Prevent direct checkin on TFS 2017 branch, allow merge only

I'd like to find out if it's possible to prevent users from checking in directly on a branch using TFS 2017, while still allowing a merge-checkin to that branch. It sounds like an oxymoron I know, how can you merge to that branch if you can't checkin?

Anyways, we have a typical dev-qa-prod merging structure. I'd like to allow users to check-in directly on the dev branch. Then on the qa and prod branches, only allow merge-checkins to occur. This is to prevent users who want to "bypass" our deployment model and check changes directly into the prod branch. (This isn't the place to discuss why they're doing that in the first place :-\ )

If something isn't clear, let me know and i'll update the question accordingly.

Thanks.

Solution

No, it's not possible.

To check in changes you need the Check in permission (set to Allow)

So you can set permissions for users/groups to prevent users from checking to a specific branch, but at same time the merger-checkin is also prevented.

However you can use the check-in policy to enforce Code Review, that can prevent directly check in on TFS branch. (Before you check in your code, you have to ask someone else from your team to review it.)

You can install the Colin's ALM Checkin Policies VS 2017 on client side. See Enable and Disable Check-In Policies for details:

To enable a check-in policy:

On the Team menu, click Project Settings, and then click Source Control.

In the Source Control Settings dialog box, click the Check-in Policy tab.

In the policy type list, select the policy type you want to enable, and click Enable.

Click OK.