Geeks With Blogs

News




View Tarun Arora's profile on LinkedIn

profile for Tarun Arora at Stack Overflow, Q&A for professional and enthusiast programmers

Tarun Arora - Visual Studio ALM MVP ALM, Agile, Automation, Performance Testing, Software QA, Cloud, ...

 

Download a working Demo:

Working Demo Download

In this blog post I'll show you how to use the TFS API to get the security groups, members, permissions and security settings of users in Team Projects in TFS.

Problem

I would like to see the version control permissions and security settings for each user in a Group for each Team Project. Can I see all of this in one place in a report?

Solution

Is the report below similar to what you are looking for? Let’s build one using the TFS SDK… if you enjoy the post, remember to subscribe to http://feeds.feedburner.com/TarunArora.

image

 

=> Connect to TFS programmatically

I have a separate blog post on how to connect to TFS programmatically using the TFS API. In the below code snippet you can see I am getting a list of team projects using the VersionControlServerService.

var tfs = TfsTeamProjectCollectionFactory
                .GetTeamProjectCollection(new Uri("https://avanade.tfspreview.com/defaultcollection")); 
tfs.EnsureAuthenticated();
// Version control service exposes methods to work with TFS version control
var vcs = tfs.GetService<VersionControlServer>();

// Since we'll be reporting groups for all team projects, imp to get all team projects
var teamProjects = vcs.GetAllTeamProjects(false);

=> Get all Application Groups programmatically

When I say application groups I am referring to the list of groups that you expect to see if you were to right click on Team Project => Click Team Project Settings => And choose Group Membership. I will be using the IGroupSecurityService service to get the list of application groups.

image

 

// Group Security service exposes methods to get groups, users and security details
var sec = tfs.GetService<IGroupSecurityService>();
Identity[] appGroups = sec.ListApplicationGroups(teamProject.ArtifactUri.AbsoluteUri);

 

=> Get all members with in the Application Groups programmatically

When I say application groups I am referring to the list of users you would expect to see if you double click on the group name in the group membership window. This will allow you to get the details of which group the user is a member of as well.

image

 

foreach (Identity group in appGroups)
{
     Identity[] groupMembers = sec.ReadIdentities(SearchFactor.Sid, new string[] { group.Sid }, QueryMembership.Expanded);
                    
     foreach (Identity member in groupMembers)
     {
         var groupM = new GroupMembership {GroupName = member.DisplayName, GroupSid = member.Sid};
                        
         if (member.Members != null)
         {
             foreach (string memberSid in member.Members)
             {
                 Identity memberInfo = sec.ReadIdentity(SearchFactor.Sid, memberSid, QueryMembership.Expanded);

                 var userName = memberInfo.Domain + "\\" + memberInfo.AccountName;
                 var permissions = vcs.GetEffectivePermissions(userName, teamProject.ServerItem);

 

=> Get the security settings of a user programmatically

When I say security settings I am referring to the list of project security that you expect to see if you were to right click on Team Project => Click Team Project Settings => And choose Security. I will be using the VersionControlServer service to get the list of permissions. This will allow me to see if these permissions have been inherited or explicitly allowed or denied.

image

 

var actualPermission = vcs.GetPermissions(new string[] { teamProject.ServerItem },
                                                                          RecursionType.Full);
foreach (var memberOf in memberInfo.MemberOf)
{
      // Get information about the members
}

=> Version Control Permissions

When I say Version Control permissions I am referring to the list of permissions you expect to see if you were to right click on Team Project => Security. I will be using the VersionControlServer service to get the list of permissions.

image

var permissions = vcs.GetEffectivePermissions(userName, teamProject.ServerItem);

foreach (var permission in permissions)
{
     versionControlPermissions.Add(new VersionControlPermission(){Name = permission});
}

=> Putting everything together

Lets put all the snippets together, you can also download the working demo Linqpad query from this blog post. Look for the demo download link at the top of the post.

