In this blog post, I'll show you how to use the TFS API to get the security groups, members, permissions and security settings of users in Team Projects in TFS.
Problem
I would like to see the version control permissions and security settings for each user in a Group for each Team Project. Can I see all of this in one place in a report?
Solution
Is the report below similar to what you are looking for? Let’s build one using the TFS SDK… if you enjoy the post, remember to subscribe to http://feeds.feedburner.com/TarunArora.
Connect to TFS Programmatically
I have a separate blog post on how to connect to TFS programmatically using the TFS API. In the below code snippet, you can see that I am getting a list of team projects using the VersionControlServerService.
var tfs = TfsTeamProjectCollectionFactory
.GetTeamProjectCollection(new Uri("https://avanade.tfspreview.com/defaultcollection"));
tfs.EnsureAuthenticated();
var vcs = tfs.GetService<VersionControlServer>();
var teamProjects = vcs.GetAllTeamProjects(false);
Get all Application Groups Programmatically
When I say application groups, I am referring to the list of groups that you expect to see if you were to right click on Team Project => Click Team Project Settings => and choose Group Membership. I will be using the IGroupSecurityService service to get the list of application groups.
var sec = tfs.GetService<IGroupSecurityService>();
Identity[] appGroups = sec.ListApplicationGroups(teamProject.ArtifactUri.AbsoluteUri);
Get All Members Within the Application Groups Programmatically
When I say application groups, I am referring to the list of users you would expect to see if you double click on the group name in the group membership window. This will allow you to get the details of which group the user is a member of as well.
foreach (Identity group in appGroups)
{
Identity[] groupMembers = sec.ReadIdentities(SearchFactor.Sid,
new string[] { group.Sid }, QueryMembership.Expanded);
foreach (Identity member in groupMembers)
{
var groupM = new GroupMembership {GroupName = member.DisplayName, GroupSid = member.Sid};
if (member.Members != null)
{
foreach (string memberSid in member.Members)
{
Identity memberInfo = sec.ReadIdentity(SearchFactor.Sid,
memberSid, QueryMembership.Expanded);
var userName = memberInfo.Domain + "\\" + memberInfo.AccountName;
var permissions = vcs.GetEffectivePermissions(userName, teamProject.ServerItem);
Get the Security Settings of a User Programmatically
When I say security settings, I am referring to the list of project security that you expect to see if you were to right click on Team Project => Click Team Project Settings => and choose Security. I will be using the VersionControlServer
service to get the list of permissions. This will allow me to see if these permissions have been inherited or explicitly allowed or denied.
var actualPermission = vcs.GetPermissions(new string[] { teamProject.ServerItem },
RecursionType.Full);
foreach (var memberOf in memberInfo.MemberOf)
{
}
Version Control Permissions
When I say Version Control permissions, I am referring to the list of permissions you expect to see if you were to right click on Team Project => Security. I will be using the VersionControlServer
service to get the list of permissions.
var permissions = vcs.GetEffectivePermissions(userName, teamProject.ServerItem);
foreach (var permission in permissions)
{
versionControlPermissions.Add(new VersionControlPermission(){Name = permission});
}
Putting Everything Together
Let's put all the snippets together, you can also download the working demo Linqpad query from this blog post. Look for the demo download link at the top of the post.
public class TeamProject
{
public string Name { get; set; }
public string TeamProjectCollectionName { get; set; }
}
public class GroupMembership
{
public string GroupName { get; set; }
public string GroupSid { get; set; }
public List<GroupMember> GroupMember { get; set; }
}
public class GroupMember
{
public string MemberName { get; set; }
public string MemberSid { get; set; }
public string Domain { get; set; }
public string Email { get; set; }
public List<VersionControlPermission> VersionControlPermissions { get; set; }
}
public class VersionControlPermission
{
public string Name { get; set; }
}
public class Security
{
public TeamProject TeamProject { get; set; }
public List<GroupMembership> GroupMembership { get; set; }
}
void Main()
{
var tfs =
TfsTeamProjectCollectionFactory.GetTeamProjectCollection(
new Uri("https://avanade.tfspreview.com/defaultcollection"));
tfs.EnsureAuthenticated();
var sec = tfs.GetService<IGroupSecurityService>();
var vcs = tfs.GetService<VersionControlServer>();
var teamProjects = vcs.GetAllTeamProjects(false);
var securities = new List<Security>();
for (int i = 0; i < 1; i++)
{
var teamProject = teamProjects[i];
var security = new Security();
var myTeamProj = new TeamProject();
myTeamProj.Name = teamProject.Name;
myTeamProj.TeamProjectCollectionName = teamProject.TeamProjectCollection.Name;
security.TeamProject = myTeamProj;
var groupMemberships = new List<GroupMembership>();
Identity[] appGroups =
sec.ListApplicationGroups(teamProject.ArtifactUri.AbsoluteUri);
foreach (Identity group in appGroups)
{
Identity[] groupMembers = sec.ReadIdentities(SearchFactor.Sid,
new string[] { group.Sid }, QueryMembership.Expanded);
foreach (Identity member in groupMembers)
{
var groupM =
new GroupMembership { GroupName = member.DisplayName, GroupSid = member.Sid };
if (member.Members != null)
{
var groupMCollection = new List<GroupMember>();
foreach (string memberSid in member.Members)
{
Identity memberInfo = sec.ReadIdentity(SearchFactor.Sid,
memberSid, QueryMembership.Expanded);
var groupMM = new GroupMember();
groupMM.MemberName = memberInfo.AccountName;
groupMM.MemberSid = memberInfo.Sid;
groupMM.Domain = memberInfo.Domain;
groupMM.Email = memberInfo.MailAddress;
var userName = memberInfo.Domain + "\\" + memberInfo.AccountName;
var permissions =
vcs.GetEffectivePermissions(userName, teamProject.ServerItem);
var actualPermission =
vcs.GetPermissions(new string[] { teamProject.ServerItem },
RecursionType.Full);
var versionControlPermissions = new List<VersionControlPermission>();
foreach (var permission in permissions)
{
versionControlPermissions.Add(
new VersionControlPermission() { Name = permission });
}
groupMM.VersionControlPermissions = versionControlPermissions;
foreach (var memberOf in memberInfo.MemberOf)
{
}
groupMCollection.Add(groupMM);
}
groupM.GroupMember = groupMCollection;
}
groupMemberships.Add(groupM);
}
}
security.GroupMembership = groupMemberships;
securities.Add(security);
}
securities.Dump(10);
}
Enjoyed the post? Remember to subscribe to http://feeds.feedburner.com/TarunArora? Have ideas/feedback/questions, please feel free to add comments.