Restricting Ability to Run Build Types
In the MSDN Team Foundation - Build Automation forums, someone asked last night about restricting access so that only specific users could kick off specific build types. The question is below:
"Is it possible to set up different permissions for different builds in the same TFS project? Currently, we have Dev build, QA build and Prod build, and we want only a couple of people to trigger Prod build."
It got me thinking. A very reasonable request and one I'm sure plenty of other folks have taken care of but I have not. My immediate thought was to control permissions on the actual build type folder in source control with the theory that if the user cannot see (read) the build type in version control then they will not see it in their list of build types and will not be able to run it. Guess what. It works. But you likely already knew that. It doesn't show up in Team Explorer in the build type list, nor can it be run from a command line with tfsbuild. All goodness.
If you have the scenario described above, simply turn off inheritance on the build type folders you wish to restrict in version control and grant, at a minimum, the read, label and lock permissions to the users who can run those builds. When you remove inheritance, don't forget to give Build Services the read, label and lock permissions and administrators full control. Removing inheritance removes all permissions, so the folder starts as a blank slate.
This all relates to TFS 2005, though I can't see why it would not also apply to TFS 2008.
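The same lockdown scripted with `tf permission`, as an added example that is not from the original post. The server URL, team project, build type, user names and the choice of Project Administrators as the administrators group are placeholders or assumptions, as is the `$/<TeamProject>/TeamBuildTypes/<BuildType>` folder layout used by TFS 2005. Explicit permissions are granted first and inheritance is turned off last, so the folder is never left with an empty permission list.

```powershell
# Added example: every name below is a placeholder, not a value from the post.
$Server    = 'http://tfs.example.local:8080'   # placeholder TFS server
$Project   = 'Contoso'                         # placeholder team project
$BuildType = 'ProdBuild'                       # placeholder build type
$Runners   = 'EXAMPLE\alice,EXAMPLE\bob'       # users allowed to run the build

# Assumption: TFS 2005 keeps each build type in its own folder under TeamBuildTypes.
$Folder   = '$/{0}/TeamBuildTypes/{1}' -f $Project, $BuildType
$BuildSvc = '[{0}]\Build Services' -f $Project
$Admins   = '[{0}]\Project Administrators' -f $Project   # assumed admin group

function Invoke-Tf {
    # Run tf.exe and stop at the first failure so a half-applied change is noticed.
    & tf.exe @args
    if ($LASTEXITCODE -ne 0) {
        throw "tf $($args -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# 1. Explicit grants first: these survive when inheritance is removed.
Invoke-Tf permission '/allow:*' "/group:$Admins" $Folder "/server:$Server"
Invoke-Tf permission '/allow:Read,Label,Lock' "/group:$BuildSvc" $Folder "/server:$Server"
Invoke-Tf permission '/allow:Read,Label,Lock' "/user:$Runners" $Folder "/server:$Server"

# 2. Only now drop the inherited permissions from the parent folders.
Invoke-Tf permission '/inherit:no' $Folder "/server:$Server"

# 3. Print the resulting permissions for review. Anyone not listed with Read
#    should no longer see this build type in Team Explorer or via tfsbuild.
Invoke-Tf permission $Folder "/server:$Server"
```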