        public class TeamProject
        {
            public string Name { get; set; }
            public string TeamProjectCollectionName { get; set; }
        }

        public class GroupMembership
        {
            public string GroupName { get; set; }
            public string GroupSid { get; set; }
            public List<GroupMember> GroupMember { get; set; }
        }

        public class GroupMember
        {
            public string MemberName { get; set; }
            public string MemberSid { get; set; }
            public string Domain { get; set; }
            public string Email { get; set; }
            public List<VersionControlPermission> VersionControlPermissions { get; set; }
        }

        public class VersionControlPermission
        {
            public string Name { get; set; }
        }

        public class Security
        {
            public TeamProject TeamProject { get; set; }
            public List<GroupMembership> GroupMembership { get; set; }

        }

        void Main()
        {
            // Connect to TFS - VersioControlServer service
            var tfs =
                TfsTeamProjectCollectionFactory
                .GetTeamProjectCollection(new Uri("https://avanade.tfspreview.com/defaultcollection")); 
            tfs.EnsureAuthenticated();

            // Group Security service exposes methods to get groups, users and security details
            var sec = tfs.GetService<IGroupSecurityService>();

            // Version control service exposes methods to work with TFS version control
            var vcs = tfs.GetService<VersionControlServer>();

            // Since we'll be reporting groups for all team projects, imp to get all team projects
            var teamProjects = vcs.GetAllTeamProjects(false);

            var securities = new List<Security>();

            for (int i = 0; i < 1; i++)
            {
                var teamProject = teamProjects[i];
                var security = new Security();
                var myTeamProj = new TeamProject();
                myTeamProj.Name = teamProject.Name;
                myTeamProj.TeamProjectCollectionName = teamProject.TeamProjectCollection.Name;
                security.TeamProject = myTeamProj;
                var groupMemberships = new List<GroupMembership>();
                Identity[] appGroups = sec.ListApplicationGroups(teamProject.ArtifactUri.AbsoluteUri);

                foreach (Identity group in appGroups)
                {
                    Identity[] groupMembers = sec.ReadIdentities(SearchFactor.Sid, new string[] { group.Sid }, QueryMembership.Expanded);

                    foreach (Identity member in groupMembers)
                    {
                        var groupM = new GroupMembership { GroupName = member.DisplayName, GroupSid = member.Sid };

                        if (member.Members != null)
                        {
                            var groupMCollection = new List<GroupMember>();
                            foreach (string memberSid in member.Members)
                            {
                                Identity memberInfo = sec.ReadIdentity(SearchFactor.Sid, memberSid, QueryMembership.Expanded);
                                
                                // The above is a group and so build a collection of users in the group
                                // Member Name and other available properties about the user

                                var groupMM = new GroupMember();
                                groupMM.MemberName = memberInfo.AccountName;
                                groupMM.MemberSid = memberInfo.Sid;
                                groupMM.Domain = memberInfo.Domain;
                                groupMM.Email = memberInfo.MailAddress;

                                var userName = memberInfo.Domain + "\\" + memberInfo.AccountName;
                                var permissions = vcs.GetEffectivePermissions(userName, teamProject.ServerItem);
                                var actualPermission = vcs.GetPermissions(new string[] { teamProject.ServerItem },
                                                                          RecursionType.Full);
                                var versionControlPermissions = new List<VersionControlPermission>();
                                
                                foreach (var permission in permissions)
                                {
                                    versionControlPermissions.Add(new VersionControlPermission() { Name = permission });

                                }
                                groupMM.VersionControlPermissions = versionControlPermissions;

                                foreach (var memberOf in memberInfo.MemberOf)
                                {
                                }

                                groupMCollection.Add(groupMM);
                            }
                            groupM.GroupMember = groupMCollection;
                        }
                        groupMemberships.Add(groupM);

                    }
                }
                security.GroupMembership = groupMemberships;
                securities.Add(security);
            }

            securities.Dump(10);
        }

 

Enjoyed the post, remember to subscribe to http://feeds.feedburner.com/TarunArora? Have ideas/feedback/questions, please feel free to add comments.

