Permission command (Team Foundation Version Control)

Azure DevOps Services | Azure DevOps Server 2022 - Azure DevOps Server 2019

Visual Studio 2019 | Visual Studio 2022

The tf permission command modifies the user access control list (ACL) and displays authorization settings for an item in Team Foundation Version Control (TFVC).

Prerequisites

To use the permission command, have the Manipulate security settings permission set to Allow for the folders being modified, be a member of the Azure DevOps Administrators security group, or be a system administrator on the local computer (Windows Administrator security group). For more information, see Default TFVC permissions.

Syntax

tf permission [/allow:(* |perm1[,perm2,...])] 
[/deny:(* |perm1[,perm2,...])] [/remove:(* |perm1[,perm2,...])] 
[/inherit:yes|no] [/user:username1[,username2,...]] 
[/group:groupname1[,groupname2,...]] [/collection:TeamProjectCollectionUrl] 
[/recursive] itemspec [/global][/login:username,[password]]

Parameters

Arguments

Argument

Description

<permission>

Name of a permission or role to modify. For more information about the permission names, see Security groups, service accounts, and permissions in Azure DevOps.

<username>

Value for the /user option. A user name value can be expressed as DOMAIN\username or username, depending on network settings.

<groupname>

The user-provided value for the /group option.

<TeamProjectCollectionUrl>

The URL of the project collection that contains the item for which to modify permissions, for example http://myserver:8080/tfs/DefaultCollection.

<itemspec>

The file or folder for which to modify permissions. For more information about how TFVC parses an itemspec to determine which items are within scope, see Use Team Foundation version control commands.

Note

You can specify more than one itemspec argument.

<username>

Provides a value to the /login option. You can specify a user name value as either DOMAIN\username or username.

Options

Option

Description

/allow

Specifies a list of TFVC permissions to add to the allow ACL.

/deny

Specifies a list of denied TFVC access permissions to add to the user ACL.

/remove

Specifies a list of TFVC permissions to remove from both the allow and the deny ACLs.

/inherit

If yes, the item inherits all permissions associated with a parent ACL. Can't combine with the /remove option.

/user

Specifies the name of a user to modify permissions for.

/group

Specifies the name of the group to modify permissions for.

/collection

Specifies the project collection.

/recursive

Applies the specified command to all items in the directory and any subdirectories.

The /recursive option works only when viewing permissions. It doesn't work when setting permissions, for example with the /allow, /deny, or /remove options.

/global

Views or assigns a TFVC collection-level permission. To assign permissions, use the /allow, /deny, or /remove options. The argument itemspec isn't required. If listed, it's ignored.

When used to view a TFVC collection, lists the following five permissions:

  • tf: AdminShelvesets
  • tf: AdminWorkspaces
  • tf: CreateWorkspace
  • tf: AdminConfiguration
  • tf: AdminConnections

For more information, see Collection-level groups.

/login

Specifies the user name and password to authenticate the user with Azure DevOps.

Remarks

You can use the permission command or its shortcut perm to manage authorization settings for TFVC server objects. However, this command doesn't let you manage authentication settings such as creating or modifying Azure DevOps security groups.

For more information on how to use the tf command-line utility, see Use Team Foundation version control commands.

Examples

The following example displays the TFVC ACLs for 314.cs:

c:\projects>tf permission 314.cs

The following example displays the ACL information for the developers group in the collection at http://myserver:8080/tfs/DefaultCollection/:

c:\projects>tf permission /group:[teamproject]\developers /collection:http://myserver:8080/tfs/DefaultCollection/

The following example allows members of the leads group to change their local copies of all items in the $/baseobjects TFVC server folder:

c:\projects>tf permission /allow:PendChange /group:[teamproject]\leads $/baseobjects

The following example removes all permission-related settings from the $/baseobjects folder for members of the developers group:

c:\projects>tf permission /remove:* /group:developers $/baseobjects

The following example allows the testers group to change their local copies of all items in $/testproject:

c:\projects>tf permission /allow:PendChange /group:testers $/testproject

The following example allows user somealias to make pending changes to their local copy of $/testproject/314.cs in their workspace:

c:\projects>tf permission /allow:PendChange /user:somealias $/testproject/314.cs

The following example denies user somealias the ability to make pending changes to their local copy of $/testproject/1256.cs:

c:\projects>tf permission /deny:PendChange /user:somealias $/testproject/1256.cs
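
The option rules above (no /inherit together with /remove, /recursive only when viewing, itemspec ignored with /global) are easy to break when ACL changes are scripted. The following is an added example, not part of the original documentation or of tf.exe: a Python pre-flight check that builds the argument list for a tf permission call and rejects those combinations. The function name, parameter names and the guard against itemspecs that begin with "/" are assumptions of this example.

```python
# Added example: pre-flight builder for `tf permission` argument lists.
# All function and parameter names here are hypothetical, not part of tf.exe.

def _csv(kind, values):
    """Join names for one option; ',' separates list entries, so reject it in a name."""
    for value in values:
        if not value or "," in value:
            raise ValueError(f"invalid {kind}: {value!r}")
    return ",".join(values)


def build_tf_permission_args(itemspecs=(), allow=(), deny=(), remove=(),
                             inherit=None, users=(), groups=(),
                             collection=None, recursive=False, global_=False):
    """Return an argv list for subprocess.run, or raise ValueError."""
    if inherit not in (None, "yes", "no"):
        raise ValueError("/inherit takes yes or no")
    if inherit is not None and remove:
        raise ValueError("/inherit can't be combined with /remove")
    if recursive and (allow or deny or remove):
        # /recursive works only when viewing, so reject it on a change request.
        raise ValueError("/recursive doesn't work with /allow, /deny or /remove")
    for spec in itemspecs:
        # Assumption of this example: data-supplied itemspecs must not look like options.
        if spec.startswith("/"):
            raise ValueError(f"itemspec would be read as an option: {spec!r}")

    args = ["tf", "permission"]
    for option, values in (("allow", allow), ("deny", deny), ("remove", remove)):
        if values:
            args.append(f"/{option}:{_csv('permission', values)}")
    if inherit is not None:
        args.append(f"/inherit:{inherit}")
    if users:
        args.append(f"/user:{_csv('user', users)}")
    if groups:
        args.append(f"/group:{_csv('group', groups)}")
    if collection:
        args.append(f"/collection:{collection}")
    if recursive:
        args.append("/recursive")
    if global_:
        args.append("/global")      # itemspec is ignored with /global, so leave it out
    else:
        args.extend(itemspecs)
    return args
```

Pass the returned list to subprocess.run without shell=True so that names such as [teamproject]\leads reach tf unchanged.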