TFS SDK Get Groups Users Permissions using TFS API with Linqpad

Tarun_Arora

4.00/5 (4 votes)

1 Oct 2011CPOL2 min read

37.5K

How to use the TFS API to get the security groups, members, permissions and security settings of users in Team Projects in TFS

Download working demo

In this blog post, I'll show you how to use the TFS API to get the security groups, members, permissions and security settings of users in Team Projects in TFS.

Problem

I would like to see the version control permissions and security settings for each user in a Group for each Team Project. Can I see all of this in one place in a report?

Solution

Is the report below similar to what you are looking for? Let’s build one using the TFS SDK… if you enjoy the post, remember to subscribe to http://feeds.feedburner.com/TarunArora.

Connect to TFS Programmatically

I have a separate blog post on how to connect to TFS programmatically using the TFS API. In the below code snippet, you can see that I am getting a list of team projects using the VersionControlServerService.

var tfs = TfsTeamProjectCollectionFactory
                .GetTeamProjectCollection(new Uri("https://avanade.tfspreview.com/defaultcollection")); 
tfs.EnsureAuthenticated();

// Version control service exposes methods to work with TFS version control
var vcs = tfs.GetService<VersionControlServer>();

// Since we'll be reporting groups for all team projects, imp to get all team projects
var teamProjects = vcs.GetAllTeamProjects(false);

Get all Application Groups Programmatically

When I say application groups, I am referring to the list of groups that you expect to see if you were to right click on Team Project => Click Team Project Settings => and choose Group Membership. I will be using the IGroupSecurityService service to get the list of application groups.

// Group Security service exposes methods to get groups, users and security details
var sec = tfs.GetService<IGroupSecurityService>();

Identity[] appGroups = sec.ListApplicationGroups(teamProject.ArtifactUri.AbsoluteUri);

Get All Members Within the Application Groups Programmatically

When I say application groups, I am referring to the list of users you would expect to see if you double click on the group name in the group membership window. This will allow you to get the details of which group the user is a member of as well.

foreach (Identity group in appGroups)
{

 Identity[] groupMembers = sec.ReadIdentities(SearchFactor.Sid, 
                new string[] { group.Sid }, QueryMembership.Expanded);
                    
 foreach (Identity member in groupMembers)
 {
     var groupM = new GroupMembership {GroupName = member.DisplayName, GroupSid = member.Sid};
                    
     if (member.Members != null)
     {
         foreach (string memberSid in member.Members)
         {
             Identity memberInfo = sec.ReadIdentity(SearchFactor.Sid, 
                                   memberSid, QueryMembership.Expanded);

             var userName = memberInfo.Domain + "\\" + memberInfo.AccountName;
             var permissions = vcs.GetEffectivePermissions(userName, teamProject.ServerItem);

Get the Security Settings of a User Programmatically

When I say security settings, I am referring to the list of project security that you expect to see if you were to right click on Team Project => Click Team Project Settings => and choose Security. I will be using the VersionControlServer service to get the list of permissions. This will allow me to see if these permissions have been inherited or explicitly allowed or denied.

var actualPermission = vcs.GetPermissions(new string[] { teamProject.ServerItem },
                                          RecursionType.Full);
foreach (var memberOf in memberInfo.MemberOf)
{
      // Get information about the members
}

Version Control Permissions

When I say Version Control permissions, I am referring to the list of permissions you expect to see if you were to right click on Team Project => Security. I will be using the VersionControlServer service to get the list of permissions.

var permissions = vcs.GetEffectivePermissions(userName, teamProject.ServerItem);

foreach (var permission in permissions)
{
     versionControlPermissions.Add(new VersionControlPermission(){Name = permission});
}

Putting Everything Together

Let's put all the snippets together, you can also download the working demo Linqpad query from this blog post. Look for the demo download link at the top of the post.

