Making a TFS Branch Read-Only

Question

We are trying to follow the branching strategy from the TFS Branching Guide and have reached the point where we have made a branch representing a release, which should now b

Answer 1

As a quick-n-dirty, you could Lock it for Check Out (although the locker would have to remember to keep the lock in their pending changes forever... which makes me think there's a better way)

Answer 2

Deny Check In for domain\domain users

Answer 3

Right-click the branch in the Source Control Explorer, and select the Lock... option

EDIT: This seems to get missed a lot when people are finding this so I'll make it more obvious.

Locks appear as a "pending change" for the person who locked the item. As long as the lock is in effect, it will appear as a pending change. When a commit is made of that pending change, the lock is released. While the lock is in effect, the locked branch is effectively read-only, since (to simplify) the locker is the only user who can make commits. The act of committing is what releases any locks on the branch.

h/t @AakashM for pointing that out in the comments

Answer 4

As is mentioned above locking is not a very nice strategy. The correct way of handling this is setting permissions.

You can effectively make files readonly. Users trying to modify the files will get a message 'checkout denied'

https://msdn.microsoft.com/en-us/library/ms252587.aspx#project_level

In VS2013: Team Explorer -> Settings -> Security/Version Control

Answer 5

If you have inheritance set to 'On', the best way I've found is to:

1. 'Deny' all permissions except 'Read' to the 'Reader' group, and
2. Add all other groups (except Project Administrators) to the 'Reader' group.

Then, all groups within the Reader group will inherit the 'Deny' permissions and not be able to do anything but read.

Answer 6

To answer the 2nd part of the question -- removing or denying the Read permission effectively denies everything else.