Quickly and easily setup “Work Item Only View” team web access users in TFS 2010


Team Foundation Server has some notoriety when it comes to administering security. When it comes to giving a client or remote user access to enter work items and bugs only, wading through the quagmire of MSDN can make it seem impossible. I’ll show you a quick direct path to giving a client remote access.

image Team Foundation Server 2010 offers so many great new features and additions on the previous release. Couple this with the fact that it’s released as part of MSDN and more people seem to be dipping their toes in that ever. This makes it even more important to learn the black arts of the beast to successfully administer it for developer and client folk alike. Let’s take a look.

How to make it happen

  1. Create a local windows user group to store all work item only view users. For this demo I’ve called mine “TFS CLIENT REMOTE ACCESS”
  2. Create a new user for your client. For the purposes of this demo I'll call mine “tfs_client1”
  3. Add the user you just created to the windows user group “TFS CLIENT REMOTE ACCESS” you just created
  4. On your TFS server open Team Foundation Server Administration Console
  5. Open the Application Tier Tab
  6. Click the link marked “Group Membership”
  7. Select the group marked [TEAM FOUNDATION]\Work Item Only View Users and click Properties
  8. Select the “Windows User or Group” radio button and then click add
  9. Enter your newly created local user group above.
  11. Click OK twice to save out of the group properties (after clicking OK once, you should see below)
  12. Now in Team Explorer or Visual Studio 2010 right click on your TFS project in the Team Explorer view on the right hand side of the screen and select Team Project Settings and then select Group Membership
  13. Select [Your ProjectName]\Contributors and click the properties button
  14. In the next screen select the radio button marked “Team Foundation Server Group” and click the Add button
  15. Scroll down until you find the [Team Foundation]\Work Item Only View Users and click OK
  16. Click OK twice to save out and your done!

Now when clients or remote users try to login to your TFS web view using the account we just setup, they’ll only have work item only view. The great thing about this is that they can only see work items and bugs that they have created. So all that internal chatter from your project managers etc, never gets seen by the client.

Taking it one step further

So if your organisation is like mine, you have multiple projects and multiple clients. In this case you don’t want all clients to have access to all projects, and this is what the above solution offers. What we want to do is take it one step more and make security more granular. We want to create a new work item view group for your client, add your user and give that work item view group access to your project.

  1. Create a new windows user for your client as above
  2. On your TFS server open Team Foundation Server Administration Console
  3. Open the Application Tier Tab
  4. Click the link marked “Group Membership”
  5. Click on New
  6. Enter a name for your group. I’ve called mine Work Item Only View Users – Client A
  7. Click OK
  8. Now select the group you have just created and click Properties to show a list of users in this TFS group (there should be none yet)
  9. Select the radio button that says “Windows User or Group” and click Add
  10. Enter the local user you have created for your client and click OK twice to accept and close out.
  11. Click on the Administer Security link in the TFS Admin console
  12. Select the Team Foundation Server Group you created in step 6 and click Add to add the TFS user group to the server settings
  13. Select your newly created group and click Properties
  14. Select your newly created group from the list and un tick everything but the Deny box on “Use full Web Access” in the bottom security list and click close
  15. Now follow on from Point 12 in the first walk-through but instead of adding “Work Item Only View Users” add your newly created group “Work Item Only View Users – Client A” instead
  16. Now you’re done! Your newly created user will only have access to the project in TFS that you have allowed them access to.