators
  [+] GenericRead                        DATUM1\jpeoples

Done.
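The "Effective ACL" block that /acl, /a+ and /a- print is the natural input for a least-privilege review. The Python below is an added example, not code from the page or from TFSSecurity: it parses that block, flags Server-namespace actions beyond GenericRead that are granted directly to a domain principal rather than to a TFS group, diffs the result against an expected baseline, and emits /a- and /a+ command lines in the syntax documented above. The sample text, the baseline, the sensitive-action set, and the rule that application groups print with a bracketed scope prefix are all assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample, in the format that `tfssecurity /acl` prints on this page.
# The last entry (Impersonate granted straight to a domain user) is not on the
# page; it is the finding this audit is meant to surface.
SAMPLE_ACL_OUTPUT = r"""
TFSSecurity - Team Foundation Server Security Tool
Copyright (c) Microsoft Corporation.  All rights reserved.
The target Team Foundation Server is http://ADatumCorporation:8080/.
Retrieving the access control list for object "Server"...

Effective ACL on object "FrameworkGlobalSecurity":
  [+] GenericRead                        [INSTANCE]\Team Foundation Valid Users
  [+] GenericRead                        [INSTANCE]\Team Foundation Service Accounts
  [+] GenericWrite                       [INSTANCE]\Team Foundation Service Accounts
  [+] Impersonate                        [INSTANCE]\Team Foundation Service Accounts
  [+] GenericRead                        [INSTANCE]\Team Foundation Administrators
  [+] GenericWrite                       [INSTANCE]\Team Foundation Administrators
  [+] GenericRead                        DATUM1\jpeoples
  [+] Impersonate                        DATUM1\jpeoples

Done.
"""

# Server-namespace actions that go beyond read access (action names from the page;
# treating them as "sensitive" is this example's assumption).
SENSITIVE_ACTIONS = {"GenericWrite", "Impersonate", "TriggerEvent"}

HEADER_RE = re.compile(r'^Effective ACL on object "([^"]+)":\s*$')
# Only the "[+]" (allowed) marker is shown on the page; other markers are left unparsed.
ACE_RE = re.compile(r"^\s*\[\+\]\s+(\S+)\s+(.+?)\s*$")


@dataclass(frozen=True)
class Ace:
    action: str
    identity: str


def parse_effective_acl(text):
    """Return (token, [Ace, ...]) from the 'Effective ACL' block of tfssecurity output."""
    token, aces, in_block = None, [], False
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            token, in_block = header.group(1), True
            continue
        if not in_block:
            continue
        if not line.strip():  # the block ends at the first blank line
            break
        ace = ACE_RE.match(line)
        if ace:
            aces.append(Ace(ace.group(1), ace.group(2)))
    return token, aces


def is_application_group(identity):
    # Assumption drawn from the page's output: TFS application groups print with a
    # bracketed scope prefix ([INSTANCE]\..., [Collection0]\...); domain principals do not.
    return identity.startswith("[")


def sensitive_direct_grants(aces):
    """Sensitive actions granted straight to a domain user or group instead of via a TFS group."""
    return [a for a in aces
            if a.action in SENSITIVE_ACTIONS and not is_application_group(a.identity)]


def diff_against_baseline(aces, baseline):
    """baseline: set of Ace expected to be present. Returns (unexpected, missing), each sorted."""
    actual = set(aces)
    key = lambda a: (a.action, a.identity)
    return sorted(actual - baseline, key=key), sorted(baseline - actual, key=key)


def remediation_commands(unexpected, missing, namespace, token, server_url):
    """Build /a- and /a+ command lines in the syntax documented on this page.

    Domain principals use the n: specifier as in the page's examples. Application
    groups need the specifiers documented separately (TFSSecurity Identity and
    Output Specifiers), so they are returned for manual review instead.
    """
    commands, manual = [], []
    for verb, entries in (("/a-", unexpected), ("/a+", missing)):
        for ace in entries:
            if is_application_group(ace.identity):
                manual.append((verb, ace))
                continue
            commands.append(
                f"tfssecurity {verb} {namespace} {token} {ace.action} "
                f"n:{ace.identity} ALLOW /server:{server_url}"
            )
    return commands, manual
```

Run the same parser over the output of the /acl command for each token you care about and keep the baseline under version control; the diff then becomes a change-detection check rather than a one-off review.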

Groups

/g: List the groups

Use /g to list the groups in a team project, in a team project collection, or across Team Foundation Server.

tfssecurity /g [scope] [/collection:CollectionURL] [/server:ServerURL]

Required Permissions

To use the /g command, you must have the View collection-level information or the View instance-level information permission set to Allow, depending on whether you are using the /collection or /server parameter, respectively. To use the /g command within the scope of a single team project, you must have the View project-level information permission set to Allow. For more information, see Permission reference for Team Foundation Server.

Parameters

Argument

Description

scope

Optional. Specifies the URI of the team project for which you want to display groups. To obtain the URI for a team project, open Team Explorer, right-click the team project, click Properties, and copy the entire entry for URL.

/collection:CollectionURL

Required if /server is not used. Specifies the URL of a team project collection in the following format: http://ServerName:Port/VirtualDirectoryName/CollectionName

/server:ServerURL

Required if /collection is not used. Specifies the URL of an application-tier server in the following format: http://ServerName:Port/VirtualDirectoryName

Remarks

Run this command on an application-tier server for Team Foundation.

The /g command of the TFSSecurity command-line utility displays information about every group within the selected scope. This scope can be the team project collection (/collection) or the application-tier server (/server). If used with the scope of a team project, it will display information only about the groups associated with that team project.

Example

The following example displays information for all the groups within a team project collection.

tfssecurity /g /collection:CollectionURL

/g+: Add a user or another group to an existing group

Use /g+ to add a user or another group to an existing group.

tfssecurity /g+ groupIdentity memberIdentity [/collection:CollectionURL] [/server:ServerURL]

Required Permissions

To use the /g+ command, you must have the View collection-level information and Edit collection-level information or the View instance-level information and Edit instance-level information permissions set to Allow, depending on whether you are using the /collection or /server parameter, respectively. For more information, see Permission reference for Team Foundation Server.

Parameters

Argument

Description

groupIdentity

Specifies the group identity. For more information on valid identity specifiers, see TFSSecurity Identity and Output Specifiers.

memberIdentity

Specifies the member identity. For more information on valid identity specifiers, see TFSSecurity Identity and Output Specifiers.

/collection:CollectionURL

Required if /server is not used. Specifies the URL of a team project collection in the following format: http://ServerName:Port/VirtualDirectoryName/CollectionName

/server:ServerURL

Required if /collection is not used. Specifies the URL of an application-tier server in the following format: http://ServerName:Port/VirtualDirectoryName

Remarks

Run this command on an application-tier server for Team Foundation.

You can also add users and groups to an existing group using Team Explorer. For more information, see Add Users to a Collection-Level Group.

Examples

The following example adds the Datum1 domain user John Peoples (Datum1\jpeoples) to the Team Foundation Administrators group.

Note:
The examples are for illustration only and are fictitious. No real association is intended or inferred.

tfssecurity /g+ "Team Foundation Administrators" n:Datum1\jpeoples /server:http://ADatumCorporation:8080

Sample output:

TFSSecurity - Team Foundation Server Security Tool
Copyright (c) Microsoft Corporation.  All rights reserved.

The target Team Foundation Server is http://ADatumCorporation:8080/.
Resolving identity "Team Foundation Administrators"...
a [A] [INSTANCE]\Team Foundation Administrators
Resolving identity "n:Datum1\jpeoples"...
  [U] DATUM1\jpeoples (John Peoples)
Adding John Peoples to [INSTANCE]\Team Foundation Administrators...
Verifying...

SID: S-1-9-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-0-0-0-0-1

DN:

Identity type: Team Foundation Server application group
   Group type: AdministrativeApplicationGroup
Project scope: Server scope
 Display name: [INSTANCE]\Team Foundation Administrators
  Description: Members of this group can perform all operations on the Team Foundation Application Instance.

4 member(s):
  [U] Datum1\hholt (Holly Holt)
  [U] Datum1\jpeoples (John Peoples)
  [G] BUILTIN\Administrators (BUILTIN\Administrators)
s [A] [INSTANCE]\Team Foundation Service Accounts

Member of 2 group(s):
a [A] [Collection0]\Project Collection Administrators
e [A] [INSTANCE]\Team Foundation Valid Users

Done.

/g-: Remove a user or group

Use /g- to remove a user or a user group from an existing group.

tfssecurity /g- groupIdentity memberIdentity [/collection:CollectionURL] [/server:ServerURL]

Required Permissions

To use the /g- command, you must have the View collection-level information and Edit collection-level information or the View instance-level information and Edit instance-level information permissions set to Allow, depending on whether you are using the /collection or /server parameter, respectively. For more information, see Permission reference for Team Foundation Server.

Parameters

Argument

Description

groupIdentity

Specifies the group identity. For more information about valid identity specifiers, see TFSSecurity Identity and Output Specifiers.

memberIdentity

Specifies the member identity. For more information about valid identity specifiers, see TFSSecurity Identity and Output Specifiers.

/collection:CollectionURL

Required if /server is not used. Specifies the URL of a team project collection in the following format: http://ServerName:Port/VirtualDirectoryName/CollectionName

/server:ServerURL

Required if /collection is not used. Specifies the URL of an application-tier server in the following format: http://ServerName:Port/VirtualDirectoryName

Remarks

Run this command on an application-tier server for Team Foundation.

You can also remove users and groups from an existing group using Team Explorer. For more information, see Remove Users from a Team Project Group, Remove Users from a Default Group or Remove Users from a Collection-Level Group.

Examples

The following example removes the Datum1 domain user John Peoples (Datum1\jpeoples) from the Team Foundation Administrators group.

Note:
The examples are for illustration only and are fictitious. No real association is intended or inferred.

tfssecurity /g- "Team Foundation Administrators" n:Datum1\jpeoples /server:http://ADatumCorporation:8080

Sample output:

TFSSecurity - Team Foundation Server Security Tool
Copyright (c) Microsoft Corporation.  All rights reserved.

The target Team Foundation Server is http://ADatumCorporation:8080/.
Resolving identity "Team Foundation Administrators"...
a [A] [INSTANCE]\Team Foundation Administrators
Resolving identity "n:Datum1\jpeoples"...
  [U] DATUM1\jpeoples (John Peoples)
Removing John Peoples from [INSTANCE]\Team Foundation Administrators...
Verifying...

SID: S-1-9-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-0-0-0-0-1

DN:

Identity type: Team Foundation Server application group
   Group type: AdministrativeApplicationGroup
Project scope: Server scope
 Display name: [INSTANCE]\Team Foundation Administrators
  Description: Members of this group can perform all operations on the Team Foundation Application Instance.

3 member(s):
  [U] Datum1\hholt (Holly Holt)
  [G] BUILTIN\Administrators (BUILTIN\Administrators)
s [A] [INSTANCE]\Team Foundation Service Accounts

Member of 2 group(s):
a [A] [Collection0]\Project Collection Administrators
e [A] [INSTANCE]\Team Foundation Valid Users

Done.
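Both /g+ and /g- end by printing the group's resulting membership, which makes them a convenient source for a periodic check on who sits in Team Foundation Administrators. The Python below is an added example, not code from the page or from TFSSecurity: it parses the "N member(s):" block, compares the direct users against an approved list (case-insensitively, because the page's own output prints the same account as both Datum1\jpeoples and DATUM1\jpeoples), reports nested groups that are not expected, and builds /g- command lines in the syntax above for the unapproved users. The sample output, the approved list, the expected nested groups, and the reading of [U]/[G]/[A] as user, Windows group and TFS application group are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample in the membership-listing format that /g+ and /g- print on this
# page. The third user (Datum1\svc-build) is not on the page; it is a planted finding.
SAMPLE_GROUP_OUTPUT = r"""
TFSSecurity - Team Foundation Server Security Tool
Copyright (c) Microsoft Corporation.  All rights reserved.

The target Team Foundation Server is http://ADatumCorporation:8080/.
Resolving identity "Team Foundation Administrators"...
a [A] [INSTANCE]\Team Foundation Administrators
Verifying...

SID: S-1-9-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-0-0-0-0-1

DN:

Identity type: Team Foundation Server application group
   Group type: AdministrativeApplicationGroup
Project scope: Server scope
 Display name: [INSTANCE]\Team Foundation Administrators
  Description: Members of this group can perform all operations on the Team Foundation Application Instance.

5 member(s):
  [U] Datum1\hholt (Holly Holt)
  [U] Datum1\jpeoples (John Peoples)
  [U] Datum1\svc-build (Build Service)
  [G] BUILTIN\Administrators (BUILTIN\Administrators)
s [A] [INSTANCE]\Team Foundation Service Accounts

Member of 2 group(s):
a [A] [Collection0]\Project Collection Administrators
e [A] [INSTANCE]\Team Foundation Valid Users

Done.
"""

COUNT_RE = re.compile(r"^(\d+) member\(s\):\s*$")
# Optional one-letter flag before the bracket (seen as "a", "s", "e" on the page) is
# captured loosely and not interpreted; [U]/[G]/[A] is the member kind; the display
# name in parentheses is optional.
MEMBER_RE = re.compile(r"^(?:[a-z]\s)?\s*\[([UGA])\]\s+(.+?)(?:\s+\((.*)\))?\s*$")


@dataclass(frozen=True)
class Member:
    kind: str      # U = user, G = Windows group, A = TFS application group (inferred from the page)
    name: str
    display: str


def parse_members(text):
    """Return (declared_count, [Member, ...]) from the 'N member(s):' block."""
    declared, members, in_block = None, [], False
    for line in text.splitlines():
        count = COUNT_RE.match(line)
        if count:
            declared, in_block = int(count.group(1)), True
            continue
        if not in_block:
            continue
        if not line.strip():  # the block ends at the first blank line
            break
        m = MEMBER_RE.match(line)
        if m:
            members.append(Member(m.group(1), m.group(2), m.group(3) or ""))
    return declared, members


def count_is_consistent(declared, members):
    """True when the count TFSSecurity declared matches what was actually parsed."""
    return declared == len(members)


def review_admin_membership(members, approved_users, expected_groups):
    """Flag direct users not on the approved list and nested groups that are not expected.

    Comparison is case-insensitive: the page shows the same account printed as
    Datum1\\jpeoples and DATUM1\\jpeoples, so an exact match would miss it.
    """
    approved = {u.lower() for u in approved_users}
    expected = {g.lower() for g in expected_groups}
    findings = []
    for m in members:
        if m.kind == "U" and m.name.lower() not in approved:
            findings.append(("unapproved-user", m.name))
        elif m.kind in ("G", "A") and m.name.lower() not in expected:
            findings.append(("unexpected-nested-group", m.name))
    return findings


def removal_commands(findings, group_name, server_url):
    """/g- command lines (page syntax, n: specifier) for unapproved direct users only;
    nested groups stay in the findings list for manual review."""
    return [f'tfssecurity /g- "{group_name}" n:{name} /server:{server_url}'
            for kind, name in findings if kind == "unapproved-user"]
```

Nested Windows groups such as BUILTIN\Administrators hide their own members from this listing, so treat an unexpected nested group as a finding to expand separately rather than something this check can clear.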

/gc: Create a project-level group

Use /gc at a command prompt to create a project-level group. To create a project-level group from the user interface, see Manage users or groups.

tfssecurity /gc Scope GroupName [GroupDescription] [/collection:CollectionURL]

Required Permissions

To use the /gc command, you must have the Edit Project-Level Information permission for that team project set to Allow. For more information, see Permission reference for Team Foundation Server.

Parameters

Argument

Description

Scope

The URI of the team project to which you want to add a project-level group. To obtain the URI for a team project, connect to it, and open Team Explorer, hover over the name of the project in Home, and read the address. Alternatively, connect to the project in Web Access and copy the URL.

GroupName

The name of the new group.

GroupDescription

A description of the project group. Optional.

/collection:CollectionURL

The URL of the team project collection. Required. The group will be created within the team project collection. The format for the URL is http://ServerName:Port/VirtualDirectoryName/CollectionName

Remarks

Run this command on an application-tier server for Team Foundation.

A project-level group is a security group for your team project. You can use project groups to grant read, write, and administrative permissions that meet the security requirements of your organization.

Example

The following example creates a group that is specific to the project that the URI "vstfs://Classification/TeamProject/00000000-0000-0000-0000-000000000000" specifies. The group is named "Test Group" and has the description "This group is for testing."

Note:
The examples are for illustration only and are fictitious. No real association is intended or inferred.

You must replace the placeholder GUID with the URI of the team project for which you want to create this group. To obtain the URI for a team project, open Team Explorer, right-click the team project, click Properties, and copy the entire value of the URL property.

After you run the command, you can verify the group in Team Explorer. Right-click the team project that you used in the command, click Team Project Settings, and then click Group Memberships. In the Project Groups on TeamProjectName dialog box, the Groups list includes Test Group.

Note:
You can use the /gc command to create groups but not to add any users to the groups or assign any permissions. To change the membership of the group, see /g+: Add a user or another group to an existing group and /g-: Remove a user or group. To change the permissions for the group, see /a+: Add permissions and /a-: Remove a user or a group from membership in a group.

tfssecurity /gc "vstfs:///Classification/TeamProject/00000000-0000-0000-0000-000000000000" "Test Group" "This group is for team members who test our code" /collection:CollectionURL

/gcg: Create a server or collection-level group

Use the /gcg command to create a server-level or collection-level group. To create a server-level or collection-level group from the user interface, see Manage users or groups.

tfssecurity /gcg GroupName [GroupDescription] [/collection:CollectionURL] [/server:ServerURL]

Required Permissions

To use the /gcg command, you must have the Edit project-level information permission for that team project set to Allow. For more information, see Permission reference for Team Foundation Server.

Parameters

Argument

Description

GroupName

The group name.

GroupDescription

A description of the group. Optional.

/collection:CollectionURL

Required if /server is not used. Specifies the URL of a team project collection in the following format: http://ServerName:Port/VirtualDirectoryName/CollectionName

/server:ServerURL

Required if /collection is not used. Specifies the URL of an application-tier server in the following format: http://ServerName:Port/VirtualDirectoryName

Remarks

Run this command on an application-tier server for Team Foundation.

Server-level groups are created directly on the application tier and apply to all team project collections. Collection-level groups are created at the team project collection level. They apply to that collection and have implications for all team projects within the collection. In contrast, team project groups apply to a specific project within a collection but not to any other projects in that collection. You can assign permissions to server-level groups so that members of those groups can perform tasks in Team Foundation Server (TFS) itself, such as creating team project collections. You can assign permissions to collection-level groups so that members of those groups can perform tasks across a team project collection, such as administering users.

Note:
You can use the /gcg command to create groups, but you cannot use it to add any users to the groups or assign any permissions. For information about how to change the membership of a group, see /g+: Add a user or another group to an existing group and /g-: Remove a user or group. For information about how to change the permissions for the group, see /a+: Add permissions and /a-: Remove a user or a group from membership in a group.

Example

The following example creates a collection-level group that is named "Datum Testers" with the description "A. Datum Corporation Testers."

Note:
The examples are for illustration only and are fictitious. No real association is intended or inferred.

tfssecurity /gcg "Datum Testers" "A. Datum Corporation Testers" /collection:CollectionURL

The following example creates a server-level group that is named "Datum Auditors" with the description "A. Datum Corporation Auditors."

tfssecurity /gcg "Datum Auditors" "A. Datum Corporation Auditors" /server:ServerURL

/gd: Delete a server or collection-level group

Use /gd to delete a server-level or collection-level group.

tfssecurity /gd groupIdentity [/collection:CollectionURL] [/server:ServerURL]

Required Permissions

To use the /gd command, you must have the View collection-level information and Edit collection-level information or the View instance-level information and Edit instance-level information permissions set to Allow, depending on whether you are using the /collection or /server parameter, respectively. For more information, see Permission reference for Team Foundation Server.

Parameters

Argument | Description
groupIdentity | Specifies the group identity.
/collection:CollectionURL | Required if /server is not used. Specifies the URL of a team project collection in the following format: http://ServerName:Port/VirtualDirectoryName/CollectionName
/server:ServerURL | Required if /collection is not used. Specifies the URL of an application-tier server in the following format: http://ServerName:Port/VirtualDirectoryName

Remarks

Run this command on an application-tier server for Team Foundation.

You can also remove groups on Team Explorer. For more information, see Remove a Collection-Level Group and Remove a Team Project Group.

Example

The following example deletes a group from the team project collection. The group is identified by "S-1-5-21-2127521184-1604012920-1887927527-588340", the security identifier (SID). For more information about finding the SID of a group, see /im: Display information about identities that compose direct membership. You can also use the friendly name to delete a group.

Note:
The examples are for illustration only and are fictitious. No real association is intended or inferred.

tfssecurity /gd S-1-5-21-2127521184-1604012920-1887927527-588340 /collection:CollectionURL

/gud: Change the description for a server or collection-level group

Use /gud to change the description for a server-level or collection-level group.

tfssecurity /gud GroupIdentity GroupDescription [/collection:CollectionURL] [/server:ServerURL]

Required Permissions

To use the /gud command, you must have the Edit project-level information permission set to Allow. For more information, see Permission reference for Team Foundation Server.

Parameters

Argument | Description
GroupIdentity | Specifies the group identity. For more information about valid identity specifiers, see TFSSecurity Identity and Output Specifiers.
GroupDescription | Specifies the new description for the group.
/collection:CollectionURL | Required if /server is not used. Specifies the URL of a team project collection in the following format: http://ServerName:Port/VirtualDirectoryName/CollectionName
/server:ServerURL | Required if /collection is not used. Specifies the URL of an application-tier server in the following format: http://ServerName:Port/VirtualDirectoryName

Remarks

Run this command on an application-tier server for Team Foundation.

Example

The following example associates the description "The members of this group test the code for this project" with the group "Datum Testers."

Note:
The examples are for illustration only and are fictitious. No real association is intended or inferred.

tfssecurity /gud "Datum Testers" "The members of this group test the code for this project" /collection:CollectionURL

/gun: Rename a group

Use /gun to rename a server-level or collection-level group.

tfssecurity /gun GroupIdentity GroupName [/collection:CollectionURL] [/server:ServerURL]

Required Permissions

To use the /gun command, you must have the View collection-level information and Edit collection-level information or the View instance-level information and Edit instance-level information permissions set to Allow, depending on whether you are using the /collection or /server parameter, respectively. For more information, see Permission reference for Team Foundation Server.

Parameters

Argument | Description
GroupIdentity | Specifies the group identity. For more information about valid identity specifiers, see TFSSecurity Identity and Output Specifiers.
GroupName | Specifies the new name of the group.
/collection:CollectionURL | Required if /server is not used. Specifies the URL of a team project collection in the following format: http://ServerName:Port/VirtualDirectoryName/CollectionName
/server:ServerURL | Required if /collection is not used. Specifies the URL of an application-tier server in the following format: http://ServerName:Port/VirtualDirectoryName

Remarks

Run this command on an application-tier server for Team Foundation.

Example

The following example renames the collection-level group "A. Datum Corporation Testers" to "A. Datum Corporation Test Engineers."

Note:
The examples are for illustration only and are fictitious. No real association is intended or inferred.

tfssecurity /gun "A. Datum Corporation Testers" "A. Datum Corporation Test Engineers" /collection:CollectionURL

Identities and membership

/i: Display identity information for a specified group

Use /i to display identity information for a specified group in a deployment of Team Foundation Server.

tfssecurity /i Identity [/collection:CollectionURL] [/server:ServerURL]

Required Permissions

To use the /i command, you must have the View collection-level information or the View instance-level information permission set to Allow, depending on whether you are using the /collection or /server parameter, respectively. For more information, see Permission reference for Team Foundation Server.

Parameters

Argument | Description
Identity | The identity of the user or the application group. For more information about identity specifiers, see TFSSecurity Identity and Output Specifiers.
/collection:CollectionURL | Required if /server is not used. Specifies the URL of a team project collection in the following format: http://ServerName:Port/VirtualDirectoryName/CollectionName
/server:ServerURL | Required if /collection is not used. Specifies the URL of an application-tier server in the following format: http://ServerName:Port/VirtualDirectoryName

Remarks

Run this command on an application-tier server for Team Foundation.

The /i command of the TFSSecurity command-line utility displays information about each group within the team project collection (/server) or the application-tier server (/instance). It does not display any membership information.

Examples

The following example displays identity information for the "Team Foundation Administrators" group.

Note:
The examples are for illustration only and are fictitious. No real association is intended or inferred.

tfssecurity /i "Team Foundation Administrators" /server:ServerURL 

Sample output:

Resolving identity "Team Foundation Administrators"...

SID: S-1-9-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-0-0-0-0-1

DN:

Identity type: Team Foundation Server application group
   Group type: AdministrativeApplicationGroup
Project scope: Server scope
 Display name: Team Foundation Administrators
  Description: Members of this application group can perform all privileged operations on the server.

The following example displays identity information for the Project Collection Administrators group using the adm: identity specifier.

tfssecurity /i adm: /collection:CollectionURL 

Sample output:

Resolving identity "adm:"...

SID: S-1-9-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-0-0-0-0-1

DN:

Identity type: Team Foundation Server application group
   Group type: AdministrativeApplicationGroup
Project scope: Server scope
 Display name: [DatumOne]\Project Collection Administrators
  Description: Members of this application group can perform all privileged operations on the team project collection.

The following example displays identity information for the Project Administrators group for the "Datum" project by using the adm: identity specifier.

tfssecurity /i adm:vstfs:///Classification/TeamProject/ProjectGUID /collection:CollectionURL 

Sample output:

Resolving identity "adm:vstfs:///Classification/TeamProject/ProjectGUID"...

SID: S-1-9-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-0-0-0-0-1

DN:

Identity type: Team Foundation Server application group
   Group type: AdministrativeApplicationGroup
Project scope: Datum
 Display name: [Datum]\Project Administrators
  Description: Members of this application group can perform all operations in the team project.

/im: Display information about identities that compose direct membership

Use /im to display information about the identities that compose the direct membership of a group that you specify.

tfssecurity /im Identity [/collection:CollectionURL] [/server:ServerURL]

Required Permissions

To use the /im command, you must have the View collection-level information or the View instance-level information permission set to Allow, depending on whether you are using the /collection or /server parameter, respectively. For more information, see Permission reference for Team Foundation Server.

Parameters

Argument | Description
Identity | The identity of the user or the group. For more information about identity specifiers, see TFSSecurity Identity and Output Specifiers.
/collection:CollectionURL | Required if /server is not used. Specifies the URL of a team project collection in the following format: http://ServerName:Port/VirtualDirectoryName/CollectionName
/server:ServerURL | Required if /collection is not used. Specifies the URL of an application-tier server in the following format: http://ServerName:Port/VirtualDirectoryName

Remarks

Run this command on an application-tier server for Team Foundation.

The /im command of TFSSecurity displays the direct members of the specified group only. This list includes other groups that are members of the specified group. However, the actual members of the member groups are not listed.

Examples

The following example displays direct membership identity information for the "Team Foundation Administrators" group in the domain "Datum1" at the fictitious company "A. Datum Corporation".

Note:
The examples are for illustration only and are fictitious. No real association is intended or inferred.

tfssecurity /im "Team Foundation Administrators" /server:ServerURL

Sample output:

Resolving identity "Team Foundation Administrators"...

SID: S-1-9-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-0-0-0-0-1

DN:

Identity type: Team Foundation Server application group
Group type: AdministrativeApplicationGroup
Project scope: Server scope
Display name: Team Foundation Administrators
Description: Members of this application group can perform all privileged operations on the server.

3 member(s):
  [U] Datum1\hholt (Holt, Holly)
  [G] BUILTIN\Administrators (BUILTIN\Administrators)
s [A] [InstanceName]\Team Foundation Service Accounts

Member of 2 group(s):
a [A] [DatumOne]\Project Collection Administrators ([DatumOne]\Project Collection Administrators)
e [A] [InstanceName]\Team Foundation Valid Users

Done.

The following example displays identity information for the Project Collection Administrators group in the "DatumOne" team project collection in the domain "Datum1" at the fictitious company "A. Datum Corporation" by using the adm: identity specifier.

tfssecurity /im adm: /collection:CollectionURL 

Sample output:

Resolving identity "adm: "...

SID: S-1-9-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-0-0-0-0-1

DN:

Identity type: Team Foundation Server application group
Group type: AdministrativeApplicationGroup
Project scope: Server scope
Display name: [DatumOne]\Project Collection Administrators
Description: Members of this application group can perform all privileged operations on the team project collection.

5 member(s):
  [U] Datum1\jpeoples (Peoples, John)
  [U] Datum1\hholt (Holt, Holly)
  [G] BUILTIN\Administrators (BUILTIN\Administrators)
a [A] [InstanceName]\Team Foundation Administrators
s [A] [DatumOne]\Project Collection Service Accounts ([DatumOne]\Project Collection Service Accounts)

Member of 1 group(s):
e [A] [DatumOne]\Project Collection Valid Users ([DatumOne]\Project Collection Valid Users)

Done.

The following example displays identity information for the Project Administrators group for the "Datum" project in the "DatumOne" team project collection in the domain "Datum1" at the fictitious company "A. Datum Corporation" using the adm: identity specifier.

tfssecurity /im adm:vstfs:///Classification/TeamProject/ProjectGUID /collection:CollectionURL 

Sample output:

Resolving identity "adm:vstfs:///Classification/TeamProject/ProjectGUID"...

SID: S-1-9-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXX

DN:

Identity type: Team Foundation Server application group
Group type: AdministrativeApplicationGroup
Project scope: Datum
Display name: [Datum]\Project Administrators
Description: Members of this application group can perform all operations in the team project.

2 member(s):
  [U] Datum1\jpeoples (Peoples, John)
  [U] Datum1\hholt (Holt, Holly)

Member of 1 group(s):
e [A] [DatumOne]\Project Collection Valid Users ([DatumOne]\Project Collection Valid Users)

Done.

/imx: Display information about the identities that compose the expanded membership

Use /imx to display information about the identities that compose the expanded membership of a specified group.

tfssecurity /imx Identity [/collection:CollectionURL] [/server:ServerURL]

Required Permissions

To use the /imx command, you must have the View collection-level information or the View instance-level information permission set to Allow, depending on whether you are using the /collection or /server parameter, respectively. For more information, see Permission reference for Team Foundation Server.

Parameters

Argument | Description
Identity | The identity of the user or the group. For more information about identity specifiers, see TFSSecurity Identity and Output Specifiers.
/collection:CollectionURL | Required if /server is not used. Specifies the URL of a team project collection in the following format: http://ServerName:Port/VirtualDirectoryName/CollectionName
/server:ServerURL | Required if /collection is not used. Specifies the URL of an application-tier server in the following format: http://ServerName:Port/VirtualDirectoryName

Remarks

Run this command on an application-tier server for Team Foundation.

The /imx command of TFSSecurity displays the expanded members of the specified group only. This list includes not only other groups that are members of the specified group but also the members of the member groups.

Examples

The following example displays expanded membership identity information for the "Team Foundation Administrators" group in the domain "Datum1" at the fictitious company "A. Datum Corporation".

Note:
The examples are for illustration only and are fictitious. No real association is intended or inferred.

tfssecurity /imx "Team Foundation Administrators" /server:ServerURL

Sample output:

Resolving identity "Team Foundation Administrators"...

SID: S-1-9-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-0-0-0-0-1

DN:

Identity type: Team Foundation Server application group
Group type: AdministrativeApplicationGroup
Project scope: Server scope
Display name: Team Foundation Administrators
Description: Members of this application group can perform all privileged operations on the server.

10 member(s):
  [U] Datum1\hholt (Holly Holt)
  [U] Datum1\jpeoples (John Peoples)
  [U] Datum1\tommyh (Tommy Hartono)
  [U] Datum1\henriea (Henriette Andersen)
  [U] Datum1\djayne (Darcy Jayne)
  [U] Datum1\aprilr (April Reagan)
  [G] Datum1\InfoSec Secure Environment
  [U] Datum1\nbento (Nuno Bento)
  [U] Datum1\cristp (Cristian Petculescu)
  [G] BUILTIN\Administrators (BUILTIN\Administrators)
s [A] [InstanceName]\Team Foundation Service Accounts

Member of 3 group(s):
a [A] [DatumOne]\Project Collection Administrators ([DatumOne]\Project Collection Administrators)
e [A] [DatumOne]\Project Collection Valid Users ([DatumOne]\Project Collection Valid Users)
e [A] [InstanceName]\Team Foundation Valid Users

Done.

The following example displays identity information for the Project Collection Administrators group in the "DatumOne" team project collection in the domain "Datum1" at the fictitious company "A. Datum Corporation" using the adm: identity specifier.

tfssecurity /imx adm: /collection:CollectionURL 

Sample output:

Resolving identity "adm: "...

SID: S-1-9-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-0-0-0-0-1

DN:

Identity type: Team Foundation Server application group
Group type: AdministrativeApplicationGroup
Project scope: Server scope
Display name: [DatumOne]\Project Collection Administrators
Description: Members of this application group can perform all privileged operations on the team project collection.

6 member(s):
  [U] Datum1\jpeoples (Peoples, John)
  [U] Datum1\hholt (Holt, Holly)
  [G] BUILTIN\Administrators (BUILTIN\Administrators)
a [A] [InstanceName]\Team Foundation Administrators
s [A] [InstanceName]\Team Foundation Service Accounts
s [A] [DatumOne]\Project Collection Service Accounts ([DatumOne]\Project Collection Service Accounts)

Member of 1 group(s):
e [A] [DatumOne]\Project Collection Valid Users ([DatumOne]\Project Collection Valid Users)

Done.

The following example displays identity information for the Project Administrators group for the "Datum" project in the "DatumOne" team project collection in the domain "Datum1" at the fictitious company "A. Datum Corporation" using the adm: identity specifier.

tfssecurity /imx adm:vstfs:///Classification/TeamProject/ProjectGUID /collection:CollectionURL 

Sample output:

Resolving identity "adm:vstfs:///Classification/TeamProject/ProjectGUID"...

SID: S-1-9-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXX

DN:

Identity type: Team Foundation Server application group
Group type: AdministrativeApplicationGroup
Project scope: Datum
Display name: [Datum]\Project Administrators
Description: Members of this application group can perform all operations in the team project.

2 member(s):
  [U] Datum1\jpeoples (Peoples, John)
  [U] Datum1\hholt (Holt, Holly)

Member of 2 group(s):
e [A] [DatumOne]\Project Collection Valid Users ([DatumOne]\Project Collection Valid Users)
e [A] [InstanceName]\Team Foundation Valid Users

Done.

For more information about the output specifiers, such as [G] and [U], see TFSSecurity Identity and Output Specifiers.
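As an added example (not part of this documentation or of the TFSSecurity tool), the following Python script parses the text that /im and /imx print, using the identity type markers documented in the Type Markers section of this page, and lists what a privileged-access review of an administrative group would call out. The sample text is constructed from the page's fictitious A. Datum output; the "e" prefix letter is not documented on this page and is recorded but not interpreted.

```python
import re
from dataclasses import dataclass

# Identity type markers as listed in this page's Type Markers section.
TYPE_MARKERS = {"U": "Windows user", "G": "Windows group", "A": "TFS application group",
                "X": "invalid identity", "?": "unknown identity"}

# One member line: optional prefix letter (a, s, ...), [marker], name, optional "(friendly name)".
MEMBER_RE = re.compile(r"^\s*([a-z]?)\s*\[([UGAX?])\]\s+(.+?)(?:\s+\((.*)\))?\s*$")
MEMBERS_HDR = re.compile(r"^(\d+) member\(s\):$")
MEMBER_OF_HDR = re.compile(r"^Member of (\d+) group\(s\):$")
FIELD_RE = re.compile(r"^([A-Za-z ]+):\s*(.*)$")   # "SID: ...", "Group type: ...", "DN:"


@dataclass
class Identity:
    qualifier: str  # letter printed before [A] (a, s, ...) or "" when none
    kind: str       # U, G, A, X or ?
    name: str       # account name or [scope]\group display name
    friendly: str   # parenthesised display name, or name when it is absent


def parse_identity_output(text):
    """Parse the text that tfssecurity /im or /imx prints for one identity."""
    fields, members, member_of = {}, [], []
    declared = {"members": None, "member_of": None}
    target = None  # list currently being filled: members or member_of
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith("Resolving identity") or line == "Done.":
            continue
        if (m := MEMBERS_HDR.match(line)):
            declared["members"], target = int(m.group(1)), members
        elif (m := MEMBER_OF_HDR.match(line)):
            declared["member_of"], target = int(m.group(1)), member_of
        elif target is not None and (m := MEMBER_RE.match(line)):
            qualifier, kind, name, friendly = m.groups()
            target.append(Identity(qualifier, kind, name, friendly or name))
        elif target is None and (m := FIELD_RE.match(line)):
            fields[m.group(1)] = m.group(2)
    return {"fields": fields, "members": members, "member_of": member_of, "declared": declared}


def review_findings(report):
    """What a privileged-access review of the parsed group would call out."""
    findings = []
    is_admin = report["fields"].get("Group type") == "AdministrativeApplicationGroup"
    for ident in report["members"]:
        if ident.kind == "U" and is_admin:
            findings.append(f"direct user in administrative group: {ident.name} ({ident.friendly})")
        elif ident.kind == "G":
            # /im shows a nested Windows group as one line; /imx is needed to see who is in it.
            findings.append(f"nested Windows group, expand with /imx: {ident.name}")
        elif ident.kind in ("X", "?"):
            findings.append(f"{TYPE_MARKERS[ident.kind]}, should be removed: {ident.name}")
    return findings


# Constructed sample in the format of the /im output shown above (fictitious A. Datum data).
SAMPLE_IM_OUTPUT = r"""Resolving identity "Team Foundation Administrators"...

SID: S-1-9-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-0-0-0-0-1

DN:

Identity type: Team Foundation Server application group
Group type: AdministrativeApplicationGroup
Project scope: Server scope
Display name: Team Foundation Administrators
Description: Members of this application group can perform all privileged operations on the server.

4 member(s):
  [U] Datum1\hholt (Holt, Holly)
  [G] BUILTIN\Administrators (BUILTIN\Administrators)
  [G] Datum1\InfoSec Secure Environment
s [A] [InstanceName]\Team Foundation Service Accounts

Member of 2 group(s):
a [A] [DatumOne]\Project Collection Administrators ([DatumOne]\Project Collection Administrators)
e [A] [InstanceName]\Team Foundation Valid Users

Done.
"""

if __name__ == "__main__":
    report = parse_identity_output(SAMPLE_IM_OUTPUT)
    print("Group:", report["fields"]["Display name"], "| SID:", report["fields"]["SID"])
    for finding in review_findings(report):
        print(" -", finding)
```

To review a live deployment, feed the script the captured output of tfssecurity /imx for each administrative group instead of the constructed sample.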

/m: Check explicit and implicit group membership

Use /m to check explicit and implicit group membership information for a specified group or user.

tfssecurity /m GroupIdentity [MemberIdentity] [/collection:CollectionURL] [/server:ServerURL]

Required Permissions

To use the /m command, you must be a member of the Team Foundation Administrators security group. For more information, see Permission reference for Team Foundation Server.

Note:
Even if you are logged on with administrative credentials, you must open an elevated Command Prompt to perform this function.

Parameters

Argument | Description
GroupIdentity | Specifies the group identity. For more information on valid identity specifiers, see TFSSecurity Identity and Output Specifiers.
MemberIdentity | Specifies the member identity. By default, the value of this argument is the identity of the user who is running the command. For more information on valid identity specifiers, see TFSSecurity Identity and Output Specifiers.
/collection:CollectionURL | Required if /server is not used. Specifies the URL of a team project collection in the following format: http://ServerName:Port/VirtualDirectoryName/CollectionName
/server:ServerURL | Required if /collection is not used. Specifies the URL of an application-tier server in the following format: http://ServerName:Port/VirtualDirectoryName

Remarks

Run this command on the local application-tier computer.

The /m command of the TFSSecurity command-line utility checks both direct and extended memberships.

Examples

The following example verifies whether the user "Datum1\jpeoples" belongs to the Team Foundation Administrators server-level group.

Note:
The examples are for illustration only and are fictitious. No real association is intended or inferred.

tfssecurity /m "Team Foundation Administrators" n:Datum1\jpeoples /server:http://ADatumCorporation:8080

Sample output:

TFSSecurity - Team Foundation Server Security Tool
Copyright (c) Microsoft Corporation.  All rights reserved.

The target Team Foundation Server is http://ADatumCorporation:8080/.
Resolving identity "Team Foundation Administrators"...
a [A] [INSTANCE]\Team Foundation Administrators
Resolving identity "n:Datum1\jpeoples"...
  [U] DATUM1\jpeoples (John Peoples)
Checking group membership...

John Peoples IS a member of [INSTANCE]\Team Foundation Administrators.

Done.

Permission namespaces and actions

Server level

Permission | Namespace | Action
Administer warehouse | Warehouse | Administer
Create team project collection | CollectionManagement | CreateCollection
Delete team project collection | CollectionManagement | DeleteCollection
Edit instance-level information | Server | GENERIC_WRITE, tf: AdminConfiguration, tf: AdminConnections
Make requests on behalf of others | Server | Impersonate
Trigger events | Server | TRIGGER_EVENT
Use full Web Access features | Server | FullAccess
View instance-level information | Server | GENERIC_READ

Collection level

Permission | Namespace | Action
Administer build resource permissions | BuildAdministration | AdministerBuildResourcePermissions
Administer Project Server integration | ProjectServerAdministration | AdministerProjectServer
Administer shelved changes | VersionControlPrivileges | AdminShelvesets, tf: AdminShelvesets
Administer workspaces | VersionControlPrivileges | AdminWorkspaces, tf: AdminWorkspaces
Alter trace settings | Collection | DIAGNOSTIC_TRACE
Create a workspace | VersionControlPrivileges | tf: CreateWorkspace
Create new projects | Collection | CREATE_PROJECTS
Delete team project | Project | Delete
Edit collection-level information | Collection, VersionControlPrivileges | GENERIC_WRITE, tf: AdminConfiguration, tf: AdminConnections
Make requests on behalf of others | Server | Impersonate
Manage build resources | BuildAdministration | ManageBuildResources
Manage process template | Collection | MANAGE_TEMPLATE
Manage test controllers | Collection | MANAGE_TEST_CONTROLLERS
Trigger events | Collection | TRIGGER_EVENT
Use build resources | BuildAdministration | UseBuildResources
View build resources | BuildAdministration | ViewBuildResources
View collection-level information | Collection | GENERIC_READ
View system synchronization information | Collection | SYNCHRONIZE_READ
 | EventSubscription | CREATE_SOAP_SUBSCRIPTION
 | EventSubscription | GENERIC_READ
 | EventSubscription | GENERIC_WRITE
 | EventSubscription | UNSUBSCRIBE

Team project level

Permission | Namespace | Action
Create tag definition | Tagging | Create
Create test runs | Project | PUBLISH_TEST_RESULTS
Delete team project | Project | DELETE
Delete work items | Project | WORK_ITEM_DELETE
Delete test runs | Project | DELETE_TEST_RESULTS
Edit project-level information | Project | GENERIC_WRITE
Move work items out of this project | Project | WORK_ITEM_MOVE
Manage test configurations | Project | MANAGE_TEST_CONFIGURATIONS
Manage test environments | Project | MANAGE_TEST_ENVIRONMENTS
Permanently delete (destroy) work items in this project | Project | WORK_ITEM_PERMANENTLY_DELETE
View project-level information | Project | GENERIC_READ
View test runs | Project | VIEW_TEST_RESULTS

Build

Permission | Namespace | Action
Administer build permissions | Build | AdministerBuildPermissions
Delete build definition | Build | DeleteBuildDefinition
Delete builds | Build | DeleteBuilds
Destroy builds | Build | DestroyBuilds
Edit build definition | Build | EditBuildDefinition
Edit build quality | Build | EditBuildDefinition
Manage build qualities | Build | ManageBuildQualities
Manage build queue | Build | ManageBuildQueue
Override check-in validation by build | Build | OverrideBuildCheckInValidation
Queue builds | Build | QueueBuilds
Retain indefinitely | Build | RetainIndefinitely
Stop builds | Build | StopBuilds
Update build information | Build | UpdateBuildInformation
View build definition | Build | ViewBuildDefinition
View builds | Build | ViewBuilds

Work item query

Permission | Namespace | Action
Contribute | WorkItemQueryFolders | CONTRIBUTE
Delete | WorkItemQueryFolders | DELETE
Manage permissions | | MANAGEPERMISSIONS
Read | WorkItemQueryFolders | READ

Tagging

Permission | Namespace | Action
Create tag definition | Tagging | CREATE
Delete tag definition | Tagging | DELETE
Enumerate tag definition | Tagging | ENUMERATE
Update tag definition | Tagging | UPDATE

Area

Permission | Namespace | Action
Create child nodes | CSS | CREATE_CHILDREN
Delete this node | CSS | DELETE
Edit this node | CSS | GENERIC_WRITE
Edit work items in this node | CSS | WORK_ITEM_WRITE
Manage test plans | CSS | MANAGE_TEST_PLANS
Manage test suites | CSS | MANAGE_TEST_SUITES
View permissions for this node | CSS | GENERIC_READ
View work items in this node | CSS | WORK_ITEM_READ

Iteration

Permission | Namespace | Action
Create child nodes | Iteration | CREATE_CHILDREN
Delete this node | Iteration | DELETE
Edit this node | Iteration | GENERIC_WRITE
View permissions for this node | Iteration | GENERIC_WRITE

TFVC

Permission | Namespace | Action
Administer labels | VersionControlItems | LabelOthers
Check in | VersionControlItems | Checkin
Check in other users' changes | VersionControlItems | CheckinOther
Check out | VersionControlItems | PendChange
Label | VersionControlItems | Label
Lock | VersionControlItems | Lock
Manage branch | VersionControlItems | ManageBranch
Manage permissions | VersionControlItems | AdminProjectRights
Merge | VersionControlItems | VersionControlItems
Read | VersionControlItems |
Revise other users' changes | VersionControlItems | ReviseOther
Undo other users' changes | VersionControlItems | UndoOther
Unlock other users' changes | VersionControlItems | UnlockOther

Git repository

Permission | Namespace | Action
Administer | GitRepositories | Administer
Branch Creation | GitRepositories | CreateBranch
Contribute | GitRepositories | GenericContribute
Note Management | GitRepositories | ManageNote
Read | GitRepositories | GenericRead
Rewrite and destroy history (force push) | GitRepositories | ForcePush
Tag Creation | GitRepositories | CreateTag

Identity Specifiers

You can reference an identity by using one of the notations in the following table.

Identity specifier | Description | Example
sid:Sid | References the identity that has the specified security identifier (SID). | sid:S-1-5-21-2127521184-1604012920-1887927527-588340
n:[Domain\]Name | References the identity that has the specified name. For Windows, Name is the account name. If the referenced identity is in a domain, the domain name is required. For application groups, Name is the group display name, and Domain is the URI or GUID of the containing project. In this context, if Domain is omitted, the scope is assumed to be at the collection level. | To reference the identity of the user "John Peoples" in the domain "Datum1" at the fictitious company "A. Datum Corporation": n:DATUM1\jpeoples. To reference application groups: n:"Full-time Employees" or n:00a10d23-7d45-4439-981b-d3b3e0b0b1ee\Vendors
adm:[Scope] | References the administrative application group for the scope, such as "Team Foundation Administrators" for the server level or "Project Collection Administrators" at the collection level. The optional parameter Scope is a project URI or URL, including its GUID and connection string. If Scope is omitted, the server or collection scope is assumed based on whether the /instance or /server parameter is used. In either case, the colon is still required. | adm:vstfs:///Classification/TeamProject/GUID
srv: | References the application group for service accounts. | Not applicable
all: | References all groups and identities. | Not applicable
String | References an unqualified string. If String starts with S-1-, it is identified as a SID. If String starts with CN= or LDAP://, it is identified as a distinguished name. Otherwise, String is identified as a name. | "Team testers"

Type Markers

The following markers are used to identify types of identities and ACEs in output messages.

Identity type markers

Identity type marker | Description
U | Windows user.
G | Windows group.
A | Team Foundation Server (TFS) application group.
a [A] | Administrative application group.
s [A] | Service account application group.
X | Identity is not valid.
? | Identity is unknown.

Access control entry markers

Access control entry marker | Description
+ | ALLOW access control entry.
- | DENY access control entry.
* [] | Inherited access control entry.