Ged325

Hi All,

I'm a TFS admin trying to resolve the following error:

A user is both a contributor, and a DB developer (both added in the project groups). The user cannot check in because the server claims he needs pendChange. As you can see, the DB developers have this permission.

Because this is a DB folder, we are not inheritting from above, the permissions are set explicitely on this folder. If I add the user Directly to the folder (EG: find him in AD and allow permission check in), then he is allowed to check in. Any ideas

tfperm yields the following:

Server item: <path> (Inherit: No)
Identity: [project]\Contributors
Allow: Read
Deny:
Allow (Inherited):
Deny (Inherited):

Identity: [project]\Database Developers
Allow: Read, PendChange, Checkin, Label, Lock
Deny:
Allow (Inherited):
Deny (Inherited):

Identity: [project]\Project Administrators
Allow: Read, PendChange, Checkin, Label, Lock, ReviseOther,
UnlockOther, UndoOther, LabelOther, AdminProjectRights,
CheckinOther
Deny:
Allow (Inherited):
Deny (Inherited):

Identity: [SERVER]\Service Accounts
Allow: Read, PendChange, Checkin, Label, Lock, ReviseOther,
UnlockOther, UndoOther, LabelOther, AdminProjectRights,
CheckinOther
Deny:
Allow (Inherited):
Deny (Inherited):

Identity: [SERVER]\Team Foundation Administrators
Allow: Read, PendChange, Checkin, Label, Lock, ReviseOther,
UnlockOther, UndoOther, LabelOther, AdminProjectRights,
CheckinOther
Deny:
Allow (Inherited):
Deny (Inherited):




Re: Team Foundation Server - General TF14098: Access Denied: <user> needs PendChange permission(s) for <path>

Hua Chen - MSFT

Dear Ged325:


Sorry I am not sure I have caught your means. If there is any misunderstanding, please let me know. Thanks.

Do you mean that you clear the 'Inherit security setting' check box in the security tab of Properties of 'DB folder' and add the [project]\Database Developers Group to the 'Users and Groups' List Box

Thanks again.






Re: Team Foundation Server - General TF14098: Access Denied: <user> needs PendChange permission(s) for <path>

Ged325

I'm just saying it's not inherited from the parent above.

We have the following tree

[project]

[frontend]

[DB folder]

[etc]

for DB folder, we override the permissioning as we only want some people to have access. The problem I'm having is that even though the user is in the group "DB Developer", he or she is not able to check in their code unless we add the pend change specifically to that folder for the user.

Example

Joe is a member of contributor, as well as db developer

Joe tries to check in code with the permissions set as described by tf perm, he is NOT able to do so.

We add Joe to allow checkin to the folder, he is now able to check in his code.





Re: Team Foundation Server - General TF14098: Access Denied: <user> needs PendChange permission(s) for <path>

Richard Berg MSFT

It sounds like TFS isn't aware that he is part of DB Developers. Did you add him directly to that TFS group, or as part of an AD security group How long ago did you add him I know we've fixed some issues around TFS <-> AD sync.




Re: Team Foundation Server - General TF14098: Access Denied: <user> needs PendChange permission(s) for <path>

Ged325

He is directly in the group. It's a TFS group, so no AD sync required.

I'm assuming TFS does union and not intersection of permissions.