Restrict Access to just "Bugs" In Team Foundation Server 2010

I want to give access to all employees of the company to access the TFS server, but i just want to give them the right to view/edit and created Bugs, just Bugs, no access whatsoever 开发者_Python百科to view tasks, source code or anything else, just bugs, how is this possible?

As an alternate option you could control all work item access on the Project-Area level.

TFS projects have "Areas". They can be setup to be what ever you want to call them. Many people organize these by feature or application "part".

You could restrict access to all working areas but leave access open to a "Triage" or "Bug Reporting" area. (Or if you just want to shut people out entirely just remove them from the root "Area" node.)

To do this right click on your project in Team Explorer and select Team Project Settings. From the sub menu select Areas and Iterations.

Set up your areas something like this:

Select the Development area then click the Security button in the bottom left corner.

In the resulting dialog you can setup permissions as needed to restrict view and edit access to work items in that area. Then when your developers make work items (tasks etc) make sure they set the area correctly. This will limit access to those work items.

Since you leave the "Bug Reporting" area open, users can still add bugs (or sadly Tasks) to that Area. Once you plan on working on the bug you can move it into the Development area.

This works, but has several drawbacks:

1. Users can't see the status of the Bug they reported once it goes into development. A Sharepoint dashboard report could help with allowing viewing of that status.
2. Users can still make non-bug work items. This means they can make tasks and such if they choose to.

An alternative is the use the Work Item Only View of TFS. This is a tfs portal that is setup automatically with TFS 2010 and can be installed in TFS 2008. It allows users to enter work items and see work items that they entered. But that is all. This is a fairly limited view, but it may work for you. (But remember, a person can only view work items that were created by them.)

The main benefit is that you don't have to purchase a CAL license for users to use the Work Item Only View (WIOV). Depending on how many users you are planning to give access to, that can save you a lot of money.

Here is a link about that: http://msdn.microsoft.com/en-us/library/cc668124.aspx

As a side note, both WIOV and the Area security would work fine together if you want.

EDIT: After re-reading your comment I think you might have been asking how to restrict users from accessing source. To do that open the Source Control Explorer and right click on a project or the root node and select properties. From there you select the security tab and you can deny access to source control from there.

This can be done for creation, but not viewing (to my knowledge). However, this is a lot of work. To do it you have to edit the work item type templates.

Basically you would edit the non-Bug templates so that only a specific group of people have rights to all the fields. You would also have to restrict transitions (i.e. move the non-bug work item to "Created" (or what ever your "new" work item state is).

This is a lot of editing, but it could be done.

This blog post gives the basic idea:

http://social.msdn.microsoft.com/forums/en-US/tfsadmin/thread/178bc809-0035-45ee-9e0a-65ac412186f1/

and this is the docs for the Not parameter to deny transition permissions:

http://msdn.microsoft.com/en-us/library/aa337653.aspx

And lastly, here is the ValidUser docs:

http://msdn.microsoft.com/en-us/library/dd997577.aspx

We have two Application Tier servers, one is used by the client only, so I edited the JS source for TFS web access to not allow adding anything other than Bugs, Change Requests or Issues.

In (TFS Deploy folder)\Application Tier\Web Access\Web\Resources\Scripts, you can edit the DocumentService.js file:

//Opens new workitem editor with specified workitem type.
//workItemType: WorkItem type name.
DocumentService.newWorkItem = function(workItemType, tfsLocator)
{

    if (JsUtility.stringIsNullOrEmpty(workItemType))
        throw "Unspecified WorkItem Type Name.";

    if (workItemType != 'Bug' && workItemType != 'Change Request' && workItemType != 'Issue') {
    alert('Only Bugs, Change Requests and Issues can be created from this site');
    }
    else {    
    var _url = this.createUrl(CommonUrls.WorkItemEditor, { wit: workItemType }, tfsLocator);
    return WindowHelpers.openWindow(_url, "_blank"); }

}