TFS allows flexible setup. It can be customized to address most peoples requirements.
Everything that can be changed with TFS Explorer in the UI can also be modified using the API and command line tools.
TFSSECURITY.EXE is one of those allowing to batch script modifications to TFS’s security interface.
However, for some scenarios the tool application is pretty complicated as the required input parameters are hard to figure out due to their low level.
A customer asked me how to grant or deny a set o users the privilege to manage build resources via shell script.
the syntax looks pretty straight forward:
1: tfssecurity /a+ Namespace, Token and Action <user/group> Allow /collection:<collectionURI>
But how do you get all three parameters Namespace, Token and Action?
To get the namespace use TFSSecurity /a against the collection:
1: tfssecurity /a /collection:<collectionURI>
Reading the token is the most tricky part and neither my EE colleague nor the WWW cam up with a better solution than running a SQL query against the confid DB:
1: select distinct SecurityToken
2: from Tfs_DefaultCollection..tbl_SecurityAccessControlEntry
3: where (SecurityToken not like '%/%' )and (SecurityToken not like '%$%')
The action can be queried with tfssecurity once more (syntax):
1: : tfssecurity /a Namespace Token /collection:<collectionURI>
1: tfssecurity /a BuildAdministration BuildPrivileges /collection:<collectionURI>
Output [Build Management Privileges]
Notice: This post focuses on build management privileges and does not cover all possible scenarios.
There is a pretty detailed forum answer in the MSDN forums which covers alternative ways to retrieve tokens for other tasks:
I’d love to read your feedback if this article helped you solve your problem!