问题
TeamA has developers, QA and business people all of who need access to workitems. They get added to the Contributors group. However, Contributors has access to source code which only devs should have.
We want to turn off Contributor access to repository branches to keep non-devs out of source code.
We created a DeveloperAccess group and gave it the same permissions as the default Contributor group. We then set Contribute, Create branch, Create Tag etc permissions of Contribute to Denied ('Not set' is not a valid option here)
As soon as we do, the users in DeveloperAccess can no longer use the repository.
I then tried to turn off Inheritance with no change in dev access.
I would expect that if DeveloperAccess had permissions to Contribute, Contribute to pull requests, Create Branch, Create tag, Manage notes and Read then any user in that group would be able to contribute to the branch regardless of the access or membership of the default TFS Contributor group.
Obviously, I'm missing something.
回答1:
I believe I just found the answer. I didn't try all combinations of the inheritance.
I turned off inheritance and then I was able to set the permissions in the Contributor group to 'Not set'.
'Not set' seems to be the answer, now my DeveloperAccess group controls access to the branch as expected.
And Contributor no longer shows in the Security listing for the repository.
来源:https://stackoverflow.com/questions/53917708/overriding-the-contributor-group-permissions