Kallex

Hello!

We just set up our organisation + customer wide project portal using TFS + TeamPlain (www.teamplain.com). Using "Scrum" process model, I cannot praise how much this boosts our project management and collaboration with the customers.

First impressions are really superb, astonishing and GREAT! After spending little while of creating the "account sandboxes" for our customers in the Active Directory environment restricted for anything except authenticating to the TFS (including SQL Server RS and SharePoint) everything just clicked in.

Wow!

Seriously, after a day's work we had running web accessible TFS project portal that our customers can access as well for their projects.

 

Almost perfect. Only few minor issues that cause really huge major head aches.

Three words: project level access. I'll iterate the problem causes:

1. Currently any user can see the list of all the projects, regardless of whether they have access to those individual projects.

Problem: Our customer XX can see that we have a project for customer YY. Not good. This might be up to certain level circumvented by 3rd party add-ons such as TeamPlain, but that's not good solution for overall security. Also even our customer XX user A should not be seeing that the same company XX is also having a project of user B.

2. Task "assigned to" dropdown presents all the users in the list. Also those who don't have any access to the said projects. This is an example, why this kind of access cannot really be tweaked at add-on level.

Problem: Our customer XX user can see our customer YY users in the dropdown.

 

We tried denying the "server level information" access from the said users, but then the TFS altogether starts to complain; it appeared to be somewhat requirement for connecting to the server with Team Explorer (ie. Visual Studio) let alone TeamPlain, which politely tossed access denied error.

I'm not sure how many of these gotchas would be there, but it might also be not that big of a change to allow per-project-access filtering option to be toggled on/off to remove this kind of problems of seeing "too much" of the TFS information.

My example makes it obvious between different customers, but I think that the information about ongoing projects of a company and/or all the users assigned in TFS are not necessarily information, that should be available to anyone having access to TFS.

Other solution would of course be launching dedicated TFS for each customer/project area, but that's just stupid; especially when there is no clean way of moving projects between two TFS systems, when the need would arise to.

 

We are already taking the customer in our TFS as I described, I hope we can solve the matter soon enough so we can take the 2nd customer to the environment as well without revealing the projects of our other customers.

Thanks for the great product aside of these minor (but major) problems,

Kalle Launiala



Re: Team Foundation Server - General Using TFS + TeamPlain as project portal GREAT first impressions

Kallex

We thought over a possible solution to circumvent the entire problem domain;

1. Wrap the entire TFS under identical web service tree structure and customize certain calls to behave differently.

2. Point those people/add-ons that need the custom behaviour to the new mirrored location.

Without previous experience in hooking into TFS, is there any access/credential requirements that would cause problems if the web services were wrapped under other web services

Considering we can run the wrapper service with the same credentials that the current service is running already.

Br,

Kalle Launiala





Re: Team Foundation Server - General Using TFS + TeamPlain as project portal GREAT first impressions

Kallex

I realise this "General" section might not be suitable for add-on development questions. Is there any other place to go with the suggestions/problems like this

Br,

Kalle Launiala





Re: Team Foundation Server - General Using TFS + TeamPlain as project portal GREAT first impressions

alan_b

For customizing the Assigned To field have a look at http://blogs.msdn.com/team_foundation/archive/2005/05/23/421178.aspx

As for the other question the Administration board should be able to help http://forums.microsoft.com/MSDN/ShowForum.aspx ForumID=477&SiteID=1





Re: Team Foundation Server - General Using TFS + TeamPlain as project portal GREAT first impressions

Richard Berg MSFT

The easiest solution might be to request those security features from the Teamplain developers. I've found them pretty responsive, and obviously they're on a much shorter release cycle than we are. Changing the web interface wouldn't prevent users from viewing the complete list of projects/users through some other means, but it might be good enough for your needs.




Re: Team Foundation Server - General Using TFS + TeamPlain as project portal GREAT first impressions

Bill Essary MSFT

1. The reason that users can see all projects is that the Team Foundation Valid Users group is granted "view project level information" rights by default when a project is created. To manage the permission setting using the Team Explorer, you right click on the project node, select Team Project Settings::Security, select [SERVER]\Team Foundation Valid Users and clear the ˇ°view project level informationˇ± permission. You will have to manually clear this permission setting when a new project is created if you do not want that project visible to all users of the system. There are workarounds to automate the process, but at this point they require a bit of code.

2. Alan_b's pointer to instructions for modifying the Assigned To field is exactly what you need to tailor the lists that you see in the dropdowns. See "Customize the Assigned To" field here for more detailed and recent instructions: http://msdn2.microsoft.com/en-us/library/ms195023.aspx.





Re: Team Foundation Server - General Using TFS + TeamPlain as project portal GREAT first impressions

Kallex

Thanks a lot for swift responses :) These modifications seemed to fix the issues (had to "refresh" the users through TeamPlain to realize that they don't have anymore access to the project level data they used to).

:)

Br,

Kalle Launiala





Re: Team Foundation Server - General Using TFS + TeamPlain as project portal GREAT first impressions

Jay D

Does the problem with all projects being shown in the dropdown still exist on the 2.0 RC

I've set the permissions on the projects to not allow the users the certain permissions, but when they login, they still see all projects in the list.




Re: Team Foundation Server - General Using TFS + TeamPlain as project portal GREAT first impressions

Kolchak

I still get all projects listed as well - not an ideal solution Sad




Re: Team Foundation Server - General Using TFS + TeamPlain as project portal GREAT first impressions

Kallex

Hi!

Edit: This was answered above already; didn't check the thread properly before posting...

The exact access setting is from the project specific access:

Team Project => Security ==> View Project Level Information

The "problem" is caused by the fact, that by default TFS adds this access to [SERVER]\Valid Users (or something like that, my memory fails me).

The solution is to remove the access from that group, so that you will be effectively left only with groups such as:

[YourProject]\Readers

[YourProject]\Contributors

[YourProject]\Administrators

...

[SERVER]\Team Foundation Administrators

This will solve the issue.

Best regards,

Kalle





Re: Team Foundation Server - General Using TFS + TeamPlain as project portal GREAT first impressions

Andreas Ohlund

Hi!

I've done all steps mentioned above to get rid of all the projects being listed in the "projects" dropdown. But all projects are still being listed. I'm running on the latest build of TFS Web access.

Any ideas

/Andreas





Re: Team Foundation Server - General Using TFS + TeamPlain as project portal GREAT first impressions

Kallex

Hi!

I ran into the same issue when I upgraded to the TFS Web Access (the new Microsoft branded one). The initial project list does not honor the user access for that list; apparently if you choose to "select" the actual projects to show in the drop-down list it filters the allowable selections based on that.

So you cannot re-select unselected unaccessible projects, but you do see all the projects initially, which is really unfortunate behaviour.

Same thing happens with the source code view, that it displays the roots of every version control project (thus including the possible customer names in the list). Sure you won't be able to access the actual contents, but you already know too much at that stage.

I'm not sure if the source code thing was there also with the earlier version, but this behaviour altogether renders the portal quite useless if you are not supposed to show out your other projects/clients (which would be close to 100% of the cases).

I suer hope this gets addressed in the future versions.

Br,

Kalle