
Cannot manage security in TFS 2018 on a Team Project with Project Collection Administrator Role


I have been converting access to Team projects using Active Directory groups.

I am a project collection admin and we host around 40 odd team projects.

On all the other projects everything is fine, I have been able to add all the AD groups I needed to the various TFS groups that exist in a Team Project (Contributors, Readers etc).

When I come to the problem project I can see the add button, and I am able to search for and select the AD group I want, but when I click save, I see a red banner message with the text:

Unable to add members to this group.
Failed to resolve the specified groups to join.
You do not have sufficient permissions to add members to the following groups: 
[Team Project]\Build Administrators

I have looked at the oi and all I can see around the time of the issue are activities reporting a 200 response.

I am looking at the api and the database to see what I can do but not sure where to start. I thought I might be able to see something about security but it is asking for a guid that I am not sure how to get hold of.

Looking at the database I thought there might be a security table, but not sure where to start.

I'm going to keep looking at what to do, so I am going to keep this updated.

Update 2019-03-27

We have a support call open with Microsoft, I still have issues managing the teams, but I have been able to update the team via the APIs, I even found a useful little CLI tool to help with the tasks I needed to do.


Solution

Got the answer and the fix worked.

After a lot of back and forth, sending files and running some tfssecurity queries, they were able to determine the problem.

What I had done was add the domain User AD group containing our project collection admin account in as a project reader. As the security on TFS works on a least level principle, it was then applying a deny permission on my Project Collection Admin account. By simply removing the AD group from the reader level, which I was able to do, the ability to manage the securities came back.

I haven't been able to find the specific group that I belonged to that then set the deny, but there is no denying that removing the AD group from the reader level fixed the issue.
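The Deny-beats-Allow behaviour the answer describes, as an added example that is not part of the original post: a small Python model of TFS effective-permission evaluation, where an explicit Deny on any group an identity belongs to overrides an Allow granted through another group. All group names, the AD-to-TFS membership and the Deny on Readers are constructed assumptions, not values from the post.

```python
from enum import Enum

class Perm(Enum):
    NOT_SET = "Not set"
    ALLOW = "Allow"
    DENY = "Deny"

# Constructed sample data: which AD groups each TFS group contains.
TFS_MEMBERS = {
    "[Collection]\\Project Collection Administrators": {"DOMAIN\\TFS Admins"},
    "[Team Project]\\Readers": {"DOMAIN\\Domain Users"},
    "[Team Project]\\Build Administrators": {"DOMAIN\\Build Team"},
}

# Constructed sample ACL for one permission (managing Build Administrators membership).
# Assumption: Readers carries an explicit Deny on that permission.
ACL = {
    "[Collection]\\Project Collection Administrators": Perm.ALLOW,
    "[Team Project]\\Readers": Perm.DENY,
    "[Team Project]\\Build Administrators": Perm.NOT_SET,
}

def tfs_groups_for(ad_groups, members=TFS_MEMBERS):
    """Return the TFS groups an identity belongs to via its AD group memberships."""
    return {g for g, ad in members.items() if ad & set(ad_groups)}

def effective(ad_groups, acl=ACL, members=TFS_MEMBERS):
    """TFS rule: any explicit Deny wins over any Allow; otherwise the permission is Not set."""
    settings = {acl.get(g, Perm.NOT_SET) for g in tfs_groups_for(ad_groups, members)}
    if Perm.DENY in settings:
        return Perm.DENY
    if Perm.ALLOW in settings:
        return Perm.ALLOW
    return Perm.NOT_SET

def denying_groups(ad_groups, acl=ACL, members=TFS_MEMBERS):
    """Which TFS groups carry the Deny that is blocking the identity (the answer's open question)."""
    return sorted(g for g in tfs_groups_for(ad_groups, members) if acl.get(g) is Perm.DENY)

def remove_from_group(tfs_group, ad_group, members=TFS_MEMBERS):
    """Apply the fix from the answer: take the AD group back out of the TFS group."""
    fixed = {g: set(ad) for g, ad in members.items()}
    fixed[tfs_group].discard(ad_group)
    return fixed
if __name__ == "__main__":
    pca = ["DOMAIN\\Domain Users", "DOMAIN\\TFS Admins"]  # constructed PCA account
    print("before:", effective(pca).value, "via", denying_groups(pca))
    after = remove_from_group("[Team Project]\\Readers", "DOMAIN\\Domain Users")
    print("after: ", effective(pca, members=after).value)
```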