Tuesday, November 23, 2010

TFS Security Overview

TFS security can be an interesting beast to work with from an administration point of view.
Not only do you have to manage the permissions assignments in 3 different places (TFS, SharePoint and Reporting Services), but the TFS security model takes on a very layered approach, where different permissions apply on different “levels”.

Most of the groups discussed below are configured and maintained in TFS, so where possible you would probably want to create Active Directory Groups and have these assigned to the correct TFS, SharePoint and Reporting Services groups. This allows you to assign and remove users from a single point (AD) and then this applies across the board.

Additionally, a TFS right can be “Allowed”, “Denied” or “Unset”. Unset means the right is neither denied nor allowed, so whatever is inherited for that right from another group takes effect. Also note that “Deny” takes precedence in most cases.

If you appear in two groups, one of which allows a feature while the other denies it, you will have that feature denied. The only exception is when you are a member of an administrators group (“Project Administrators”, “Project Collection Administrators” or “Team Foundation Administrators”): the deny is then overridden by the rights assignment in the administrators group for the associated level.
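The combination rules described above (Unset defers, Deny beats Allow, an administrators group at the relevant level overrides a Deny) are easy to get wrong when reviewing who actually holds a right. The following is an added example that models those rules so you can reason about effective permissions before touching a live server; it is not TFS code, and the membership table and ACL are constructed sample data rather than anything read from TFS.

```python
# Model of the Allow / Deny / Unset rules described in this post (added example, not TFS code).
# Assumption: group membership and the per-group ACL are plain dicts; real TFS keeps them in
# its configuration and collection databases and exposes them through Team Explorer.

# Administrators groups named in the post, one per level (server, collection, project).
ADMIN_GROUPS = {
    "Team Foundation Administrators",
    "Project Collection Administrators",
    "Project Administrators",
}

# Constructed sample membership: user -> set of TFS groups.
MEMBERSHIP = {
    "alice": {"Contributors", "Readers"},
    "bob":   {"Contributors", "Work Item Only View Users"},
    "carol": {"Project Administrators", "Work Item Only View Users"},
}

# Constructed sample ACL: group -> permission -> "Allow" | "Deny" | "Unset".
# A missing entry is treated the same as "Unset".
ACL = {
    "Contributors":              {"Check in": "Allow", "View builds": "Allow"},
    "Readers":                   {"Check in": "Unset", "View builds": "Allow"},
    "Work Item Only View Users": {"Check in": "Deny",  "View builds": "Deny"},
    "Project Administrators":    {"Check in": "Allow", "View builds": "Allow"},
}


def explain(user, permission, membership=MEMBERSHIP, acl=ACL):
    """Return (granted, reason) for one user and one permission.

    Order of evaluation follows the post: an Allow in an administrators group
    the user belongs to wins outright; otherwise any Deny wins over any Allow;
    otherwise an Allow grants; all Unset means no access.
    """
    groups = membership.get(user, set())
    rights = {g: acl.get(g, {}).get(permission, "Unset") for g in groups}

    for g in sorted(groups & ADMIN_GROUPS):
        if rights[g] == "Allow":
            return True, f"allowed via administrators group '{g}' (overrides any Deny)"

    denied = sorted(g for g, r in rights.items() if r == "Deny")
    if denied:
        return False, f"denied via {denied} (Deny takes precedence over Allow)"

    allowed = sorted(g for g, r in rights.items() if r == "Allow")
    if allowed:
        return True, f"allowed via {allowed}"

    return False, "no group sets this right (all Unset)"


def effective(user, permission, membership=MEMBERSHIP, acl=ACL):
    """True when the user ends up with the permission."""
    return explain(user, permission, membership, acl)[0]


def who_can(permission, membership=MEMBERSHIP, acl=ACL):
    """Audit helper: the users currently granted a permission, sorted by name."""
    return sorted(u for u in membership if effective(u, permission, membership, acl))


if __name__ == "__main__":
    for user in sorted(MEMBERSHIP):
        for perm in ("Check in", "View builds"):
            granted, why = explain(user, perm)
            print(f"{user:6} {perm:12} {'GRANT' if granted else 'deny '}  {why}")
```

Running it shows bob losing “Check in” because the “Work Item Only View Users” Deny beats the Contributors Allow, while carol keeps it because the Project Administrators Allow overrides that same Deny. The `who_can` helper is the kind of check worth running after any group change: it lists everyone who ends up with a right once all of the overlapping group memberships are combined.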

Administration Console
This level is really assigned to individuals who are responsible for the administration of TFS itself. You cannot assign groups into this role (only users), and assigning it actually modifies rights on the physical aspects such as the databases, SharePoint etc.
I would recommend that you limit the amount of users in this group to administrators responsible for TFS maintenance and high level configuration.
TFS Admin Console Assignment

Server Level Permissions
Focussed more on the operational aspects of TFS at the server level and not specific to a project collection. These groups can only be modified from within the TFS Administration Console.
The default groups created at this level are:
  • SharePoint Web Application Services
  • Team Foundation Administrators
  • Team Foundation Service Accounts
  • Team Foundation Valid Users
  • Work Item Only View Users
This is where you assign permissions such as being able to create or delete project collections. The “Team Foundation Valid Users” and “Team Foundation Service Accounts” groups cannot be added to directly. The “Valid Users” group is an aggregated list of all the server level groups as well as the individual Project Collection “Valid Users” groups, and merely grants access to the TFS Web portal and the viewing of instance-related information. “Work Item Only View Users” is the group where you would typically assign project managers and the like: its members can only create and manage work items from the web portal, in other words they do not see build information, the source code browser etc.
Permissions available on this level include:
  • Administer Warehouse
  • Create team project collection
  • Delete Team project collection
  • Edit instance-level information
  • Make requests on behalf of others
  • Use full Web Access features
  • View instance-level information

Collection Level Permissions
These are specific to the project collection. The reason for having this level is to segregate project collections from each other, providing something of a contained “eco-system” for each project collection. These can be modified from the TFS Administration Console as well as directly through Team Explorer.
The default groups created at this level are:
  • Project Collection Administrators
  • Project Collection Build Administrators
  • Project Collection Build Service Accounts
  • Project Collection Proxy Service Accounts
  • Project Collection Service Accounts
  • Project Collection Test Service Accounts
  • Project Collection Valid Users
As you can probably deduce from the names – these are still very much administration related groups, but as mentioned previously contained to a project collection.
Permissions available on this level include:
  • Administer shelved changes
  • Administer workspaces
  • Alter trace settings
  • Create a workspace
  • Create new projects
  • Delete team project
  • Edit collection-level information
  • Make requests on behalf of others
  • Manage build resources
  • Manage process template
  • Manage test controllers
  • Manage work item link types
  • Trigger Events
  • Use build resources
  • View build resources
  • View collection-level information
  • View system synchronization information

Project Level Permissions
This level is specific to a project and can only be managed through Team Explorer. This is also where things become interesting… when setting permissions on this level you need to consider Build, Areas, Iterations and Version Control, as each exhibits its own set of permissions. So to draw up a comprehensive security model on this level you would need to draw together all the required permissions and then allocate the appropriate permissions in each of these functional areas. Once again, if you have a large number of teams working on different projects, Active Directory Groups are definitely the way to go.
The default groups at this level are few:
  • Builders
  • Contributors
  • Project Administrators
  • Readers
Areas and Iterations:
To my mind these are ways of grouping work. They are very similar in structure with only the permissions between the two differing. I quite like the description of having Areas denote the “logical, physical, or functional” grouping vs. Iterations that denote the time based grouping.
Right click on the project name in Team Explorer and select “Team Project Settings” then “Areas and Iterations”. This will display the dialog for managing the Areas and Iterations. At the bottom of the dialog next to the “Close” button you will find the “Security” button.
The permissions can be set at each node of the hierarchy and the permissions set at the lower nodes override the inherited permissions.
Permissions include:
Areas:
  • Create and order child nodes
  • Delete this node
  • Edit this node
  • Edit work items in this node
  • Manage test plans
  • View this node
  • View work items in this node
Note the work item permissions here. These allow you to “group” work items in the project and only allow certain users to “see” certain work items. This comes in handy when you subscribe to having a single project containing a number of individual projects.
Iterations
  • Create and order child nodes
  • Delete this node
  • Edit this node
  • View this node
Build
These permissions are specific to the build infrastructure that TFS provides. In Team Explorer under the appropriate project right click on the “Build” node and select “Security”.
Permissions available here are:
  • View builds
  • Edit build quality
  • Retain indefinitely
  • Delete builds
  • Manage build qualities
  • Destroy builds
  • Update build information
  • Queue build
  • Manage build queue
  • Stop builds
  • View build definition
  • Edit build definition
  • Delete build definition
  • Override check-in validation by build

Source Control
The version control repository where all files are checked into. Open the source control window by double clicking on the “Source Control” node under the appropriate project. You should see the source control layout, which looks similar to a folder structure. Right click on any of the “folders” and select “Properties”. The dialog that is displayed will have a “Security” tab. Note that if you have a folder marked as a branch the dialog looks different and the security functionality is under the “Permissions” tab. As with Areas and Iterations, permissions set on a lower node override the inherited ones.
Permissions available here are:
  • Read
  • Check out
  • Check in
  • Label
  • Lock
  • Revise other user's changes
  • Unlock other user's changes
  • Undo other user's changes
  • Administer labels
  • Manage permissions
  • Check in other user's changes
  • Merge
  • Manage branch
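Both the Areas and Iterations section and the Source Control section above rely on the same behaviour: a permission set explicitly on a lower node overrides whatever that node would inherit from its parents. When auditing a tree it is useful to know not only what the effective right is but which node it came from. The following is an added example modelling that walk up the hierarchy; it is not TFS code, and the node paths and access control entries are constructed sample data (the `$/...` paths mimic the version control layout, but the same logic applies to area and iteration nodes).

```python
# Model of inherited-versus-explicit permissions on a node hierarchy (added example, not TFS code).
# Assumption: only explicit entries are stored per node, as a dict of
#   node path -> group -> permission -> "Allow" | "Deny"
# Real TFS keeps these ACLs in the collection database; this is a constructed sample.
NODE_ACES = {
    "$/Project": {
        "Contributors": {"Read": "Allow", "Check in": "Allow"},
        "Readers":      {"Read": "Allow"},
    },
    # Lock down the release branch: contributors may read but not check in.
    "$/Project/Release": {
        "Contributors": {"Check in": "Deny"},
    },
    # ...except on the hotfix folder, where the Deny above is overridden again.
    "$/Project/Release/Hotfix": {
        "Contributors": {"Check in": "Allow"},
    },
}


def resolve(node, group, permission, aces=NODE_ACES):
    """Return (right, source_node) for a group on a node.

    Walks from the node towards the root; the first explicit Allow/Deny found
    wins, which is exactly how a lower node overrides inherited permissions.
    Returns ("Unset", None) when no ancestor sets the right.
    """
    parts = node.split("/")
    while parts:
        candidate = "/".join(parts)
        right = aces.get(candidate, {}).get(group, {}).get(permission)
        if right in ("Allow", "Deny"):
            return right, candidate
        parts.pop()
    return "Unset", None


def audit(node, group, aces=NODE_ACES):
    """Report every permission known anywhere in the tree for this group at this node,
    marking each as 'explicit' (set on the node itself) or 'inherited from <path>'."""
    permissions = sorted({
        perm
        for groups in aces.values()
        for perm in groups.get(group, {})
    })
    report = {}
    for perm in permissions:
        right, source = resolve(node, group, perm, aces)
        if source is None:
            report[perm] = ("Unset", "not set")
        elif source == node:
            report[perm] = (right, "explicit")
        else:
            report[perm] = (right, f"inherited from {source}")
    return report


if __name__ == "__main__":
    for path in ("$/Project", "$/Project/Release", "$/Project/Release/Hotfix"):
        print(path)
        for perm, (right, origin) in audit(path, "Contributors").items():
            print(f"  {perm:10} {right:6} {origin}")
```

The `audit` output is the view you want when someone asks why a developer can check in under a hotfix folder but nowhere else on the branch: the Allow is explicit on the hotfix node, the Deny is explicit on the release node, and Read is inherited from the project root throughout.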

The TFS security model does give you a lot of flexibility, but it is not always that easy to navigate and manage. I have come across very few instances where there was a need to create additional groups within TFS, the default groups that are created are adequate for most deployments. If the need does arise to create custom groups, you should be aware of all the various aspects that it may encompass.

Friday, October 29, 2010

TFS on Windows Azure

Big news if you were following Microsoft PDC 2010: Mr TFS himself, Brian Harry, did a demo on how they took TFS 2010 and modified it to run on Windows Azure.

This is obviously concerning from a competition point of view if you are hosting TFS, as Microsoft is most likely going to offer TFS as a subscription service on Azure.

That aside, it is interesting to see the effort involved in “porting” a large scale application to Windows Azure and the caveats that you have to address to have something running successfully.

On the plus side they made some improvements to TFS itself, which make more sense for it to run “in the cloud”. One of the major changes in my mind is the fact that they changed the Build Controller to have a client rather than a peer relationship with TFS.

I always hated the cyclical relationship between TFS and the Build Controllers. Working in distributed teams it was a mission setting up continuous integration and then with limited access to the TFS Build servers, we would either have to commute to the office to fix a build issue or, what tended to happen more often, you live with a broken build for a couple of weeks until someone went in to the office that could fix it.

I really hope that we will see these changes becoming available in the mainstream application.

Monday, October 25, 2010

Is competition bad?


Being a very young, niche service provider in South Africa, I’m very concerned about competition. I heard about a fairly well known American company doing TFS and Visual Studio consulting and training, busy establishing a presence in South Africa: you know that sinking sensation that a person gets?!

Not long after this I was speaking to Paul Hacker who hosts TFS, and noticed that there was yet another company that has just started hosting TFS in the States. I forwarded him the details and we got to chatting around the subject of competition.

Between our discussion and reflecting on my actions after I heard about the competition coming into this country, I have concluded that:

Competition is not always that bad.

Sure it gives you less of a market and it means that you need to start working even harder for business, but primarily I think you should take a step back and re-evaluate yourself, your market proposition and your target market.

You could decide to redesign your offering to be more applicable, or have a more focussed approach to your existing market, or even address those tasks that you had on your backlog that suddenly become top priority because your competitor is doing them.

Either way you would need to streamline your business and have a more focussed vision, ensuring an environment where the “customer wins”.

Another option is to consider an alliance or partnership of sorts. One of my friends who runs his own successful business told me that “A competitor is not always a competitor”. You could leverage each other and learn from each other to enhance your own portfolio and strengthen your own brand.

Even though I’m still very wary of competition, that sinking feeling has subsided. I have redesigned my offerings, focussing on, and better structuring areas that were a bit neglected. All in all I think creating a more holistic offering.

BTW: I actually met and had a chat with the president of “the competition” and it turns out he is not such a bad person after all.

Monday, September 20, 2010

GoogleBot is thy friend

When starting the site I was considering using a couple of forms of paid advertising (such as Google AdWords) to gain visibility for the site. After playing around a bit with words and phrases (AdWords has a nice free feature that lets you “estimate” potential impressions and costs) it turned out to be a bit pricey for what we were trying to accomplish. The next step was to put in the effort to get the site noticed and recognised by Google and organically obtain a high rank on searches.
One of the approaches is to use Google’s webmaster tools to give Google a “deeper” insight into the site.
Step one is to expose a “robots.txt” on your site to “hide” areas that you want to hide and to give Googlebot the go-ahead to check out everything else.
Step two, point Google in the direction of a decent site map. The problem I faced with this is that Google is not too happy with just any format for this site map. After some trial and error I eventually found that the plain text version worked perfectly (go here to generate a quick version to start off with).
So now that Google can see into your site, we revised a lot of wording to emphasise words and phrases that we would like to be found on. You might have noticed “Microsoft Visual Studio Team Foundation Server” being repeated on the various pages a couple of times.
Finally, we tried to get other sites linking to Team Foundation, once again in an attempt to increase the “web presence”. So we looked around at the popular business listing sites and started listing on the free, no-catch sites we could find.
All this has brought us to the top of the list when searching on Google in South Africa for phrases such as “TFS consulting”. All this without spending a cent!

Tuesday, September 14, 2010

Free Ebook: Moving to Microsoft Visual Studio 2010

Get it while it's hot..


http://blogs.msdn.com/b/microsoft_press/archive/2010/09/13/free-ebook-moving-to-microsoft-visual-studio-2010.aspx

Some bed time reading on how to upgrade yourself from previous versions to Visual Studio 2010. It gives a detailed overview of how things change and what new features are available in a fairly unique approach.

You can find a detailed overview of the book here.
(cross posted from http://devtendencies.blogspot.com/2010/09/moving-to-microsoft-visual-studio-2010.html)

Saturday, September 11, 2010

Licensing...

It is surprising how quickly a day goes when you go from one meeting to another, but all in all a very positive day. First was a large corporate retailer with the potential of establishing TFS as their primary corporate work item management system (well, if I get my way at least). There is a lot of potential here, but as we all know, corporates aren’t the most agile of entities; change takes time. One of their primary issues will be around licensing, as they do a lot of non-Microsoft (read Java and mainframe) development and testing – hence a bunch of licenses that would be required outside of the MSDN subscriptions that the MS developers already have. Microsoft has covered the Java market very nicely with Team Foundation Everywhere. But the primary problem is testers logging bugs and users logging work items.
Obviously the caveat exists where using "Team System Web Access" (TSWA) you can log bugs and work items without a CAL as long as you do not access work items that were not created by yourself. Unfortunately not viable in this corporate’s situation as teams manage buckets of items.
The next option is to look at buying additional CALs. At approx. $500 a CAL, in South African terms not a cheap exercise.
The person I spoke to then spoke about an “external connecter” licence. But even if you could afford it, I don’t think that his situation would qualify for this licensing scheme.
Fortunately they already use a fairly expensive product to do test management, so a potential re-allocation of costs could be an option, and after getting back and reading up a bit I started looking at the possibility of SPLA licensing in a situation like this. It would definitely reduce initial costs and be flexible to the number of users on a monthly basis. Maybe something I must look into a bit closer.
The moral of the story: the complexity of Microsoft licensing really causes headaches for the people on the ground who are supposed to use / purchase these licenses. I read an article stating that the authors would be surprised if a large number of the “fully” licensed companies were in fact fully licensed, possibly even paying too much.
On the positive side: when I got back fairly late in the afternoon, I was surprised by an email from a company asking about me. I had no contact with them before and have no idea how they got to me, but it was a real highlight. Maybe there is some hope after all.

Thursday, September 9, 2010

Update

Well it has been a while, so I thought I would give a general update on what has happened so far. Unfortunately I have to say … not much.
I’ve made some progress with the licensing side of things; I’ve broken through the Microsoft guards and procedures to have access to the volume licensed software now. The problem is that as a ‘hoster’ you need to have a Service Provider Licensing Agreement in place.
Check. Got that.
The next step is to give Microsoft their money: you need to report monthly usage so that they can bill accordingly (you pay for the actual usage, which you in turn (hopefully) bill the clients for). This should be done on the SPLA Essentials “site”.
This is where most of the registration pain has originated thus far. One and a half months later I still have not been able to get access to this site (even though this is what initiated the process of getting onto the SPLA and volume licensing agreements in the first place). I seem to be stuck in an “I don’t have access; No, our systems show you have access; but I don’t have access; but our systems show… etc. etc.” communication cycle with the various levels of support around this issue.
Besides me consuming vast amounts of pricey bandwidth trying to get through MS support, I’ve been digging up old acquaintances and everybody that I have had some amicable interactions with to see if I can at least get the word out and in the process find some leads. Things are going slow (as expected) and I have no solid leads as yet, but still going strong.