Change access levels

Last Update: 6/14/2017

TFS 2017 | TFS 2015 | TFS 2013

IMPORTANT

This topic applies to managing access levels for team projects defined on an on-premises Team Foundation Server (TFS). To manage access levels for Team Services, see Manage users and access in Visual Studio Team Services. For Team Services feature availability, see the Visual Studio Team Services Feature Matrix.

To connect and use the functions and features that TFS provides, users must be added to a group with the appropriate permissions. To use select web portal features, they must also belong to the access level that enables access to that feature.

When you add a user or group to a team or team project, they're automatically granted access to those features supported by the default access level, which is Basic. This provides most users all the features they need. For a simplified overview of the permissions assigned to the most common groups—Readers, Contributors, and Project Administrators—as well as the Stakeholder access group, see Permissions and access.

Make sure to set each user's access level based on what you've purchased for that user. Basic access includes all Stakeholder features. Advanced and VS Enterprise access levels include all Basic features. In the images provided below, the circled features indicate the features made available from the previous access level.

  • Assign Basic, the default access level, to users with a TFS client access license (CAL). Basic provides access to most features, except for Test. All Visual Studio subscriptions and paid Team Services users include a TFS CAL. Find out more about licensing from the Team Foundation Server pricing page.
    Basic access features
  • Assign Stakeholder access to those users who need to enter bugs, view backlogs, boards, charts, and dashboards, but who don't have a TFS CAL.
    Stakeholder access features
    Stakeholder access is free. Stakeholders can also view releases and manage release approvals. See Stakeholder access for details of features available to stakeholders.
  • For TFS 2013 and TFS 2015 versions, assign Advanced access to those users for whom you've purchased the full Test feature set. Here are the purchasing options:
    Advanced access features
    • Higher-level Visual Studio subscriptions: Visual Studio Test Professional, Visual Studio Enterprise, or MSDN platform subscriptions. These include a TFS CAL plus the rights to access the full set of Test features.
    • A paid Visual Studio Team Services user (which includes a TFS CAL) plus the Test Manager extension.
  • For TFS 2017.2, assign Advanced access to those users for whom you've purchased MSDN Platform or Visual Studio Test Professional subscriptions. These include a TFS CAL plus the rights to access Test Manager. To learn more, see Get extensions for TFS, Assign paid extension access to users.
    TFS 2017.2, Advanced Access
    Note: The Advanced access level will be deprecated for future versions of TFS. Use the VS Enterprise access level only for active Visual Studio Enterprise subscribers. For MSDN Platforms and Visual Studio Test Professional with MSDN subscribers needing access to the Test hub, assign them to the Advanced access level and the Test Manager extension.
  • For TFS 2017 versions, assign VS Enterprise access to those users for whom you've purchased Visual Studio Enterprise. These include a TFS CAL plus the rights to access VS Enterprise features. (For users with MSDN subscriptions or Test Professional, assign the Basic access level and the Test Manager extension.) To learn more, see Get extensions for TFS, Assign paid extension access to users. For example, for users with Visual Studio Test Professional or Visual Studio Enterprise, assign them access to the Test Manager extension.
    VS Enterprise access features

Manage access

You manage access levels for all collections defined on the application tier for TFS. The default access level you set applies to all team projects defined for all collections. Users or groups that you add to teams, team projects, or collections are granted the access level that you set as the default. To change the access level for a specific group or user, you add them specifically to one of the other, non-default access levels.

Set the access level for a user or group

IMPORTANT

Even if you set a user or group's access level, you must add them to a team project collection or team project for them to connect to TFS and access features available through a supported client or the web portal.

If you're managing access for a large group of users, a best practice is to first create either a Windows group or TFS group and add individuals to those groups.

NOTE

The images you see from your web portal may differ from the images you see in this topic. These differences result from updates made to your on-premises TFS. However, the basic functionality available to you remains the same unless explicitly mentioned.

From a user context, open the admin context by clicking the gear Settings icon. The tabs and pages available differ depending on which admin context you access.

  1. From the web portal home page for a team project (for example, http://MyServer:8080/tfs/DefaultCollection/MyProject/), open the Server Settings administration context.


    TFS 2017, Web portal, open the Server settings admin context
  2. From the Access levels page, select the access level you want to manage. For example, here we click Add to add a group to Stakeholder access.


    TFS 2017, Web portal, Server settings admin context, Access levels, Stakeholder access level, Add user or group

    If you don't see the Access levels tab, you aren't a TFS administrator and don't have permission. Here's how to get permissions.



  1. From the web portal home page for a team project (for example, http://MyServer:8080/tfs/DefaultCollection/MyProject/), open the administration context.


    Open the administration page
  2. From the Access levels page, select the access level you want to manage. For example, here we add a group to Stakeholder access.


    Stakeholder access level, Add Windows user or group

    If you don't see the Access levels tab, you aren't a TFS administrator and don't have permission. Here's how to get permissions.


Change the default access level

Change the default access level to match the access you have licenses for. If you change the default access level to Stakeholder, all users not explicitly added to the Basic or Advanced level will be limited to the features provided through Stakeholder access.

IMPORTANT

Service accounts are added to the default access level. If you set Stakeholder as the default access level, you must add the TFS service accounts to the Basic or Advanced group.

You set an access level from its page. Click Set as default access level as shown.

Admin context, Control panel, Access levels, Stakeholder tab, set as default access level

List users and groups who have access

You can get a list of users and groups that have access to the server by exporting the audit log. The audit log also indicates which access level has been granted.

  1. From the Access levels page, export the audit log.

    Control panel, admin context, Export audit log

  2. Save the downloaded audit log .csv file to a folder.

  3. You can open the file in Excel and determine the access level assigned to each group or user.

Guide to features and access levels

You can learn more about each of the features you have access to from the following topics. Basic includes all features supported by Stakeholder, and Advanced includes access to all features supported by Basic.

Stakeholder access (note 1)

Advanced access
(TFS 2017, TFS 2015, TFS 2013)

Advanced access will be deprecated in future versions of TFS.

VS Enterprise (TFS 2017)

  • Microsoft published TFS Extensions (note 10)

Notes:

  1. With Stakeholder access, users can create and modify all work items, and can create and save queries on all work items under their My Queries folder. (This is a change from Limited access in which users could create and modify only those work items that they created and query and view work items they created.) Also, stakeholders can create and modify work items using Team Foundation clients such as Visual Studio Community, Microsoft Excel, Microsoft Project, and Microsoft Feedback Client.
  2. Standard features include access to the Home and Work hubs.
  3. Includes all backlogs and boards, including product, portfolio, and sprint backlogs and Kanban and sprint task boards. Can add work items to backlogs, which appear at the bottom of the list. Can't reorder items on the page or use some other features. See Stakeholder access for details.
  4. Release Management is in preview and available when you upgrade your application server to TFS 2015 Update 2 or later version.
  5. Basic access allows you to access the Code, Build, and Test hubs in addition to the Home and Work hubs.
  6. Request and manage feedback is now available within the Basic access level when you upgrade your application server to TFS 2015 Update 1 or later version.
  7. You can open the Admin context and view and modify settings provided you are a team, project, or project collection administrator. See Administer account features.
  8. Advanced home page allows you to configure and view the Welcome page in addition to team dashboards.
  9. You can purchase Test Manager extensions and assign to user accounts to gain full access to web-based Test case management tools.
  10. With VS Enterprise access, users have access to any fee-based Marketplace extension published by Microsoft that is included for active Visual Studio Enterprise subscribers. Examples include Package Management (which is also free for 5 users who are not Visual Studio Enterprise subscribers) and Test Manager.

Permissions versus access levels

As previously mentioned, setting the access level for users or groups doesn't provide them access to a team project or the web portal. Only users or groups added to a team or TFS group can connect to a team project and the web portal. Make sure your users have both the permissions and the access level they need. You do this by making sure they're added to the team project or as a team member.

TFS controls access through these three inter-connected functional areas:

  • Access level management controls access to features provided via the web portal, the web application for TFS. Based on what has been purchased for a user, administrators set the user's access level to Basic, Advanced, or Stakeholder (previously labeled Standard, Full, and Limited).

  • Membership management supports adding individual Windows user accounts and groups to default TFS groups. Also, you can create TFS groups. Each default TFS group is associated with a set of default permissions. All users added to any TFS group are added to the Valid Users group. A valid user is someone who can connect to the team project.

  • Permission management controls access to specific functional tasks at different levels of the system. Object-level permissions set permissions on a file, folder, build definition, or a shared query. Permission settings correspond to Allow, Deny, Inherited allow, Inherited deny, and Not set.

Each functional area uses groups to simplify management across the deployment. You add users and groups through the TFS web service administration pages. Permissions are automatically set based on the TFS group that you add users to, or based on the object, project, collection, or server level to which you add groups. On the other hand, access level management controls access for all users and groups at the server level.

Access levels, membership management, and permissions management

You can create local groups or Active Directory (AD) groups to manage your users. If you decide to use groups, make sure that membership in those groups is limited to TFS users. Because group membership can be altered by their owners at any time, if those owners did not consider TFS when they created those groups, their changes to membership can cause unwanted side effects within TFS.

Here's what you need to know about permission settings:

  • Allow or Deny explicitly grants or restricts a user's ability to perform specific tasks, and is usually inherited from group membership.

  • Not set implicitly denies users the ability to perform tasks that require that permission, but allows membership in a group that does have that permission set to take precedence, also known as Inherited allow and Inherited deny.

  • For most groups and almost all permissions, Deny trumps Allow. If a user belongs to two groups, and one of them has a specific permission set to Deny, that user will not be able to perform tasks that require that permission even if they belong to a group that has that permission set to Allow.

    For members of the Project Collection Administrators or Team Foundation Administrators groups, Deny doesn't trump Allow. Permissions assigned to these groups take precedence over any Deny set within any other group to which that member might belong.

  • Changing a permission for a group changes that permission for all users who are granted that permission through their membership in that group. In other words, depending on the size of the group, you might affect the ability of hundreds of users to do their jobs by changing just one permission. So make sure you understand the impact before you make a change.
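The precedence rules above, together with the warning about group-wide changes, can be checked before you touch a setting. The following is an added example, not TFS code: it models only the group-membership rules stated in this topic (no object hierarchy), and the user names, the `Contractors` group, and the helper names `effective` and `impact_of_change` are assumptions made for illustration.

```python
from enum import Enum
class Setting(Enum):
    ALLOW = "Allow"
    DENY = "Deny"
    NOT_SET = "Not set"

# The two groups the page exempts from "Deny trumps Allow".
ADMIN_GROUPS = {"Project Collection Administrators", "Team Foundation Administrators"}

def effective(user_groups, acl, permission):
    """Return (allowed, reason). acl: group -> {permission -> Setting}."""
    found = {g: acl.get(g, {}).get(permission, Setting.NOT_SET) for g in user_groups}
    # 1. An explicit setting on an administrators group outranks other groups.
    for g in sorted(found):
        if g in ADMIN_GROUPS and found[g] is not Setting.NOT_SET:
            return found[g] is Setting.ALLOW, f"{found[g].value} via {g}"
    # 2. Otherwise one Deny beats any number of Allows.
    for wanted in (Setting.DENY, Setting.ALLOW):
        hits = sorted(g for g, s in found.items() if s is wanted)
        if hits:
            return wanted is Setting.ALLOW, f"{wanted.value} via {hits[0]}"
    # 3. Not set in every group: implicit deny.
    return False, "Not set (implicit deny)"

def impact_of_change(members, acl, group, permission, new_setting):
    """Users whose effective result flips if `group` is given `new_setting`."""
    changed = {g: dict(p) for g, p in acl.items()}
    changed.setdefault(group, {})[permission] = new_setting
    flipped = []
    for user, groups in sorted(members.items()):
        before = effective(groups, acl, permission)[0]
        after = effective(groups, changed, permission)[0]
        if before != after:
            flipped.append((user, before, after))
    return flipped

# Constructed sample data; user names, "Contractors" and PERM are placeholders.
PERM = "Edit build definition"
MEMBERS = {
    "alice": ["Contributors", "Contractors"],
    "bob": ["Contributors"],
    "carol": ["Contractors", "Project Collection Administrators"],
    "dave": ["Readers"],
}
ACL = {
    "Contributors": {PERM: Setting.ALLOW},
    "Contractors": {PERM: Setting.DENY},
    "Project Collection Administrators": {PERM: Setting.ALLOW},
}
```

Calling `impact_of_change(MEMBERS, ACL, "Contributors", PERM, Setting.DENY)` lists every user who would lose the permission, which is the check to run before changing a setting on a large group.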

Two useful tips for understanding the effects of change: The Member of tab shows the groups that an individual user or group belongs to. You can also hover over an inherited permission, and a Why? icon will appear. If you choose it, a dialog box will open with more information.

Control panel, team project, Security tab, Contributors group, permissions

To learn all about what's new in TFS, see What's new.

To get started, manage permissions, or learn more about features made available through access to TFS, see these topics:

Build, test, release

- Build
- Test
- Release

Within the admin context, there are several hubs which support administering features at the team, project, or project collection level. You can learn more from these resources:

Access to the Test hub and Marketplace extensions

Full access to the Test hub requires Advanced (TFS 2015) or VS Enterprise (TFS 2017) access. Visual Studio Test Professional plus the Test hub features in the TFS web portal are managed through Visual Studio Team Services, Azure billing services, and purchase of Test Manager extensions from the Marketplace.

To learn how to grant access to an extension, see Get extensions for TFS.

What features are accessible to users who belong to two different groups?

If a user belongs to a group that has Basic access and another group that has Advanced access, the user has access to all features available through Advanced, which is a superset of Basic.

Service account access

TFS service accounts are added to the default access level. If you make Stakeholder the default access level, you must set the TFS service accounts to Basic or Advanced/VS Enterprise access.

Service accounts don't require a TFS CAL or other purchase.
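Before making Stakeholder the default, you can check an exported audit log for service accounts that would drop to Stakeholder, and confirm how a user in two groups resolves. This is an added example, not part of TFS: the CSV column names `Name` and `Access Level`, the account and group names, and the membership map are assumptions and constructed sample data.

```python
import csv
import io

# Basic includes Stakeholder; Advanced and VS Enterprise both include Basic.
# The page does not rank Advanced against VS Enterprise, so they share a rank.
RANK = {"Stakeholder": 0, "Basic": 1, "Advanced": 2, "VS Enterprise": 2}

def load_explicit_levels(csv_text):
    """Map identity -> explicitly assigned access level from an exported log.

    The headers "Name" and "Access Level" are assumed; adjust them to match
    the headers in your own export.
    """
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["Name"].strip(): r["Access Level"].strip() for r in rows}

def effective_level(identity, groups, explicit, default):
    """Highest level granted directly or through any group, else the default."""
    granted = [explicit[n] for n in [identity, *groups] if n in explicit]
    return max(granted, key=RANK.__getitem__) if granted else default

def service_accounts_at_risk(service_accounts, memberships, explicit, default):
    """Service accounts that would end up with only Stakeholder access."""
    return sorted(
        acct for acct in service_accounts
        if effective_level(acct, memberships.get(acct, []), explicit, default)
        == "Stakeholder"
    )

# Constructed sample export and group memberships (not real data).
SAMPLE_EXPORT = """Name,Access Level
CONTOSO\\TFS Testers,Advanced
CONTOSO\\Developers,Basic
CONTOSO\\svc-tfsbuild,Basic
CONTOSO\\Business Reviewers,Stakeholder
"""
MEMBERSHIPS = {
    "CONTOSO\\jamal": ["CONTOSO\\Developers", "CONTOSO\\TFS Testers"],
    "CONTOSO\\svc-tfsservice": [],
    "CONTOSO\\svc-tfsbuild": [],
}
```

With the sample data and a proposed default of Stakeholder, `service_accounts_at_risk` reports `CONTOSO\svc-tfsservice`, the account that still needs to be added to Basic or Advanced.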