Team members in the Readers group can create work items!

Posted by richard | November 17, 2014 | Scrum, Team Services, TFS 2013

Watch out. This could happen to you and your team.

Let’s assume you have a single team project with three teams (Bacon, Lettuce, and Tomato) …

[Screenshot: blt_teams]

Next, let’s assume you have Jake, a stakeholder, asking for access to the team project. You don’t want Jake to be able to add, edit, or delete anything, only to read data. Following MSDN’s guidance, you add Jake to the Readers group …

[Screenshot: jakereaders]

Since Jake only cares about the work that Team Bacon is doing, you add him to that team …

[Screenshot: jakebacon]

And Bob’s your uncle (translation: unfortunately Jake can now create work items, check in code, etc.). The reason is that the Team Bacon security group is itself a member of the Contributors group, so members of Team Bacon are de facto Contributors to the team project. The fact that Jake is also a member of the Readers group doesn’t matter, because the Readers group does not explicitly DENY any permissions at the team project scope …

[Screenshot: readers_permissions]

or at the work item area scope …

[Screenshot: area_permissions]

The Workaround

You could obviously change the “Not set” permissions to “Deny” for the Readers group at the various scopes: team project, area, code, etc. I, Microsoft, and others among my fellow MVPs advise against this for various performance and troubleshooting reasons.

A better workaround would be to remove Team Bacon from the Contributors group and add it to the Readers group …

[Screenshot: bacon_readers_group]

Then add the regular Team Bacon members to the Contributors group individually. At this point, Jake (the stakeholder) will have true read-only access as well as only being able to see Team Bacon’s slice of the Product Backlog. The other members of Team Bacon will see no interruption in their day-to-day capabilities.
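To make the evaluation concrete, here is an added Python model (not part of the original post, and not TFS code) of the rule the post relies on: a user's effective permission is resolved over every group they belong to, nested groups included, an explicit Deny beats Allow, and "Not set" grants nothing. The user names (jake, alice), group memberships and permission names are constructed for the example, and the model evaluates a single scope, ignoring the user-level override rules real TFS applies.

```python
from collections import deque

ALLOW, DENY, NOT_SET = "Allow", "Deny", "Not set"


def groups_for(principal, membership):
    """Return every group `principal` belongs to, following nested membership.

    `membership` maps group name -> set of direct members (users or groups).
    """
    seen, queue = set(), deque([principal])
    while queue:
        current = queue.popleft()
        for group, members in membership.items():
            if current in members and group not in seen:
                seen.add(group)
                queue.append(group)  # the group may itself be nested in another
    return seen


def effective(principal, permission, membership, acl):
    """Resolve one permission: Deny anywhere wins, then Allow, else Not set."""
    states = {acl.get(g, {}).get(permission, NOT_SET)
              for g in groups_for(principal, membership)}
    if DENY in states:
        return DENY
    return ALLOW if ALLOW in states else NOT_SET


# Constructed ACL for one scope: Readers only has View; everything else is Not set.
ACL = {
    "Contributors": {"View": ALLOW, "Create work items": ALLOW, "Check in": ALLOW},
    "Readers": {"View": ALLOW},
}
# The situation in the post: the Team Bacon group is nested inside Contributors.
BEFORE = {"Readers": {"jake"}, "Team Bacon": {"jake", "alice"},
          "Contributors": {"Team Bacon"}}
# The workaround: Team Bacon moves under Readers; real members join Contributors directly.
AFTER = {"Readers": {"jake", "Team Bacon"}, "Team Bacon": {"jake", "alice"},
         "Contributors": {"alice"}}
# The discouraged alternative: an explicit Deny on Readers overrides the inherited Allow.
DENY_ACL = {**ACL, "Readers": {"View": ALLOW, "Create work items": DENY}}

if __name__ == "__main__":
    for label, membership in (("before", BEFORE), ("after", AFTER)):
        print(label, "jake:", effective("jake", "Create work items", membership, ACL),
              "alice:", effective("alice", "Create work items", membership, ACL))
    print("explicit deny:", effective("jake", "Create work items", BEFORE, DENY_ACL))
```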

Blog Comments

There is also the option not to add a security group to a Team when you create it. This works for additional teams; for the default Team, I think you must patch the Process Template.

Good tip. Thanks Giulio.