Cheers, Tarun

Share this post :
Posted on Friday, September 30, 2011 9:42 PM TFS2010 , TFS API , TFS2012 | Back to top


Comments on this post: TFS SDK Get Groups Users Permissions using TFS API with Linqpad

# re: TFS SDK Get Groups Users Permissions using TFS API with Linqpad
Requesting Gravatar...
Download link doesn't work
Left by Merc on Oct 03, 2011 5:11 PM

# re: TFS SDK Get Groups Users Permissions using TFS API with Linqpad
Requesting Gravatar...
Hi Merc,

Thanks for pointing the broken link out. I'll correct that and post an updated link shortly.

Cheers, Tarun
Left by Tarun Arora on Oct 03, 2011 5:25 PM

# re: TFS SDK Get Groups Users Permissions using TFS API with Linqpad
Requesting Gravatar...
Hi Marc,

I have corrected the download link. Please give it another try.

Cheers, Tarun
Left by Tarun Arora on Oct 03, 2011 7:39 PM

# re: TFS SDK Get Groups Users Permissions using TFS API with Linqpad
Requesting Gravatar...
Hi Tarun,

Could you please share the dump method. I really like to the excel layout that you "dumped"

Thanks
Oran
Left by Oran on Dec 01, 2011 11:59 AM

# re: TFS SDK Get Groups Users Permissions using TFS API with Linqpad
Requesting Gravatar...
Hi Oran,

You already have it, navigate to "C:\Program Files (x86)\Microsoft Visual Studio 10.0\Samples\1033\CSharpSamples\LinqSamples\ObjectDumper" (the path might vary between Program x86 or program depending on x86 or x64 bit).

The Object Dumper project shows you a sample implementation of the Dump() method, include that in your project add ref and you should be able to use it right away.

Feedback, questions, suggestion, feel free to add to the thread.

Cheers, Tarun
Left by Tarun Arora on Dec 01, 2011 12:28 PM

# re: TFS SDK Get Groups Users Permissions using TFS API with Linqpad
Requesting Gravatar...
What I don't see is the work item permissions. These are controlled primarily from area path permissions. I think many of us set permissions on the root area node and inherit by default on the descendant nodes. Would be helpful to have those permissions as well.
Left by Tim Pacl on Feb 24, 2012 8:21 PM

# re: TFS SDK Get Groups Users Permissions using TFS API with Linqpad
Requesting Gravatar...
That's very helpful! This morning, someone did ask me why some accounts of our managers appeared in the TFS Valid User Group. This program did help me to find to which projects they had access, as well as via which TFS Group. You saved me a bunch of hours!

May I ask you how you would get efficiently the "TeamProject" to which a group belongs ? Ex.: assume I have the "Identity" of a group named [myTeamProjectXYZ]\Readers, is there any property/method to find the TeamProject without nested loops on all the existing TeamProjects/Groups (via GetAllTeamProjects and ListApplicationGroups) ?
Left by vletroye on Oct 12, 2012 12:44 PM

# re: TFS SDK Get Groups Users Permissions using TFS API with Linqpad
Requesting Gravatar...
Thanks Tarun

Can you point me on how i can run a .linq file ? I have vs2010 installed and am a bit lost. The file format is not capatible with being a C# file, yet most of it is C#.
Left by Grge Roberts on Jan 22, 2013 6:08 AM

# re: TFS SDK Get Groups Users Permissions using TFS API with Linqpad
Requesting Gravatar...
@Tarun, the demo download is a Linq file, download LinqPad and it will open in there, http://www.linqpad.net/.
Left by John Calvert on Feb 12, 2013 9:53 PM

# re: TFS SDK Get Groups Users Permissions using TFS API with Linqpad
Requesting Gravatar...
P.S. If you have VS 2012 and not VS 2010 you will need to update the references in the *.linq file to the TFS assemblies. In LinqPad hit F4 for the query properties, then one by one select each invalid (red) reference and click Browse to the correct file in C:\Program Files (x86)\Microsoft Visual Studio 11.0\Common7\IDE\ReferenceAssemblies\v2.0.
Left by John Calvert on Feb 12, 2013 10:18 PM

comments powered by Disqus

Copyright © Tarun Arora [Microsoft MVP] | Powered by: GeeksWithBlogs.net