Server-Level Groups

  • Article

You can use the default groups that are created at the server-level, or you can create custom server-level groups to align with your business needs. You create server-level groups directly on the application-tier server, either by using the administration console for Team Foundation or by using the TFSSecurity command-line utility. Server-level groups have permissions across the server and are not specific to any team project collection or team project. These groups differ from team project groups, which are associated with a specific project, and to team project collection groups, which are specific to a collection. You can assign server-level groups permissions to perform tasks that affect the whole server, such as creating team project collections.

In this topic

  • Default Groups At the Server Level

  • Creating and Managing Custom Groups at the Server Level

  • Managing Permissions for Server-Level Groups

  • Managing Users and Groups in Server-Level Groups

Default Groups at the Server Level

By default, the following groups are created at the server level when you install Visual Studio Team Foundation Server:

Name

Users

Description

SharePoint Web Application Services

Service accounts for SharePoint Products. If you installed SharePoint Products as part of installing Team Foundation Server, the service account that you specified during installation will be populated as a member of this group.

This group has service-level permissions that are required for interoperation with SharePoint Products. If your deployment of Team Foundation Server does not include SharePoint Products, this group should be empty. This group should only contain service accounts. Do not add user accounts to this group.

Team Foundation Administrators

Administrators for Team Foundation Server. The account that you use when you install Team Foundation Server is automatically a member of this group.

This group is the most powerful user group in Team Foundation Server. Members of this group can perform all tasks in Team Foundation Server at the server level, the collection level, and the project level. You should limit membership in this group to only those users who must administer the deployment of Team Foundation Server.

Team Foundation Service Accounts

Service accounts for Team Foundation Server. The service account that you specified for Team Foundation Server during installation will be populated as a member of this group. By default, the system account Network Service is used.

This group has service-level permissions that are required for Team Foundation Server and its services, such as the Visual Studio Team Foundation Background Job Agent. This group should contain only service accounts. Do not add user accounts to this group.

Team Foundation Valid Users

All accounts that have access to the deployment of Team Foundation Server.

You cannot directly modify membership in this group. This group automatically contains all users and groups that have been added anywhere within Team Foundation Server.

Work Item Only View Users

Users whose Web access to Team Foundation Server is restricted to viewing work items.

This group is restricted from using the full range of features that are provided when users view projects and collections in Team Web Access.

Creating and Managing Custom Groups at the Server Level

You can create custom groups at the server level and populate them with the users and groups to whom you want to grant the permissions that are granted to those custom groups. You can more efficiently manage permissions for groups of users by creating and populating custom groups.

Required Permissions

To perform the following procedures, you must be a member of the Administrators security group on the server or servers that are running the administration console for Team Foundation.

To create a custom group at the server level

  1. Open the administration console for Team Foundation on the application-tier server where you want to create a custom group.

    For more information, see Open the Team Foundation Administration Console.

  2. Click Application Tier, and then click Administer Group Membership.

  3. In the Global Groups window, click New.

    The Create New Team Foundation Server Group window opens.

  4. In Group name, type a name for the custom group.

  5. (Optional) In Description, type a description of the group.

  6. Click OK.

  7. In Global Groups, click Close.

    Note

    You must configure at least one permission for this custom group after you create it. For more information, see Managing Permissions for Server-Level Groups later in this topic.

To delete a custom group at the server level

  1. Open the administration console for Team Foundation on the application-tier server from which you want to delete a custom group.

  2. Click Application Tier, and then click Administer Group Membership.

    The Global Groups window opens.

  3. In Global Groups, click the group that you want to delete, and then click Remove.

  4. In the Confirm Deletion dialog box, click Yes.

  5. In the Global Groups window, click Close.

Managing Permissions for Server-Level Groups

You must configure at least one permission for any custom groups that you create at the server level. You can also customize permissions for default or custom groups at the server level.

Important

Changing permissions at the server level can have significant implications on the operation of Team Foundation Server. You should make sure that you understand all the implications before you grant, deny, or change permissions for server-level groups. For more information, see Team Foundation Server Permissions and Team Foundation Server Default Groups, Permissions, and Roles.

To modify permissions for groups at the server level

  1. Open the administration console for Team Foundation on the application-tier server where you want to modify permissions for a server-level group.

  2. Click Application Tier, and then click Administer Security.

    The Global Security window opens.

  3. Under Users and Groups, click the group for which you want to modify permissions.

    Note

    If the group that you want to modify does not appear in the list, you must add it by using the controls in the Add users and groups section.

  4. In Permissions, select or clear the Allow or Deny check box for the permission that you want to modify.

    Note

    If neither the Allow check box nor the Deny check box is selected, the permission level is set to Unset. For more information, see Team Foundation Server Permissions.

  5. When you finish modifying permissions, click Close.

Managing Users and Groups in Server-Level Groups

You can directly modify the membership of all server-level groups except for Team Foundation Valid Users. By adding users and groups to server-level groups, you grant them the permissions that are granted or denied for that group. When you remove users and groups from server-level groups, those users or groups no longer have the permissions of the group from which you removed them.

To add users or groups to a custom group at the server level

  1. Open the administration console for Team Foundation on the application-tier server where you want to add users or groups to a server-level group.

  2. Click Application Tier, and then click Administer Group Membership.

  3. In the Global Groups window, click the group to which you want to add users or groups, and then click Properties.

    The Team Foundation Server Group Properties window opens.

  4. In the Members list, click either Team Foundation Server Group or Windows User or Group, and then click Add.

  5. In the Select Users, Computers, or Groups dialog box, type the name of the user or group that you want to add, and then click OK.

  6. In the Team Foundation Server Group Properties window, click OK.

  7. In the Global Groups window, click Close.

To remove users or groups from a custom group at the server level

  1. Open the administration console for Team Foundation on the application-tier server where you want to remove users or groups from a server-level group.

  2. Click Application Tier, and then click Administer Group Membership.

    The Global Groups window opens.

  3. In the Global Groups window, click the group from which you want to remove users or groups, and then click Properties.

    The Team Foundation Server Group Properties window opens.

  4. In the Members list, click the user or group that you want to remove, and then click Remove.

  5. In the Team Foundation Server Group Properties window, click OK.

  6. In the Global Groups window, click Close.

See Also

Tasks

Add Users to a Team Project Group

Set Administrator Permissions for Team Project Collections

Set Administrator Permissions for Team Foundation Server

Other Resources

Collection-Level Groups

Project-Level Groups