I blog about debugging, development using .NET, C#, SQL, and other Microsoft technologies.
Disclaimer: All posts are provided "AS IS" with no warranties, conferring no rights, and expressing only my personal opinion, not Microsoft's.
Some thoughts about permissions, especially deny. Why deny? Because deny is the best way to apply the principle of least privilege. Once a permission is set, it shouldn't matter which client is used to access TFS: permissions are evaluated against the credentials supplied. Permissions are namespace-based, not temporal: when you set a permission on $/, it is recursive and applies to all items under it, whether they existed before the permission was set or are added afterwards.
You can run tf perm /user:DOMAIN\username $/ /r to see all permissions of that user, or tf perm itemSpec to see the permissions on that item.
I quote the following about the deny permission from MSDN because I think it’s really important to know that "the Deny setting takes precedence ... The only exception to this rule occurs when the user is a member of either the Project Administrators group for a project or the Team Foundation Administrators group. If a user is a member of the Project Administrators group for a project, the privileges of that group override an explicit Deny for that user in a project. Similarly, if a user is a member of the Team Foundation Administrators group, the privileges of that group override an explicit Deny for that user in Team Foundation Server." For more info, please take a look at: http://msdn.microsoft.com/en-us/library/ms252587.aspx and http://msdn.microsoft.com/en-us/library/ms400712.aspx
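The rules above (recursive scope, Deny beating Allow, and the administrator exception) can be sketched as a small evaluator. This is an added example, not code from the original post and not TFS's implementation; Ace, covers, project_of, effective and the sample ACL are hypothetical names and constructed data, and treating "no matching entry" as not granted is an assumption of the model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    path: str        # server path the entry was set on, e.g. "$/" or "$/Web/release"
    identity: str    # user or group the entry names
    permission: str  # e.g. "Checkin"
    deny: bool       # True = Deny, False = Allow

def covers(ace_path: str, item: str) -> bool:
    # An entry on a folder applies to the folder and everything under it,
    # regardless of when the item was created (namespace-based, not temporal).
    base, item = ace_path.rstrip("/").lower(), item.rstrip("/").lower()
    return item == base or item.startswith(base + "/")

def project_of(item: str) -> str:
    parts = item.strip("/").split("/")   # "$/Web/src" -> ["$", "Web", "src"]
    return parts[1].lower() if len(parts) > 1 else ""

def effective(permission, item, user, groups, acl,
              admin_projects=(), server_admin=False):
    # Exception quoted from MSDN: membership in Team Foundation Administrators
    # (server_admin) or in a project's Project Administrators group
    # (admin_projects) overrides an explicit Deny.
    if server_admin or project_of(item) in {p.lower() for p in admin_projects}:
        return "allow (admin override)"
    who = {user, *groups}
    hits = [a for a in acl
            if a.permission == permission and a.identity in who
            and covers(a.path, item)]
    if any(a.deny for a in hits):        # Deny takes precedence over any Allow
        return "deny"
    return "allow" if hits else "not set"  # assumption: unset means not granted

# Constructed sample: the group may check in everywhere, one user is denied
# on the release folder.
ACL = [
    Ace("$/", "Contributors", "Checkin", deny=False),
    Ace("$/Web/release", r"DOMAIN\alice", "Checkin", deny=True),
]

if __name__ == "__main__":
    for item in ("$/Web/src/a.cs", "$/Web/release/a.cs"):
        print(item, effective("Checkin", item, r"DOMAIN\alice", ["Contributors"], ACL))
    print("as project admin:", effective("Checkin", "$/Web/release/a.cs",
          r"DOMAIN\alice", ["Contributors"], ACL, admin_projects=["Web"]))
```

The last call shows why a Deny is not a reliable control for anyone who is also in an administrators group: review group membership before relying on it.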