TFS 2017 | TFS 2015 | Previous versions
To connect and use the functions and features that Team Services or TFS provides, users must be added to a group with the appropriate permissions. To access select web portal features, they must also belong to one or more access levels.
Access levels determine which web portal features users or groups can access from an on-premises TFS. When you add a user or group to a team or team project, they're automatically granted access to those features supported by the default access level, which is Basic. This provides most users all the features they need. For a simplified overview of the permissions assigned to the most common groups (Readers, Contributors, and Project Administrators) as well as the Stakeholder access group, see Permissions and access.
This topic applies to managing access levels for team projects defined on an on-premises Team Foundation Server (TFS). Although the same access levels exist in both on-premises and the cloud, the features available with each might differ.
To manage access levels for Team Services, see Manage users and access in Visual Studio Team Services. See the Visual Studio Team Services Feature Matrix for Team Services feature availability.
Make sure to set each user's access level based on what you've purchased for that user. Basic access includes all Stakeholder features, and Advanced access includes all Basic features.
- Assign Basic, the default access level, to users with a TFS client access license (CAL).
  Basic provides access to most features, except for Test.
  All Visual Studio subscriptions and paid Team Services users include a TFS CAL.
  Find out more about licensing from the Visual Studio licensing white paper.
- Assign Stakeholder access to those users who need to enter bugs, view backlogs, boards, charts, and dashboards, but who don't have a TFS CAL.
- For TFS 2015, assign Advanced access to those users for whom you've purchased the full Test feature set. Here are the purchasing options:
  - Higher-level Visual Studio subscriptions: Visual Studio Test Professional, Visual Studio Enterprise, or MSDN platform subscriptions. These include a TFS CAL plus the rights to access the full set of Test features.
  - A paid Visual Studio Team Services user (which includes a TFS CAL) plus the Test Manager extension.
  Note: The Advanced access level is deprecated for TFS 2017 and later versions. Use the VS Enterprise access level to support access to premium features.
- For TFS 2017, assign VS Enterprise access to those users for whom you've purchased Visual Studio Enterprise or MSDN platform subscriptions. These include a TFS CAL plus the rights to access VS Enterprise features.
You manage access levels for all collections defined on the application tier for TFS. The default access level you set applies to all team projects defined for all collections. Users or groups that you add to teams, team projects, or collections are granted the access level that you set as the default. To change the access level for a specific group or user, you add them specifically to one of the access levels.
Set the access level for a user or group
Even if you set a user or group’s access level, you must add them to a team project collection or team project for them to connect to TFS and access features available through a supported client or the web portal.
If you’re managing access for a large group of users, a best practice is to first create either a Windows group or TFS group and add individuals to those groups.
The images you see from your web portal may differ from the images you see in this topic. These differences result from updates made to Team Services or your on-premises TFS. However, the basic functionality available to you remains the same unless explicitly mentioned.
From the web portal home page (for example, http://MyServer:8080/tfs), open the administration context.
From the Access levels page, select the access level you want to manage. For example, here we add a group to Stakeholder access.
If you don’t see the Access levels tab, you aren't a TFS administrator and don’t have permission. Here’s how to get permissions.
Change the default access level
Change the default access level to match the access you have licenses for. If you change the default access level to Stakeholder, all users not explicitly added to the Basic or Advanced level will be limited to the features provided through Stakeholder access.
Service accounts are added to the default access level. If you set Stakeholder as the default access level, you must add the TFS service accounts to the Basic or Advanced group.
You set an access level from its page. Click Set as default access level as shown.
List users and groups who have access
You can get a list of users and groups that have access to the server by exporting the audit log. The audit log also indicates which access level has been granted.
From the Access levels page, export the audit log.
Save the downloaded audit log .csv file to a folder.
You can open the file in Excel and determine the access level assigned to each group or user.
Guide to features and access levels
You can learn more about each of the features you have access to from the following topics. Basic includes all features supported by Stakeholder, and Advanced includes access to all features supported by Basic.
Stakeholder access (note 1)
Basic access (note 5)
- Basic & Advanced backlog and sprint planning tools
- Request and manage feedback (note 6)
- Chart viewing & Chart authoring
- Code: Git and TFVC
- Administer account (note 7)
- Advanced home page (note 8)
- Web-based test execution
- Create and manage releases (note 4)
- Advanced portfolio management
- Team rooms
- Analyze test results and manage machine groups
Advanced access (TFS 2015)
Advanced access is no longer supported for TFS 2017 and later versions.
VS Enterprise (TFS 2017)
- Microsoft published TFS Extensions (note 10)
Notes:
1. With Stakeholder access, users can create and modify all work items, and can create and save queries on all work items under their My Queries folder. (This is a change from Limited access in which users could create and modify only those work items that they created and query and view work items they created.) Also, stakeholders can create and modify work items using Team Foundation clients such as Visual Studio Community, Microsoft Excel, Microsoft Project, and Microsoft Feedback Client.
2. Standard features include access to the Home and Work hubs.
3. Includes all backlogs and boards, including product, portfolio, and sprint backlogs and Kanban and sprint task boards. Can add work items to backlogs, which appear at the bottom of the list. Can’t reorder items on the page or use some other features. See Stakeholder access for details.
4. Release Management is in preview and available when you upgrade your application server to TFS 2015 Update 2 or later version.
5. Basic access allows you to access the Code, Build, and Test hubs in addition to the Home and Work hubs.
6. Request and manage feedback is now available within the Basic access level when you upgrade your application server to TFS 2015 Update 1 or later version.
7. You can open the Admin context and view and modify settings provided you are a team, project, or project collection administrator. See Administer account features.
8. Advanced home page allows you to configure and view the Welcome page in addition to team dashboards.
9. You can purchase Test Manager extensions and assign to user accounts to gain full access to web-based Test case management tools.
10. With VS Enterprise access, users have access to any fee-based, Marketplace extension published by Microsoft. Examples include Package Management (free for the first 5 users) and Test Manager.
Permissions versus access levels
As previously mentioned, setting the access level for users or groups doesn't provide them access to a team project or the web portal. Only users or groups added to a team or TFS group can connect to a team project and the web portal. Make sure your users have both the permissions and the access level they need. You do this by making sure they're added to the team project or as a team member.
TFS controls access through these three inter-connected functional areas:
Access level management controls access to features provided via the web portal, the web application for TFS. Based on what has been purchased for a user, administrators set the user's access level to Basic, Advanced, or Stakeholder (previously labeled Standard, Full, and Limited).
Membership management supports adding individual Windows user accounts and groups to default TFS groups. Also, you can create TFS groups. Each default TFS group is associated with a set of default permissions. All users added to any TFS group are added to the Valid Users group. A valid user is someone who can connect to the team project.
Permission management controls access to specific functional tasks at different levels of the system. Object-level permissions set permissions on a file, folder, build definition, or a shared query. Permission settings correspond to Allow, Deny, Inherited allow, Inherited deny, and Not set.
Each functional area uses groups to simplify management across the deployment. You add users and groups through the TFS web service administration pages. Permissions are automatically set based on the TFS group that you add users to, or based on the object, project, collection, or server level to which you add groups. On the other hand, access level management controls access for all users and groups at the server level.
You can create local groups or Active Directory (AD) groups to manage your users. If you decide to use groups, make sure that membership in those groups is limited to TFS users. Because group membership can be altered by their owners at any time, if those owners did not consider TFS when they created those groups, their changes to membership can cause unwanted side effects within TFS.
Here’s what you need to know about permission settings:
Allow or Deny explicitly grants or restricts a user's ability to perform specific tasks. These settings are usually inherited from group membership.
Not set implicitly denies users the ability to perform tasks that require that permission, but lets membership in a group that does have that permission set take precedence. Settings that take effect this way are shown as Inherited allow and Inherited deny.
For most groups and almost all permissions, Deny trumps Allow. If a user belongs to two groups, and one of them has a specific permission set to Deny, that user will not be able to perform tasks that require that permission even if they belong to a group that has that permission set to Allow.
For members of the Project Collection Administrators or Team Foundation Administrators groups, Deny doesn’t trump Allow. Permissions assigned to these groups take precedence over any Deny set within any other group to which that member might belong.
Changing a permission for a group changes that permission for all users who are granted that permission through their membership in that group. In other words, depending on the size of the group, you might affect the ability of hundreds of users to do their jobs by changing just one permission. So make sure you understand the impact before you make a change.
Two useful tips for understanding the effects of change: The Member of tab shows the groups that an individual user or group belongs to. You can also hover over an inherited permission, and a Why? icon will appear. If you choose it, a dialog box will open with more information.
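The precedence rules above can be checked against a proposed group layout before it is applied. The following is an added example, not TFS code: it models the rules as stated here and treats every permission alike (the page says Deny wins for "most groups and almost all permissions"). The group settings and the permission name `ExamplePermission` are constructed placeholders.

```python
from enum import Enum


class Setting(Enum):
    ALLOW = "Allow"
    DENY = "Deny"
    NOT_SET = "Not set"


# Groups named on this page whose Allow is not overridden by a Deny elsewhere.
ADMIN_GROUPS = {"Project Collection Administrators", "Team Foundation Administrators"}

# Constructed sample data: {group: {permission: Setting}}. A missing entry means Not set.
GROUP_SETTINGS = {
    "Contributors": {"ExamplePermission": Setting.ALLOW},
    "Contractors": {"ExamplePermission": Setting.DENY},
    "Project Collection Administrators": {"ExamplePermission": Setting.ALLOW},
}


def effective_permission(user_groups, group_settings, permission):
    """Return (effective Setting, reason) for one permission and one user's groups."""
    allows, denies = [], []
    for group in user_groups:
        setting = group_settings.get(group, {}).get(permission, Setting.NOT_SET)
        if setting is Setting.ALLOW:
            allows.append(group)
        elif setting is Setting.DENY:
            denies.append(group)

    # An Allow held through an administrator group outranks a Deny set in another group.
    admin_allows = [g for g in allows if g in ADMIN_GROUPS]
    if admin_allows:
        return Setting.ALLOW, f"Allow via {admin_allows[0]} overrides any Deny"
    # Otherwise a single Deny in any group wins over every Allow.
    if denies:
        return Setting.DENY, f"Inherited deny from {denies[0]}"
    if allows:
        return Setting.ALLOW, f"Inherited allow from {allows[0]}"
    # No group sets the permission: the task is implicitly denied.
    return Setting.NOT_SET, "Not set in any group (implicit deny)"


if __name__ == "__main__":
    for groups in (["Contributors", "Contractors"],
                   ["Project Collection Administrators", "Contractors"],
                   ["Readers"]):
        setting, reason = effective_permission(groups, GROUP_SETTINGS, "ExamplePermission")
        print(groups, "->", setting.value, "|", reason)
```

The second case is the one to review most carefully: adding an account to an administrator group silently cancels any Deny you set for it elsewhere.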
See these resources to get started, manage permissions, or learn more about features made available through access to TFS.
Plan and track work
Access to the Test hub
Full access to the Test hub requires Advanced access. Visual Studio Test Professional plus the Test hub features in the TFS web portal are managed through Visual Studio Team Services, Azure billing services, and purchase of Test Manager extensions from the Marketplace.
What features are accessible to users who belong to two different groups?
If a user belongs to a group that has Basic access and another group that has Advanced access, the user has access to all features available through Advanced, which is a superset of Basic.
Service account assignments require Basic or Advanced access
TFS service accounts are added to the default access level. If you make Stakeholder the default access level, you must set the TFS service accounts to Basic or Advanced access.
Service accounts don’t require a TFS CAL or other purchase.
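Before changing the default access level, you can work out where each account will land and which service accounts would drop to Stakeholder. This added example (not TFS code) models the rules described on this page for the TFS 2015 levels: an explicit assignment replaces the default, and an account in several levels gets the highest. All account names, group names and assignments are constructed.

```python
# Access levels in ascending order; each includes the features of the one before it.
LEVELS = ["Stakeholder", "Basic", "Advanced"]

# Constructed sample data.
MEMBERSHIPS = {                      # account -> groups it belongs to
    "alice": {"Web Team", "Test Leads"},
    "bob": {"Web Team"},
    "carol": set(),
    "svc-tfsbuild": set(),           # hypothetical service account name
}
LEVEL_ASSIGNMENTS = {                # level -> users/groups explicitly added to it
    "Basic": {"Web Team"},
    "Advanced": {"Test Leads"},
}


def effective_access_level(account, memberships, level_assignments, default_level):
    """Highest level the account holds directly or through a group, else the default."""
    identities = {account} | memberships.get(account, set())
    granted = [lvl for lvl in LEVELS
               if identities & level_assignments.get(lvl, set())]
    if not granted:
        return default_level         # never explicitly added: the default applies
    return max(granted, key=LEVELS.index)


def service_accounts_at_risk(service_accounts, memberships, level_assignments,
                             default_level):
    """Service accounts that resolve to Stakeholder and need Basic or Advanced."""
    return sorted(
        acct for acct in service_accounts
        if effective_access_level(acct, memberships, level_assignments,
                                  default_level) == "Stakeholder"
    )


if __name__ == "__main__":
    for acct in MEMBERSHIPS:
        print(acct, "->", effective_access_level(
            acct, MEMBERSHIPS, LEVEL_ASSIGNMENTS, default_level="Stakeholder"))
    print("Move to Basic or Advanced:", service_accounts_at_risk(
        ["svc-tfsbuild"], MEMBERSHIPS, LEVEL_ASSIGNMENTS, "Stakeholder"))
```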
Where can I learn about the new features added with a service or on-premises upgrade?
Learn all about what's new in Team Services and TFS from the News portal.
Administer account features
Within the admin context, there are several hubs that support administering features at the team, project, or project collection level. You can learn more about administering these features from these resources:
Project collection level
Team project and team level