index > Team Foundation Server - Work Item Tracking > Can't browse work items

Can't browse work items

hi

we are having a strange problem and i think its related to our environment as i didnt found anything similar to it on the net. The problem is few(particular) of our team users can't browse the work items at all i.e. none of the query returns any workitems, wat we have to do is to remove them from the project and add again then they can view the work items. It started happening quite frequently now like 4-5 times in a day. Any hint, clue why its happening?

regards
faraz

Faraz_Ahmed

Hi,

Check on the permissions.

Work Item Tracking Area-Level Permissions

Area-level permissions are specific to a single project's users and groups. You can set these permissions by right-clicking the project in Team Explorer, clicking Areas and Iterations, and on the Area tab, clicking Security. Additionally, you can set these permissions by using the TFSSecurity command-line utility.

Guruprasad H R

hi guru,

i appreciate ur reply but its not like that they cant browse workitems at all.. they do.. but sometimes they cant .. then we have to readd them in the project.. so that they can see workitems again.. and its quite annoying..

regards

Faraz_Ahmed

Hi Faraz & Guruprasad,

Faraz, have you noticed anything that the "few(particular) of our team users" have in common, with regard to Team Foundation Security?

For example, I gather from your posting you have added them directly; are they also members of security groups that otherwise have Team Foundation permissions?

Any information regarding how you structure your permissions may help in figuring this out.

Thanks,

Kevin McMurry - MSFT

well we are following the simple way of adding users as others are doing.. which is, we add domain users to different groups of team project like developers, contibuters etc and the groups has required tfs permissions set..
again i think if theres something related to security settings.. then either it shuldn't work at all or shuld work fine.. but in our case it works fine.. but some times it doesnt..

regards
faraz

Faraz_Ahmed

Hi Faraz,

Thanks for your reply. The most likely cause that suggests itself is that these particular uses may also be members of some other TFS group that has deny permission set and that upon background processing that the deny trumps the grant permission. I'll check to see if there may be other known causes and reply back.

Thanks,

Kevin

Kevin McMurry - MSFT

yeah we did verified it as we already had this issue before, & since then we are carefull about it, so the reason is something else.. i really appreciate ur response..

regards
faraz

Faraz_Ahmed

Hi Faraz,

My pleasure and thank you for your reply. In my checking I have not found any other known causes of this behavior and am following-up in-person with those who have worked most closely on the feature. I'll let you know how this goes.

Meanwhile just in-case it may be helpful: even if all your permissions in TFS are setup as you expect, if anyone (else) added the affected users to a domain security group that indirectly has a deny privilege in TFS, it would account for this behavior.

I'm not suggesting this is the case, but only mention it to callout that it may not be easy to 'be careful'. I've logged a suggestion on that by the way.

Thanks again,

Kevin

Kevin McMurry - MSFT

Thanks a lot for following up, but again if there wuld v something like you have mentioned then it shuld not work altogether, rite? instead in our case it works fine.. and even no body touches the security settings, nothing.. suddenly it stops exploring workitems..

btw is there any tool/way through which i can find out the overall rights(permission level) available to a particular user?

regards

Faraz_Ahmed

Hi Faraz,

Regarding your first point, no, the following scenario is expected behavior and I believe it or similar could explain the problem you are having:

1) user 'mydomain\Bob' has TFS 'Allow' permission to team project [Myproject]\Contributors

2) domain group 'mydomain\RestrictedUsers' has TFS 'Deny' permission in team project [Myproject]\Contributors

3) user 'mydomain\Bob' is a member of domain group 'mydomain\guestprojectcontributors'

4) user 'mydomain\Bob' can read and write work items ok

5) domain group 'mydomain\guestprojectcontributors' is added to domain group 'mydomain\RestrictedUsers'

6) background process takes place following which 'mydomain\Bob' no longer can access work items in 'Myproject'

7) you remove 'mydomain\Bob' from [Myproject]\Contributors, then re-add 'mydomain\Bob' to [Myproject]\Contributors

result: 'mydomain\Bob' can read and write work items for awhile, until background processing completes, at which point he can no longer access work items in the project.

Regarding your second point, we have not released a tool that performs this analysis, however:

- it can be done manually, by tracing through the domain security groups and TFS groups involved to find the 'hidden deny'.

- please also feel free to email me directly and I may be able to help further via direct communication (outside the forum)

Please let me know if this helps!

Thanks,

Kevin

Kevin McMurry - MSFT

reply 10