Team Foundation Server Permissions Oddity

I came across an interesting bug this morning in Team Foundation Server 2013 Update1 were a team member was in the Readers, Contributors, and Project Administrators groups for a project. You would expect him to have a union of the permissions granted by those roles as long as none of the roles explicitly denied a permission. That is the behavior described in the MSDN documentation. That was not the case because he couldn’t checkout a file or doing anything else beyond reader level access. Once we realized he was in all three groups and guessed that might be the issue we removed him from the readers and contributors groups and he was then able to checkout files. I have included two images below of the Reader and Contributors version control permissions as proof that none of the permissions were explicitly denied.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Blog at

%d bloggers like this: