I came across an interesting bug this morning in Team Foundation Server 2013 Update1 were a team member was in the Readers, Contributors, and Project Administrators groups for a project. You would expect him to have a union of the permissions granted by those roles as long as none of the roles explicitly denied a permission. That is the behavior described in the MSDN documentation. That was not the case because he couldn’t checkout a file or doing anything else beyond reader level access. Once we realized he was in all three groups and guessed that might be the issue we removed him from the readers and contributors groups and he was then able to checkout files. I have included two images below of the Reader and Contributors version control permissions as proof that none of the permissions were explicitly denied.