Managing User Permissions for Lab Management

You can control the level of access that various members of your team have to Lab Management resources by adding each member to security groups for each team project. By default, Team Foundation creates several groups for each project, and each group has its own set of permissions and rights for that project. If the default groups do not provide the appropriate permissions, you can create custom groups that have a specific combination of permissions. For more information about adding users to the default groups, see Adding and Removing Users To and From Groups. For more information about creating custom groups, see Custom Groups.

Default Groups and Permissions

When you create a team project collection, Team Foundation automatically creates the following default collection-level groups:

  • Project Collection Administrators

  • Project Collection Valid Users

  • Project Collection Service Accounts

  • Project Collection Build Service Accounts

  • Project Collection Proxy Service Accounts

  • Project Collection Test Service Accounts

Of these groups, the Project Collection Administrators and the Project Collection Build Service Accounts are given explicit permissions to access or control Lab Management resources. For more information about all the default collection-level groups, see Default Groups in Team Foundation Server.

Similarly, when you create a team project, Team Foundation automatically creates the following default project-level groups:

  • Project Administrators

  • Contributors

  • Readers

  • Builders

Of these groups, the Project Administrators, Contributors, and Readers are given explicit permissions to access or control Lab Management resources. For more information about the permissions for all the default collection-level and project-level groups, see Permission reference for Team Foundation Server.

The following table lists the specific Lab Management permissions that are assigned to users when you add the user to a default group. For many team projects, assigning users to either the Project Administrators group or the Contributors group is sufficient for the individual people to do their jobs.

| Name of Lab Management permission | Name of the permission at the command line | Users who have this permission can: | Project Collection Administrators | Project Collection Build Service Accounts | Project Administrators | Contributors | Readers |
|---|---|---|---|---|---|---|---|
| View Lab Resources | Read | View information for the various Lab Management resources, which include collection host groups, project host groups, and environment. To view information about a specific lab resource, you must have the View Lab Resources permission for that resource. | X | X | X | X | X |
| Import Virtual Machine | Create | Import a virtual machine from a VMM library share. This permission differs from Write because users can create an object in Lab Management but not write anything to the Virtual Machine Manager host group or library share. | X | | X | X | |
| Write Environment and Virtual Machines | Write | Users who have this permission for a project host group can create environments. Users who have this permission for a project library share can store environments and templates. | X | X | X | X | |
| Edit Environment and Virtual Machines | Edit | Users who have this permission can edit environments and templates. The permission is checked for the object that is being edited. | X | X | X | X | |
| Start | Start | Start an environment. | X | X | X | X | |
| Stop | Stop | Stop an environment. | X | X | X | X | |
| Pause Environment | Pause | Pause an environment. | X | X | X | X | |
| Manage Snapshots | ManageSnapshots | Users who have this permission can perform all snapshot management tasks for an environment, which include taking a snapshot, reverting to a snapshot, renaming a snapshot, deleting a snapshot, and reading a snapshot. | X | X | X | X | |
| Delete Environment and Virtual Machine | Delete | Delete environments and templates. The permission is checked for the object that is being deleted. | X | | X | | |
| Manage Lab Location | ManageLocation | Edit the locations of Lab Management resources, which include collection host groups, collection library shares, project host groups, and project library shares. To change a specific location, you must have the Manage Lab Locations permission for that location. This permission for collection-level locations (collection host groups and collection library shares) also lets you create project-level locations (project host group and project library share). | X | | X | | |
| Delete Lab Locations | DeleteLocation | Delete the locations for Lab Management resources, which include collection host groups, collection library shares, project host groups, and project library shares. To delete a location, you must have the Delete Lab Location permission for that location. | X | | X | | |
| Manage Child Permissions | ManageChildPermissions | Users who have this permission can change the permissions of all the child Lab Management objects. For example, if a user has Manage Child Permission for a team project host group, the user can change permissions for all the environments under that team project host group. | X | | X | | |
| Manage Permissions | ManagePermissions | Modify the permissions for a Lab Management object. This permission is checked for the object whose permissions are being modified. | X | | | | |

Custom Groups and Permissions

If the permissions granted by the default Team Foundation security groups are too inclusive or exclusive, you can create new security groups that have different combinations of permissions.

For example, your team might have some users who function as test leads and other users who function as just testers. The policies in your organization require that only test leads are authorized to create virtual machines and templates. Because adding a tester to the default Contributors group would automatically give the tester permission to create new virtual machines and templates, you might want to create a custom group named "Tester" that has just the permissions indicated in the following table.

Similarly, your organization has some users who function as a team project administrator and other users who function as test lab administrators. The policies in your organization require that only team project administrators can manage user permissions. Because adding a lab administrator to the default Project Administrators group would automatically give the test lab administrator the ability to manage permissions, you may want to create a custom group named "Lab Administrators."

The following table illustrates the specific permissions that might be given to the "Lab Administrators" group and three other custom groups that differ from the permissions in the default groups. For the steps to create custom groups, see Custom Groups in Team Foundation Server.

| Name of Lab Management permission | Custom group: Lab Administrator | Custom group: Test Lead | Custom group: Tester | Custom group: Developer |
|---|---|---|---|---|
| View Lab Resources | X | X | X | X |
| Create VM Template using VMM Virtual Machines | X | X | | |
| Write Environment and Template | X | X | | |
| Edit Environment and Templates | X | X | X | X |
| Start Environment | X | X | X | X |
| Stop Environment | X | X | X | X |
| Pause Environment | X | X | X | X |
| Manage Environment Snapshots | X | X | X | X |
| Delete Environment and Templates | X | X | | |
| Manage Lab Location | X | | | |
| Delete Lab Location | X | | | |
| Manage Child Permissions | | | | |
| Manage Permissions | | | | |

After you create the custom groups, you must add users to those groups. Use the command-line utility TFSLabConfig to manage the Lab Management permissions for groups or users. For the syntax and other considerations, see Configure Lab Management with TFSLabConfig.

To view what groups or users have existing permissions on the various Lab Management objects, see the TFSLabConfig Permissions Command.
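The reasoning behind the custom groups can be checked mechanically. The following is an added example, not part of the original documentation or of Team Foundation Server: it encodes the two tables using the command-line permission names and reports, for each custom role, the closest default project-level group and the permissions that group would grant beyond what the role needs. The function names are hypothetical, and the mapping of second-table rows to command-line names (for instance "Create VM Template using VMM Virtual Machines" to Create) is an assumption.

```python
"""Added example: least-privilege fit of custom roles against default groups."""

# Command-line permission names, taken from the first table on this page.
OPERATE = frozenset({"Read", "Edit", "Start", "Stop", "Pause", "ManageSnapshots"})
AUTHOR = OPERATE | {"Create", "Write"}
LOCATIONS = frozenset({"ManageLocation", "DeleteLocation"})

# Default project-level groups, as marked in the first table.
DEFAULT_GROUPS = {
    "Readers": frozenset({"Read"}),
    "Contributors": AUTHOR,
    "Project Administrators": AUTHOR | LOCATIONS | {"Delete", "ManageChildPermissions"},
}

# Custom groups from the second table. Assumption: its row names map onto the
# command-line names of the first table (e.g. "Create VM Template ..." -> Create).
CUSTOM_GROUPS = {
    "Lab Administrator": AUTHOR | LOCATIONS | {"Delete"},
    "Test Lead": AUTHOR | {"Delete"},
    "Tester": OPERATE,
    "Developer": OPERATE,
}


def closest_default_group(required):
    """Return (group, excess) for the default group that covers `required`
    with the fewest extra permissions, or (None, frozenset()) if none does."""
    covering = [
        (len(perms - required), name)
        for name, perms in DEFAULT_GROUPS.items()
        if required <= perms
    ]
    if not covering:
        return None, frozenset()
    _, name = min(covering)
    return name, DEFAULT_GROUPS[name] - required


def over_grant_report():
    """Map each custom role to its closest default group and the over-grant."""
    return {role: closest_default_group(req) for role, req in CUSTOM_GROUPS.items()}


if __name__ == "__main__":
    for role, (group, excess) in over_grant_report().items():
        print(f"{role:18} -> {group}: excess {sorted(excess) or 'none'}")
```
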

See Also

Concepts

Configure Lab Management for SCVMM environments

Other Resources

Change Existing Lab Management Configurations