« High CPU load on Team Server | Main | Eliminate ctl00oReportCell error in Team System Project Portal »

April 25, 2005

Simplify Authorization for Team Project Creation

I prefer to have Team Projects created by non-administrative users. Unfortunately, properly authorizing users to create new team projects is not easy in the current beta release of Team Foundation Server. The standard install of TFS requires three separate authorization entries to accomplish this.
If you haven't set up the permissions for SQL Server Reporting services you'll get something like this in the error log.

Event Description: Initialization for plugin "Microsoft.Pcw.Rosetta" failed with error: "Failed to retrieve projects from the report server"

If you haven't set up the permissions for Windows Sharepoint Services you'll get

Event Description: Initialization for plugin "Microsoft.Pcw.wss" failed with error: "The request failed with HTTP status 401: Unauthorized."

These errors arise because the TFS permission system is maintained in Active Domain/Application Mode (ADAM) and is not integrated with SQL Server Reporting Services or Windows SharePoint Services. Brian Harry confirmed yesterday that ADAM will be eliminated from TFS before it's released. So, in anticipation of this, I'd recommend that you create an Active Directory group for users that are authorized to create new team projects.

The following is a step-by-step guide to setting up this group so that all you have to do is add a user to the group when you want to permit them to create new projects.

  1. Add a new Active Directory group called TFS Project Creators.
  2. Start Visual Studio 2005 Beta 2 under the <domain>/TFSSERVICE account.
  3. Select Team | Team Foundation Server Settings | Permissions...
  4. Select the Windows User or Group radio button and click the Add... button.
  5. Enter <domain>/TFS Project Creators in the object name text box and click OK.
  6. Click the Allow check box next to Create new projects. The dialog should look like:
  7. Click Close
  8. From the web browser within Visual Studio, navigate to http://<TFS Server>/Reports.
  9. Select the Properties tab
  10. Click New Role Assignment
  11. Enter <domain>/TFS Project Creators in the Group or user name: text box
  12. Select the Content Manager check box. The dialog should look like:
  13. Click OK
  14. Navigate the browser to http://<TFS Server>:<Sharepoint Admin Port>. This is the SharePoint Central Administration site.
    [Update: The Sharepoint Admin Port is not fixed. The easiest way to determine the port is to open the Sharepoint Central Adminstration shortcut in the TFS Server's Administrative Tools folder. Once there, you can click on the shortcut and continue with the following step.]
  15. Click Set Sharepoint Administration Group
  16. Enter <domain>/TFS Project Creators in the Group account name: text box. The dialog should look like:
  17. Click OK

Now to allow any domain user to create a new Team Project it's as simple as adding that user to the TFS Project Creators group.

Posted by Mike Attili at April 25, 2005 03:13 PM

Comments

I have to scratch this itch to automate this. This is just insane.

How did you hear about the elimination of ADAM? I had thought this was going to be a big thing about TFS?

Regards,
Michael Shorten

Posted by: Michael Shorten at May 10, 2005 10:52 AM

Post a comment




Remember Me?