Permission command (Team Foundation Version Control)
Azure DevOps Services | Azure DevOps Server 2022 - Azure DevOps Server 2019
Visual Studio 2019 | Visual Studio 2022
The tf permission
command modifies the user access control list (ACL) and displays authorization settings for an item in Team Foundation Version Control (TFVC).
Prerequisites
To use the permission
command, have the Manipulate security settings permission set to Allow for the folders being modified, be a member of the Azure DevOps Administrators security group, or be a system administrator on the local computer (Windows Administrator security group).
For more information, see Default TFVC permissions.
Syntax
tf permission [/allow:(* |perm1[,perm2,...]]
[/deny:(* |perm1[,perm2,...])] [/remove:(* |perm1[,perm2,...])]
[/inherit:yes|no] [/user:username1[,username2,...]]
[/group:groupname1[,groupname2,...]] [/collection:TeamProjectCollectionUrl]
[/recursive] itemspec [/global][/login:username,[password]]
Parameters
Arguments
Argument
Description
<permission>
Name of a permission or role to modify. For more information about the permission names, see Security groups, service accounts, and permissions in Azure DevOps.
<username>
Value for the /user
option. A user name value can be expressed as DOMAIN\username
or username
, depending on network settings.
<groupname>
The user-provided value for the /group
option.
<TeamProjectCollectionUrl>
The URL of the project collection that contains the item for which to modify permissions, for example http://myserver:8080/tfs/DefaultCollection
.
<itemspec>
The file or folder for which to modify permissions. For more information about how TFVC parses an itemspec
to determine which items are within scope, see Use Team Foundation version control commands.
Note
You can specify more than one itemspec
argument.
<username>
Provides a value to the /login
option. You can specify a user name value as either DOMAIN\username
or username
.
Options
Option
Description
/allow
Specifies a list of TFVC permissions to add to the allow ACL.
/deny
Specifies a list of denied TFVC access permissions to add to the user ACL.
/remove
Specifies a list of TFVC permissions to remove from both the allow and the deny ACLs.
/inherit
If yes
, the item inherits all permissions associated with a parent ACL. Can't combine with the /remove
option.
/user
Specifies the name of a user to modify permissions for.
/group
Specifies the name of the group to modify permissions for.
/collection
Specifies the project collection.
/recursive
Applies the specified command to all items in the directory and any subdirectories.
The /recursive
option works only when viewing permissions. It doesn't work when setting permissions, for example with the /allow
, /deny
, or /remove
options.
/global
Views or assigns a TFVC collection-level permission. To assign permissions, use the /allow
, /deny
, or /remove
options. The argument itemspec
isn't required. If listed, it's ignored.
When used to view a TFVC collection, lists the following five permissions:
tf: AdminShelvesets
tf: AdminWorkspaces
tf: CreateWorkspace
tf: AdminConfiguration
tf: AdminConnections
For more information, see Collection-level groups.
/login
Specifies the user name and password to authenticate the user with Azure DevOps.
Remarks
You can use the permission
command or its shortcut perm
to manage authorization settings for TFVC server objects. However, this command doesn't let you manage authentication settings such as creating or modifying Azure DevOps security groups.
For more information on how to use the tf
command-line utility, see Use Team Foundation version control commands.
Examples
The following example displays the TFVC ACLs for 314.cs:
c:\projects>tf permission 314.cs
The following example displays the ACL information for the developers
group in the collection at http://myserver:8080/tfs/DefaultCollection/
:
c:\projects>tf permission /group:[teamproject]\developers /collection: http://myserver:8080/tfs/DefaultCollection/
The following example allows members of the leads
group to change their local copies of all items in the $/baseobjects TFVC server folder:
c:\projects>tf permission /allow:PendChange /group:[teamproject]\leads $/baseobjects
The following example removes all permission-related settings from the $/baseobjects folder for members of the developers
group:
c:\projects>tf permission /remove:* /group:developers $/baseobjects
The following example allows the testers
group to change their local copies of all items in $/testproject:
c:\projects>tf permission /allow:PendChange /group:testers$/testproject
The following example allows user somealias
to make pending changes to their local copy of $/testproject/314.cs in their workspace:
c:\projects>tf permission /allow:PendChange /user:somealias $/testproject/314.cs.
The following example denies user somealias
the ability to make pending changes to their local copy of $/testproject/1256.cs:
c:\projects>tf permission /deny:PendChange /user:somealias $/testproject/1256.cs