/a+ Command
Use /a+ to add permissions for a user or a group in a server-level, collection-level, or project-level group. To add users to groups from the user interface, see Configuring Users, Groups, and Permissions.
Required Permissions
To use the /a+ command, you must have the View collection-level information or the View instance-level information permission set to Allow, depending on whether you are using the /collection or /server parameter, respectively. If you are changing permissions for a team project, you must also have the Edit project-level information permission for the team project set to Allow. For more information, see Team Foundation Server Permissions.
TFSSecurity /a+ Namespace Token Action Identity (ALLOW | DENY) [/collection:CollectionURL] [/server:ServerURL]
Parameters
Argument |
Description |
---|---|
Namespace |
The namespace that contains the group to which you want to add permissions for a user or group. You can also use the TFSSecurity /a command to view a list of namespaces at the server, collection, and project level. |
Token |
The name or GUID of the object on which you want to add permissions.
Note
Tokens vary depending on the namespace you specify. Some namespaces do not have tokens that apply for this command.
|
Action |
The name of the permission for which you are granting or denying access. For a list of valid IDs, see Team Foundation Server Permissions, or use the TFSSecurity /a command to view a list of valid actions for a namespace that you specify. |
Identity |
The identity of the user or the group. For more information about identity specifiers, see TFSSecurity Identity and Output Specifiers.
|
/collection:CollectionURL |
Required if /server is not used. Specifies the URL of a team project collection in the following format: http://ServerName:Port/VirtualDirectoryName/CollectionName |
/server:ServerURL |
Required if /collection is not used. Specifies the URL of an application-tier server in the following format: http://ServerName:Port/VirtualDirectoryName |
Remarks
Run this command on an application-tier server for Team Foundation.
Access control entries are security mechanisms that determine which operations a user, group, service, or computer is authorized to perform.
Examples
The following example displays what namespaces are available at the server level for the application-tier server that is named ADatumCorporation.
Note
The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, email address, logo, person, places, or events is intended or should be inferred.
>tfssecurity /a /server:ServerURL
Sample output:
TFSSecurity - Team Foundation Server Security Tool
Copyright (c) Microsoft Corporation. All rights reserved.
The target Team Foundation Server is http://ADatumCorporation:8080/.
The following security namespaces are available to have permissions set on them:
Registry
Identity
Job
Server
CollectionManagement
Warehouse
Catalog
EventSubscription
Lab
Done.
The following example displays what actions are available for the Server namespace at the collection level.
>tfssecurity /a Server /collection:CollectionURL
Sample output:
TFSSecurity - Team Foundation Server Security Tool
Copyright (c) Microsoft Corporation. All rights reserved.
The target Team Foundation Server is http://ADatumCorporation:8080/.
The following actions are available in the security namespace Server:
GenericRead
GenericWrite
Impersonate
TriggerEvent
Done.
The following example grants the server-level "View instance-level information" permission to the ADatumCorporation deployment for the Datum1 domain user John Peoples (Datum1\jpeoples).
>tfssecurity /a+ Server FrameworkGlobalSecurity GenericRead n:Datum1\jpeoples ALLOW /server:http://ADatumCorporation:8080
Sample output:
TFSSecurity - Team Foundation Server Security Tool
Copyright (c) Microsoft Corporation. All rights reserved.
The target Team Foundation Server is http://ADatumCorporation:8080/.
Resolving identity "n:Datum1\jpeoples"...
[U] Datum1\jpeoples (John Peoples)
Adding the access control entry...
Verifying...
Effective ACL on object "FrameworkGlobalSecurity":
[+] GenericRead [INSTANCE]\Team Foundation Valid Users
[+] GenericRead [INSTANCE]\SharePoint Web Application Services
[+] Impersonate [INSTANCE]\SharePoint Web Application Services
[+] GenericRead [INSTANCE]\Team Foundation Service Accounts
[+] GenericWrite [INSTANCE]\Team Foundation Service Accounts
[+] Impersonate [INSTANCE]\Team Foundation Service Accounts
[+] TriggerEvent [INSTANCE]\Team Foundation Service Accounts
[+] GenericRead [INSTANCE]\Team Foundation Administrators
[+] GenericWrite [INSTANCE]\Team Foundation Administrators
[+] TriggerEvent [INSTANCE]\Team Foundation Administrators
[+] GenericRead DATUM1\jpeoples
Done.
The following example grants the collection-level "View collection-level information" permission to the Collection0 team project collection for Datum1 domain user John Peoples (Datum1\jpeoples).
>tfssecurity /a+ Server FrameworkGlobalSecurity GenericRead n:Datum1\jpeoples ALLOW /collection:http://ADatumCorporation:8080/Collection0
Sample output:
TFSSecurity - Team Foundation Server Security Tool
Copyright (c) Microsoft Corporation. All rights reserved.
The target Team Foundation Server is http://ADatumCorporation:8080/COLLECTION0.
Resolving identity "n:Datum1\jpeoples"...
[U] DATUM1\jpeoples (John Peoples)
Adding the access control entry...
Verifying...
Effective ACL on object "FrameworkGlobalSecurity":
[+] GenericRead [Collection0]\Project Collection ValidUsers
[+] GenericRead [Collection0]\Project Collection Service Accounts
[+] GenericWrite [Collection0]\Project Collection Service Accounts
[+] Impersonate [Collection0]\Project Collection Service Accounts
[+] TriggerEvent [Collection0]\Project Collection Service Accounts
[+] GenericRead [Collection0]\Project Collection Administrators
[+] GenericWrite [Collection0]\Project Collection Administrators
[+] TriggerEvent [Collection0]\Project Collection Administrators
[+] GenericRead [INSTANCE]\SharePoint Web Application Services
[+] Impersonate [INSTANCE]\SharePoint Web Application Services
[+] GenericRead [Collection0]\Project Collection Build Service Accounts
[+] GenericRead DATUM1\jpeoples
Done.
See Also
Tasks
Create a Collection-Level Group