Restrict access in Team Services and TFS

Last Update: 12/15/2016

Team Services | TFS 2017 | TFS 2015 | TFS 2013

You can restrict access to resources that you manage in TFS or Team Services by setting the permission state to Deny through a security group. For a comprehensive list of default groups and permissions, see Permission reference for Team Foundation Server.


From the Version Control tab in the TWA administration context, you can set permissions for a group or individual.

Permissions page for TF version control


For team projects that use Git for version control, you can set the following permissions.

Permissions page for Git project in admin context

For additional information, see Permission reference for Team Foundation Server.

Build definitions

From the Build hub in TWA, you can set build permissions at the project level for a group or individual.

Security link in Actions menu on Build page

You can set permissions for the build operations shown in the following image.

Permissions page for TF version control

Also, you can set permissions by opening the context menu for a build definition.

For additional information, see Permission reference for Team Foundation Server.

Work items

Changing work items

By setting permissions on an area path, you can deny a group or individual the ability to create or edit work items assigned under an area path.

Set a condition field rule, a condition-based field rule, or a combination of the two that applies to a group. You can restrict changes to a field by specifying a qualifying rule and applying it to a specific group. Conditional rules can include CANNOTLOSEVALUE, EMPTY, FROZEN, NOTSAMEAS, READONLY, and REQUIRED elements.

Creating specific types of work items

You can restrict access in one of two ways:

  • By adding WITs to the Hidden Categories group, you can prevent the majority of project contributors from creating them. You can create a hyperlink to a template that opens the work item form and share that link with those team members who you do want to create them.
  • By adding a field rule to the workflow for the System.CreatedBy field, you can effectively restrict a group of users from creating a work item of a specific type. As the following example shows, the user who creates the work item must belong to the Allowed Group in order to save the work item.

    <TRANSITION from=" " to="New">
       <FIELDS>
          <FIELD refname="System.CreatedBy">
             <VALIDUSER for="Allowed Group" not="Disallowed Group" />
          </FIELD>
       </FIELDS>
    </TRANSITION>

For more information about how to customize WITs, see Modify or add a custom work item type (WIT).
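
To confirm that the System.CreatedBy rule is actually in place, you can check the work item type definitions after exporting them to XML. The following Python script is an added example, not part of the original page or of the product's tooling; the sample definitions, type names and group names are constructed, and it assumes each definition contains a WORKITEMTYPE element with its workflow transitions.

```python
import xml.etree.ElementTree as ET

# Constructed samples: trimmed work item type definitions. Type and group
# names are placeholders, not values from a real project.
RESTRICTED = """<WORKITEMTYPE name="Change Request"><WORKFLOW><TRANSITIONS>
  <TRANSITION from=" " to="New">
    <FIELDS>
      <FIELD refname="System.CreatedBy">
        <VALIDUSER for="Allowed Group" not="Disallowed Group" />
      </FIELD>
    </FIELDS>
  </TRANSITION>
  <TRANSITION from="New" to="Closed" />
</TRANSITIONS></WORKFLOW></WORKITEMTYPE>"""

UNRESTRICTED = """<WORKITEMTYPE name="Task"><WORKFLOW><TRANSITIONS>
  <TRANSITION from="" to="New" />
  <TRANSITION from="New" to="Closed">
    <FIELDS>
      <FIELD refname="System.CreatedBy"><VALIDUSER for="Allowed Group" /></FIELD>
    </FIELDS>
  </TRANSITION>
</TRANSITIONS></WORKFLOW></WORKITEMTYPE>"""

def creation_rules(witd_xml):
    """Return (type name, [(for, not), ...]) for VALIDUSER rules on
    System.CreatedBy in the creation transition (blank 'from' state)."""
    root = ET.fromstring(witd_xml)
    wit = next(root.iter("WORKITEMTYPE"))  # matches the root or a child
    rules = []
    for transition in wit.iter("TRANSITION"):
        if transition.get("from", "").strip():
            continue  # later transition: a rule here does not gate creation
        for field in transition.iter("FIELD"):
            if field.get("refname") == "System.CreatedBy":
                rules += [(v.get("for"), v.get("not"))
                          for v in field.findall("VALIDUSER")]
    return wit.get("name"), rules

def audit(definitions):
    """Names of types whose creation is not limited to an allowed group."""
    findings = []
    for xml_text in definitions:
        name, rules = creation_rules(xml_text)
        if not any(allowed for allowed, _ in rules):
            findings.append(name)
    return findings
```

A type is reported when the rule is missing or sits on a transition other than the initial one, as in the second sample, where the VALIDUSER element does not restrict who can create the work item.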

Work item queries

Set permissions on a shared query or query folder to restrict who can modify the query or queries within the folder.