Change access levels

Last Update: 11/18/2016

TFS 2017 | TFS 2015 | Previous versions

Feature availability: Managing access levels applies to team projects hosted on an on-premises Team Foundation Server (TFS). For Visual Studio Team Services, you get 5 free users and can purchase more as needed. Although the same access levels exist in both on-premises and the cloud, the features available with each might differ. See the Visual Studio Team Services Feature Matrix for Team Services feature availability.

Access levels determine which TFS web portal features users or groups can access. When you add a user or group to a team or team project, they're automatically granted access to those features supported by the default access level, which is Basic. This provides most users all the features they need.

Make sure to set each user's access level based on what you've purchased for that user:

  • Assign Basic, the default access level, to users with a TFS client access license (CAL). Basic provides access to most features, except for Test. All Visual Studio subscriptions and paid Team Services users include a TFS CAL. Find out more about licensing from the Visual Studio licensing white paper.

  • Assign Stakeholder access to those users who need to enter bugs, view backlogs, boards, charts, and dashboards, but who don't have a TFS CAL. Stakeholder access is free. Stakeholders can also view releases and manage release approvals. See Stakeholder access for details of features available to stakeholders.

  • Assign Advanced access to those users for whom you've purchased the full Test feature set. Here are the purchasing options:

    • Higher-level Visual Studio subscriptions: Visual Studio Test Professional, Visual Studio Enterprise, or MSDN platform subscriptions. These include a TFS CAL plus the rights to access the full set of Test features.
    • A paid Visual Studio Team Services user (which includes a TFS CAL) plus the Test Manager extension.

If you need to add more TFS users or get access to the test features in the Test hub, see Buy access to Team Foundation Server or the Test hub.

Manage access

You manage access levels for all collections hosted on the application tier for TFS. The default access level you set applies to all team projects defined for all collections. Users or groups that you add to teams, team projects, or collections are granted the access level that you set as the default. To change the access level for a specific group or user, you add them specifically to one of the access levels.

Set the access level for a user or group

Note: Even if you set a user or group’s access level, you must add them to a team project collection or team project for them to connect to TFS and access features available through a supported client or the web portal.

If you’re managing access for a large group of users, a best practice is to first create either a Windows group or TFS group and add individuals to those groups.

  1. From the web portal home page (for example, http://MyServer:8080/tfs), open the administration context.

    Open the administration page

  2. From the Access levels page, select the access level you want to manage. For example, here we add a group to Stakeholder access.

    Stakeholder access level, Add Windows user or group

    If you don’t see the Access levels tab, you aren't a TFS administrator and don’t have permission. Here’s how to get permissions.

Change the default access level

Change the default access level to match the access you have licenses for. If you change the default access level to Stakeholder, all users not explicitly added to the Basic or Advanced level will be limited to the features provided through Stakeholder access.

Important: Service accounts are added to the default access level. If you set Stakeholder as the default access level, you must add the TFS service accounts to the Basic or Advanced group.

You set an access level from its page. Click Set as default access level as shown.

Admin context, Control panel, Access levels, Stakeholder tab, set as default access level

List users and groups who have access

You can get a list of users and groups that have access to the server by exporting the audit log. The audit log also indicates which access level has been granted.

  1. From the Access levels page, export the audit log.

    Control panel, admin context, Export audit log

  2. Save the downloaded audit log .csv file to a folder.

  3. You can open the file in Excel and determine the access level assigned to each group or user.
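One way to review the exported file without Excel, as an added example that is not part of the original documentation: it treats an identity's highest listed level as effective (Advanced includes Basic, which includes Stakeholder) and flags service accounts left at Stakeholder and Advanced assignments with no recorded purchase. The column names, the sample rows, and the `service_accounts` and `advanced_purchased` inputs are assumptions; adjust them to the header of your own export.

```python
import csv
import io

# Ordering stated on this page: Advanced includes Basic, Basic includes Stakeholder.
RANK = {"Stakeholder": 0, "Basic": 1, "Advanced": 2}

# Constructed sample. The column names are assumptions, not the real export header.
SAMPLE_CSV = """Name,Access Level
CONTOSO\\alice,Basic
CONTOSO\\alice,Advanced
CONTOSO\\bob,Stakeholder
CONTOSO\\svc-tfsbuild,Stakeholder
CONTOSO\\carol,Advanced
"""

def effective_levels(csv_text, name_col="Name", level_col="Access Level"):
    """Map each identity to the highest access level it is listed under."""
    levels = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row[name_col].strip().lower()
        level = row[level_col].strip()
        if level not in RANK:
            raise ValueError(f"unknown access level {level!r} for {name}")
        if name not in levels or RANK[level] > RANK[levels[name]]:
            levels[name] = level
    return levels

def review(csv_text, service_accounts, advanced_purchased):
    """Return (identity, finding) pairs that an access review should follow up."""
    levels = effective_levels(csv_text)
    svc = {s.lower() for s in service_accounts}
    paid = {p.lower() for p in advanced_purchased}
    findings = []
    for name, level in sorted(levels.items()):
        # Service accounts need Basic or Advanced when Stakeholder is the default.
        if name in svc and level == "Stakeholder":
            findings.append((name, "service account limited to Stakeholder"))
        # Advanced should only be assigned where the Test feature set was purchased.
        if level == "Advanced" and name not in paid:
            findings.append((name, "Advanced without a recorded purchase"))
    return findings
```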

Guide to features and access levels

You can learn more about each of the features you have access to from the following topics. Basic includes all features supported by Stakeholder, and Advanced includes access to all features supported by Basic.

Stakeholder access 1

Notes:

  1. With Stakeholder access, users can create and modify all work items, and can create and save queries on all work items under their My Queries folder. (This is a change from Limited access in which users could create and modify only those work items that they created and query and view work items they created.) Also, stakeholders can create and modify work items using Team Foundation clients such as Visual Studio Community, Microsoft Excel, Microsoft Project, and Microsoft Feedback Client.
  2. Standard features include access to the Home and Work hubs.
  3. Includes all backlogs and boards, including product, portfolio, and sprint backlogs and Kanban and sprint task boards. Can add work items to backlogs, which appear at the bottom of the list. Can’t reorder items on the page or use some other features. See Stakeholder access for details.
  4. Release Management is in preview and available when you upgrade your application server to TFS 2015 Update 2 or later version.
  5. Basic access allows you to access the Code, Build, and Test hubs in addition to the Home and Work hubs.
  6. Request and manage feedback is now available within the Basic access level when you upgrade your application server to TFS 2015 Update 1 or later version.
  7. You can open the Admin context and view and modify settings provided you are a team, project, or project collection administrator. See Administer account features.
  8. Advanced home page allows you to configure and view the Welcome page in addition to team dashboards.
  9. You can purchase Test Manager extensions and assign to user accounts to gain full access to web-based Test case management tools.

Permissions versus access levels

As previously mentioned, setting the access level for users or groups doesn't provide them access to a team project or the web portal. Only users or groups added to a team or TFS group can connect to a team project and the web portal. Make sure your users have both the permissions and the access level they need. You do this by making sure they're added to the team project or as a team member.

TFS controls access through these three inter-connected functional areas:

  • Access level management controls access to features provided via the web portal, the web application for TFS. Based on what has been purchased for a user, administrators set the user's access level to Basic, Advanced, or Stakeholder (previously labeled Standard, Full, and Limited).

  • Membership management supports adding individual Windows user accounts and groups to default TFS groups. Also, you can create TFS groups. Each default TFS group is associated with a set of default permissions. All users added to any TFS group are added to the Valid Users group. A valid user is someone who can connect to the team project.

  • Permission management controls access to specific functional tasks at different levels of the system. Object-level permissions set permissions on a file, folder, build definition, or a shared query. Permission settings correspond to Allow, Deny, Inherited allow, Inherited deny, and Not set.

Each functional area uses groups to simplify management across the deployment. You add users and groups through the TFS web service administration pages. Permissions are automatically set based on the TFS group that you add users to, or based on the object, project, collection, or server level to which you add groups. On the other hand, access level management controls access for all users and groups at the server level.

Access levels, membership management, and permissions management

You can create local groups or Active Directory (AD) groups to manage your users. If you decide to use groups, make sure that membership in those groups is limited to TFS users. Because group membership can be altered by their owners at any time, if those owners did not consider TFS when they created those groups, their changes to membership can cause unwanted side effects within TFS.

Here’s what you need to know about permission settings:

  • Allow or Deny explicitly grants or restricts a user's ability to perform specific tasks, and is usually inherited from group membership.

  • Not set implicitly denies users the ability to perform tasks that require that permission, but lets the setting from membership in a group that does have that permission set take precedence. That inherited setting is known as Inherited allow or Inherited deny.

  • For most groups and almost all permissions, Deny trumps Allow. If a user belongs to two groups, and one of them has a specific permission set to Deny, that user will not be able to perform tasks that require that permission even if they belong to a group that has that permission set to Allow.

    For members of the Project Collection Administrators or Team Foundation Administrators groups, Deny doesn’t trump Allow. Permissions assigned to these groups take precedence over any Deny set within any other group to which that member might belong.

  • Changing a permission for a group changes that permission for all users who are granted that permission through their membership in that group. In other words, depending on the size of the group, you might affect the ability of hundreds of users to do their jobs by changing just one permission. So make sure you understand the impact before you make a change.
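The rules above as a small model, added here as an example and not TFS's own evaluation code: it resolves one permission from group settings only and lists the users whose effective state would change if one group's setting were changed. It assumes flat group membership, and the `Contractors` group, the user names and the sample settings are constructed.

```python
ADMIN_GROUPS = {"Project Collection Administrators", "Team Foundation Administrators"}

def effective(groups, settings, permission):
    """Return 'Inherited allow', 'Inherited deny' or 'Not set' for one user.

    settings maps group -> {permission: 'Allow' | 'Deny'}; a missing entry is Not set.
    """
    found = {g: settings.get(g, {}).get(permission) for g in groups}
    found = {g: s for g, s in found.items() if s is not None}
    bad = [s for s in found.values() if s not in ("Allow", "Deny")]
    if bad:
        raise ValueError(f"unexpected setting {bad[0]!r}")
    # Settings on the two administrator groups take precedence over other groups.
    admin = {s for g, s in found.items() if g in ADMIN_GROUPS}
    if admin:
        return "Inherited deny" if "Deny" in admin else "Inherited allow"
    if "Deny" in found.values():      # Deny trumps Allow
        return "Inherited deny"
    if "Allow" in found.values():
        return "Inherited allow"
    return "Not set"                  # implicit deny

def impact_of_change(memberships, settings, group, permission, new_setting):
    """List users whose effective state changes if `group` gets `new_setting`."""
    changed = {g: dict(p) for g, p in settings.items()}   # leave the input untouched
    changed.setdefault(group, {})[permission] = new_setting
    result = {}
    for user, groups in memberships.items():
        before = effective(groups, settings, permission)
        after = effective(groups, changed, permission)
        if before != after:
            result[user] = (before, after)
    return result

# Constructed sample data; "Contractors" and the user names are hypothetical.
MEMBERSHIPS = {
    "alice": {"Contributors"},
    "bob": {"Contributors", "Contractors"},
    "carol": {"Contributors", "Contractors", "Project Collection Administrators"},
}
SETTINGS = {
    "Contributors": {"Edit build definition": "Allow"},
    "Project Collection Administrators": {"Edit build definition": "Allow"},
}
```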

Two useful tips for understanding the effects of change: The Member of tab shows the groups that an individual user or group belongs to. You can also hover over an inherited permission, and a Why? icon will appear. If you choose it, a dialog box will open with more information.

Control panel, team project, Security tab, Contributors group, permissions

See these resources to get started, manage permissions, or learn more about features made available through access to TFS.

Get started

Build, test, release

Access to the Test hub

Full access to the Test hub requires Advanced access. Visual Studio Test Professional plus the Test hub features in the TFS web portal are managed through Visual Studio Team Services, Azure billing services, and purchase of Test Manager extensions from the Marketplace.

See how to buy Team Services extensions from the Visual Studio Marketplace.

What features are accessible to users who belong to two different groups?

If a user belongs to a group that has Basic access and another group that has Advanced access, the user has access to all features available through Advanced, which is a superset of Basic.

Service account assignments require Basic or Advanced access

TFS service accounts are added to the default access level. If you make Stakeholder the default access level, you must set the TFS service accounts to Basic or Advanced access.

Service accounts don’t require a TFS CAL or other purchase.

Where can I learn about the new features added with a service or on-premises upgrade?

Learn all about what's new in Team Services and TFS from the News portal.

Administer account features

Within the admin context, there are several hubs that support administering features at the team, project, or project collection level. You can learn more about administering these features from these resources: