0
0
I recently upgraded from TFS 2010 SP1 to TFS 2012 Update 3 and have a permission problem in one (but only one) of my upgraded team projects. Even though my current user is admin of everything (local machine, TFS, project collection, SharePoint, report server) I can't add members to the "Project Administrators" group. When I click on "Add Windows user or group" or "Add TFS group" it just shows the error message "You do not have the required permissions to perform this action" as can be seen here:
But that's not the only weird thing about this one team project:
A) It only shows two groups in the team project, all other team projects additionally also have a team ("[project name] Team") and 3 TFS groups ("Builders", "Contributors", "Readers").
B) Its "Project Valid Users" group is listed twice in the members of the "Project Collection Valid Users" group. But if I open the "member of" page of the "Project Valid Users" group the "Project Collection Valid Users" group is only listed once.
Is there any way to reset the permissions/groups of a team project? Or any other way to fix this?
Edit:
I've now tried the TFS Admin Tool. It also isn't able to add users but at least it gives a good error message:
Type: System.Web.Services.Protocols.SoapException
Message: Multiple identities found matching '[projectname]\Project Administrators'. Use the unique name to specify one of the following identities:
- [projectname]\Project Administrators (unique name: vstfs:///Classification/TeamProject/df734fb3-0868-448a-b44e-bab6f8426bf8\Project Administrators)
- [projectname]\Project Administrators (unique name: vstfs:///Classification/TeamProject/1f1d053a-1aa3-4734-b876-5a2bc7e42703\Project Administrators)
Only one of those GUIDs actually appear in the Project table in the Tfs_DefaultCollection database. Does anyone know how I can get rid of the wrong one?
Edit 2:
I've now tried the following:
> tfssecurity /gd "adm:vstfs:///Classification/TeamProject/df734fb3-0868-448a-b44e-bab6f8426bf8" /collection:http://servername:8080/tfs/DefaultCollection
Microsoft (R) TFSSecurity - Team Foundation Server Security Tool
Copyright (c) Microsoft Corporation. All rights reserved.
The target Team Foundation Server is http://servername:8080/tfs/defaultcollection.
Resolving identity "adm:vstfs:///Classification/TeamProject/df734fb3-0868-448a-b44e-bab6f8426bf8"...
a [A] [projectname]\Project Administrators
Deleting the application group...
Error: Access Denied: Administrator needs the following permission(s) to perform
this action: Edit project-level information
How should I get this permission if I can't add myself to the Administrators group?
cremor
Posted 2013-08-20T06:58:07.547
Reputation: 297
you can check the app pool that your code is running under (in IIS) to it's running as If that identity should also have TF perms fine, try logging in as that user and connecting, or doing a "runas /user:that\user cmd" and trying "tf dir $/ /s:http://server:8080" to make sure that user can do the calls fine.
– BlueBerry - Vignesh4303 – 2013-08-20T07:02:51.630@Vignesh4303 The TFS application pool runs with the identity of the TFS service account (a domain user). Both my admin user and the service user can execute the tf dir call fine. – cremor – 2013-08-20T07:28:21.707
try with http://www.attrice.info/cm/tfs/ advance gui tool for tfs, and are u able to browse the project level information?
– BlueBerry - Vignesh4303 – 2013-08-21T09:41:47.120@Vignesh4303 Using this tool I can see the effective permissions of this project, yes. But I can't edit it. If I enable "Edit project-level information" for my admin user in the problematic project and then refresh the view, the permission is gone again. – cremor – 2013-08-21T10:01:03.230
http://social.msdn.microsoft.com/Forums/vstudio/en-US/dedf3ab1-e32a-44bf-96be-26ba99bd40ad/tf218030-groups-and-permissions-error-preventing-project-creation it might help u in overcoming the access denied error and also verify permission level TFSSecurity /imx /collection:http://server:8080/tfs/defaultcollection n:domain\username – BlueBerry - Vignesh4303 – 2013-08-21T10:21:04.050
@Vignesh4303 I do not use AD groups and also haven't added anyone to a group other than Administrators, so I don't think the thread you liked can help me. That tfssecurity command shows that my admin user is member of 4 groups: "BUILTIN\Administrators", "[TEAM FOUNDATION]\Team Foundation Administrators", "[DefaultCollection]\Project Collection Administrators", "[DefaultCollection]\Project Collection Valid Users" – cremor – 2013-08-21T10:33:36.713
not sure but check out this thread http://go4answers.webhost4life.com/Example/tfs-permission-error-access-denied-144096.aspx
– BlueBerry - Vignesh4303 – 2013-08-21T10:37:11.223