public class TeamProject
{
    public string Name { get; set; }
    public string TeamProjectCollectionName { get; set; }
}

public class GroupMembership
{
    public string GroupName { get; set; }
    public string GroupSid { get; set; }
    public List<GroupMember> GroupMember { get; set; }
}

public class GroupMember
{
    public string MemberName { get; set; }
    public string MemberSid { get; set; }
    public string Domain { get; set; }
    public string Email { get; set; }
    public List<VersionControlPermission> VersionControlPermissions { get; set; }
}

public class VersionControlPermission
{
    public string Name { get; set; }
}

public class Security
{
    public TeamProject TeamProject { get; set; }
    public List<GroupMembership> GroupMembership { get; set; }
}

void Main()
{
    // Connect to TFS - VersioControlServer service
    var tfs =
        TfsTeamProjectCollectionFactory.GetTeamProjectCollection(
          new Uri("https://avanade.tfspreview.com/defaultcollection")); 
    tfs.EnsureAuthenticated();

    // Group Security service exposes methods to get groups, users and security details
    var sec = tfs.GetService<IGroupSecurityService>();

    // Version control service exposes methods to work with TFS version control
    var vcs = tfs.GetService<VersionControlServer>();

    // Since we'll be reporting groups for all team projects, imp to get all team projects
    var teamProjects = vcs.GetAllTeamProjects(false);

    var securities = new List<Security>();

    for (int i = 0; i < 1; i++)
    {
        var teamProject = teamProjects[i];
        var security = new Security();
        var myTeamProj = new TeamProject();
        myTeamProj.Name = teamProject.Name;
        myTeamProj.TeamProjectCollectionName = teamProject.TeamProjectCollection.Name;
        security.TeamProject = myTeamProj;
        var groupMemberships = new List<GroupMembership>();
        Identity[] appGroups = 
          sec.ListApplicationGroups(teamProject.ArtifactUri.AbsoluteUri);

        foreach (Identity group in appGroups)
        {
            Identity[] groupMembers = sec.ReadIdentities(SearchFactor.Sid, 
                       new string[] { group.Sid }, QueryMembership.Expanded);

            foreach (Identity member in groupMembers)
            {
                var groupM = 
                  new GroupMembership { GroupName = member.DisplayName, GroupSid = member.Sid };

                if (member.Members != null)
                {
                    var groupMCollection = new List<GroupMember>();
                    foreach (string memberSid in member.Members)
                    {
                        Identity memberInfo = sec.ReadIdentity(SearchFactor.Sid, 
                                 memberSid, QueryMembership.Expanded);
                        
                        // The above is a group and so build a collection of users in the group
                        // Member Name and other available properties about the user

                        var groupMM = new GroupMember();
                        groupMM.MemberName = memberInfo.AccountName;
                        groupMM.MemberSid = memberInfo.Sid;
                        groupMM.Domain = memberInfo.Domain;
                        groupMM.Email = memberInfo.MailAddress;

                        var userName = memberInfo.Domain + "\\" + memberInfo.AccountName;
                        var permissions = 
                            vcs.GetEffectivePermissions(userName, teamProject.ServerItem);
                        var actualPermission = 
                            vcs.GetPermissions(new string[] { teamProject.ServerItem },
                                               RecursionType.Full);
                        var versionControlPermissions = new List<VersionControlPermission>();
                                
                        foreach (var permission in permissions)
                        {
                            versionControlPermissions.Add(
                               new VersionControlPermission() { Name = permission });

                        }
                        groupMM.VersionControlPermissions = versionControlPermissions;

                        foreach (var memberOf in memberInfo.MemberOf)
                        {
                        }

                        groupMCollection.Add(groupMM);
                    }
                    groupM.GroupMember = groupMCollection;
                }
                groupMemberships.Add(groupM);

            }
        }
        security.GroupMembership = groupMemberships;
        securities.Add(security);
    }

    securities.Dump(10);
}

Enjoyed the post? Remember to subscribe to http://feeds.feedburner.com/TarunArora? Have ideas/feedback/questions, please feel free to add comments.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)