I asked this question originally on ServerFault.com, but there seems to be more activity regarding TFS 2010 on StackOverflow.com, so I decided to repost it here...
My approach is based on the fact that TFS permissions are inherited unless explicitly denied.
To create a user group that will automatically have read-only access to all existing projects as well as future ones, follow these steps:
1. Create a new security group at the project collection level. You can do it in Visual Studio using the "Team/Team Project Collection Settings/Group Membership" menu.
2. Add the new group as a member of the "Project Collection Administrators" group. This will grant access to all projects in the collection, including future ones.
3. Limit the permissions of the new group to remove the inherited administrator permissions. To force read-only access, deny all permissions except "Create a workspace", "View build resources" and "View collection-level information".
The users of this group will have read access to source code, work items, and build definitions of all projects in the collection.
To have this AD group added to a TFS group for your upcoming projects, you have to modify your project template. There you can preconfigure your projects, especially set permissions for groups and users.
For the existing projects you have to do it by hand. I don't know any other way than that.