Permission command (Team Foundation Version Control)
Azure DevOps Services | Azure DevOps Server 2022 - Azure DevOps Server 2019
Visual Studio 2019 | Visual Studio 2022
The tf permission command modifies the user access control list (ACL) and displays authorization settings for an item in Team Foundation Version Control (TFVC).
Prerequisites
To use the permission command, you must have the Manipulate security settings permission set to Allow for the folders being modified, be a member of the Azure DevOps Administrators security group, or be a system administrator on the local computer (Windows Administrator security group).
For more information, see Default TFVC permissions.
Syntax
tf permission [/allow:(* |perm1[,perm2,...]]
[/deny:(* |perm1[,perm2,...])] [/remove:(* |perm1[,perm2,...])]
[/inherit:yes|no] [/user:username1[,username2,...]]
[/group:groupname1[,groupname2,...]] [/collection:TeamProjectCollectionUrl]
[/recursive] itemspec [/global][/login:username,[password]]
Parameters
Arguments
Argument
Description
<permission>
Name of a permission or role to modify. For more information about the permission names, see Security groups, service accounts, and permissions in Azure DevOps.
<username>
Value for the /user option. A user name value can be expressed as DOMAIN\username or username, depending on network settings.
<groupname>
The user-provided value for the /group option.
<TeamProjectCollectionUrl>
The URL of the project collection that contains the item for which to modify permissions, for example http://myserver:8080/tfs/DefaultCollection.
<itemspec>
The file or folder for which to modify permissions. For more information about how TFVC parses an itemspec to determine which items are within scope, see Use Team Foundation version control commands.
Note
You can specify more than one itemspec argument.
<username>
Provides a value to the /login option. You can specify a user name value as either DOMAIN\username or username.
Options
Option
Description
/allow
Specifies a list of TFVC permissions to add to the allow ACL.
/deny
Specifies a list of denied TFVC access permissions to add to the user ACL.
/remove
Specifies a list of TFVC permissions to remove from both the allow and the deny ACLs.
/inherit
If yes, the item inherits all permissions associated with a parent ACL. Can't combine with the /remove option.
/user
Specifies the name of a user to modify permissions for.
/group
Specifies the name of the group to modify permissions for.
/collection
Specifies the project collection.
/recursive
Applies the specified command to all items in the directory and any subdirectories.
The /recursive option works only when viewing permissions. It doesn't work when setting permissions, for example with the /allow, /deny, or /remove options.
/global
Views or assigns a TFVC collection-level permission. To assign permissions, use the /allow, /deny, or /remove options. The argument itemspec isn't required. If listed, it's ignored.
When used to view a TFVC collection, lists the following five permissions:
tf: AdminShelvesetstf: AdminWorkspacestf: CreateWorkspacetf: AdminConfigurationtf: AdminConnections
For more information, see Collection-level groups.
/login
Specifies the user name and password to authenticate the user with Azure DevOps.
Remarks
You can use the permission command or its shortcut perm to manage authorization settings for TFVC server objects. However, this command doesn't let you manage authentication settings such as creating or modifying Azure DevOps security groups.
For more information on how to use the tf command-line utility, see Use Team Foundation version control commands.
Examples
The following example displays the TFVC ACLs for 314.cs:
c:\projects>tf permission 314.cs
The following example displays the ACL information for the developers group in the collection at http://myserver:8080/tfs/DefaultCollection/:
c:\projects>tf permission /group:[teamproject]\developers /collection: http://myserver:8080/tfs/DefaultCollection/
The following example allows members of the leads group to change their local copies of all items in the $/baseobjects TFVC server folder:
c:\projects>tf permission /allow:PendChange /group:[teamproject]\leads $/baseobjects
The following example removes all permission-related settings from the $/baseobjects folder for members of the developers group:
c:\projects>tf permission /remove:* /group:developers $/baseobjects
The following example allows the testers group to change their local copies of all items in $/testproject:
c:\projects>tf permission /allow:PendChange /group:testers$/testproject
The following example allows user somealias to make pending changes to their local copy of $/testproject/314.cs in their workspace:
c:\projects>tf permission /allow:PendChange /user:somealias $/testproject/314.cs.
The following example denies user somealias the ability to make pending changes to their local copy of $/testproject/1256.cs:
c:\projects>tf permission /deny:PendChange /user:somealias $/testproject/1256.cs