Two scenarios will be discussed in this post: Single Hat and Multiple Hats.
You have 3 people: Joe, Sally, and Dave
You have 3 main roles: Developer, Tester, Reviewer
You also have 3 projects: Project A, Project B, and Project C
Scenario #1: Single Hats
Team members wear only one hat in the enterprise. A Developer for one project is a developer for all projects – the same for Tester and Reviewer.
The roles that Joe, Sally and Dave play are the same for every project:
The simple setup for this in Team Foundation Server is to use generic role-based groups:
Team Foundation Server
When configuring your Team Project’s permissions, simply grant each group the desired rights. This will allow any subsequent users to be added to the environment with ease (just add them to the group that fits their role).
Scenario #2: Multiple Hats
Your team may have roles that vary by project. A good way to support this in Team Foundation Server is to create role-based groups on a per-project basis.
The roles that Joe, Sally and Dave play vary with each project:
The inherent problem with using generic role-based groups (as in Scenario #1) is that in this scenario, everyone would have full rights to each of the three projects because each person belongs to each group:
A more practical approach is to use project-specific, role-specific groups. This adds several extra groups, but more effectively manages access control at the project level:
\Project A - Developers
\Project A - Testers
\Project A - Reviewers
\Project B - Developers
\Project B - Testers
\Project B - Reviewers
\Project C - Developers
\Project C - Testers
\ Project C - Reviewers