Permission command (Team Foundation Version Control)
TFS 2017 | TFS 2015 | TFS 2013
Visual Studio 2019 | Visual Studio 2017 | Visual Studio 2015 | Visual Studio 2013
The permission command modifies the user access control list (ACL) and displays authorization settings for an item under version control.
Prerequisites
To use the permission command, you must have the Manipulate security settings permission set to Allow for the folders being modified, be a member of the Team Foundation Administrators security group, or be a system administrator on the local computer (Windows Administrator security group). For more information, see Default TFVC permissions.
Syntax
tf permission [/allow:(* |perm1[,perm2,...]]
[/deny:(* |perm1[,perm2,...])] [/remove:(* |perm1[,perm2,...])]
[/inherit:yes|no] [/user:username1[,username2,...]]
[/group:groupname1[,groupname2,...]] [/collection:TeamProjectCollectionUrl]
[/recursive] itemspec [/global][/login:username,[password]]
Parameters
Argument
Argument
Description
perm
Name of a permission or role to modify. For more information about the permission names, see Team Foundation Server Permissions.
Username
Provides a value to the /user option. A username value can be expressed in one of two ways, depending on the network settings: DOMAIN\username or username.
Groupname
The user-provided value for the /group option.
TeamProjectCollectionUrl
The URL of the project collection that contains the item for which you want to modify permissions (for example, http://myserver:8080/tfs/DefaultCollection).
Itemspec
Identifies the file or folder for which to modify permissions. For more information about how Team Foundation parses itemspecs to determine which items are within scope, see Use Team Foundation version control commands.
Note
You can specify more than one Itemspec argument.
Username
Provides a value to the /login option. You can specify a username value as either DOMAIN<em>UserName or UserName.
Option
Option
Description
/allow
Specifies a list of Team Foundation version control permissions to add to the allow ACL.
/deny
Specifies a list of denied Team Foundation version control access permissions to add to the user access control list.
/remove
Specifies a list of Team Foundation version control permissions to remove from both the allow and the deny ACLs.
/inherit
If you select yes, all permissions associated with a parent ACL are inherited by an item. Cannot be combined with the /remove option.
/user
Specifies the name of a user to modify permissions for.
/group
Name of the group for which to modify permissions.
/collection
Specifies the project collection.
/recursive
Applies the specified command to all items in the directory and any subdirectories.
/recursive option works only when viewing the permissions for items in a source tree. It does not work when setting permissions, for example with /allow, /deny and /remove options.
/global
Used to view or assign a TFVC collection-level permission.
To assign permissions, use the /allow, /deny, or /remove options.
The argument itemspec is not required. If it is listed, it is ignored.
When used to view a TFVC collection-level, the five permissions listed are as follows:
tf: AdminShelvesets
tf: AdminWorkspaces
tf: CreateWorkspace
tf: AdminConfiguration
tf: AdminConnections
For more information about permissions, see Permissions and groups, Collection-level permissions.
/login
Specifies the user name and password to authenticate the user with Azure DevOps.
Remarks
You can use the permission command (or alternatively its shortcut, perm) to manage authorization settings for Team Foundation version control server objects. However, this command does not let you manage authentication settings such as creating or modifying Team Foundation security groups.
For more information on how to find the tf command-line utility, see Use Team Foundation version control commands.
Examples
The following example displays the Team Foundation access control lists (ACLs) for 314.cs.
c:\projects>tf permission 314.cs
The following example displays the ACL information that relates to the group "developers" for the collection that is located at http://myserver:8080/tfs/DefaultCollection/.
c:\projects>tf permission /group:[teamproject]\developers /collection: http://myserver:8080/tfs/DefaultCollection/
The following example enables members of the "leads" group to change their local copies of all items in the $/baseobjects Team Foundation version control server folder.
c:\projects>tf permission /allow:PendChange /group:[teamproject]\leads $/baseobjects
The following example removes all permission-related settings from the $/baseobjects folder for members of the "developers" group.
c:\projects>tf permission /remove:* /group:developers $/baseobjects
The following example enables the group "testers" to change their local copies of all items in $/testproject.
c:\projects>tf permission /allow:PendChange /group:testers$/testproject
The following example enables user somealias to make pending changes to his local copy of $/testtproject/314.cs in his workspace.
c:\projects>tf permission /allow:PendChange /user:somealias $/testproject/314.cs.
The following example denies user somealias the ability to make pending changes to his local copy of $/testproject/1256.cs.
c:\projects>tf permission /deny:PendChange /user:somealias $/testproject/1256.cs