Restrict Access to Valid Users group across Team Projects
It's been a while since I blogged here, as I was stuck on a couple of other issues. This time I thought of speaking about this topic (Restrict Access to Valid Users group across Team Projects). Though it is a very low-level feature, I feel that a lot of people will agree with me when I say "the Valid Users group should not have access to all the data of the projects on a TFS server (even in read-only mode), as it can contain sensitive/confidential data". Here we will see how to restrict this access by removing the read-only permission from the Valid Users group at project creation time.
// Subscribe to ProjectCreatedEvent with immediate SOAP delivery to our web service.
// eventEndpoint is the IEventService obtained from the server (tfs.GetService(typeof(IEventService)));
// userId and WSUrl are supplied as command-line arguments to the utility tool.
DeliveryPreference delPrev = new DeliveryPreference();
delPrev.Type = DeliveryType.Soap;
delPrev.Schedule = DeliverySchedule.Immediate;
delPrev.Address = WSUrl; // Url of the asmx which contains the Notify method
string filterQuery = null; // no filter: every ProjectCreatedEvent is delivered
int subIDProjCreate = eventEndpoint.SubscribeEvent(userId, "ProjectCreatedEvent", filterQuery, delPrev);
These parameters (the user ID and the web service URL) will be passed as arguments to the utility tool. (This makes an entry in tbl_subscription in the TFSIntegration database.)
With this, when a Team Project is created either programmatically or using the wizard, the event is fired and the Notify method is invoked. (For people who are not aware of the Notify method: this is the generic web service method that gets invoked whenever an event is raised by the TFS infrastructure. Its eventXml argument is populated with all the event-related information. More information on this can be found in MSDN.)
The Notify method for this will look like:
using System;
using System.Configuration;
using System.Web.Services;
using System.Web.Services.Protocols;
using System.Xml;
using Microsoft.TeamFoundation.Client;
using Microsoft.TeamFoundation.Server;
using Microsoft.ApplicationBlocks.ExceptionManagement; // ExceptionManager (assumed: Exception Management Application Block)

[SoapDocumentMethod(Action = "http://schemas.microsoft.com/TeamFoundation/2005/06/Services/Notification/03/Notify", RequestNamespace = "http://schemas.microsoft.com/TeamFoundation/2005/06/Services/Notification/03")]
[WebMethod(MessageName = "Notify")]
public EventResult Notify(string eventXml) // EventResult: return type of the TFS notification contract
{
    XmlDocument objXML = new XmlDocument();
    objXML.LoadXml(eventXml);

    // Only act on project creation; other subscribed events carry no PortfolioProject element,
    // so the project name is read inside the check rather than before it
    if (objXML.DocumentElement.Name == "ProjectCreatedEvent")
    {
        try
        {
            // Name of the newly created team project
            string projectName = objXML.GetElementsByTagName("PortfolioProject")[0].InnerText;
            // Server name is read from the web service's configuration file
            string strTFSServer = ConfigurationManager.AppSettings["TFSServer"];
            TeamFoundationServer tfs = TeamFoundationServerFactory.GetServer(strTFSServer);
            IGroupSecurityService secproxy = tfs.GetService(typeof(IGroupSecurityService)) as IGroupSecurityService;
            ICommonStructureService commproxy = tfs.GetService(typeof(ICommonStructureService)) as ICommonStructureService;
            IAuthorizationService authproxy = tfs.GetService(typeof(IAuthorizationService)) as IAuthorizationService;
            // The server-wide "Team Foundation Valid Users" application group
            Identity tfsValidUsers = secproxy.ReadIdentityFromSource(SearchFactor.EveryoneApplicationGroup, null);
            string projectUri = commproxy.GetProjectFromName(projectName).Uri;
            // Remove the allow ACE for GENERIC_READ on the project object
            authproxy.RemoveAccessControlEntry("$PROJECT:" + projectUri,
                new AccessControlEntry("GENERIC_READ", tfsValidUsers.Sid, false));
        }
        catch (Exception e)
        {
            ExceptionManager.Publish(e);
        }
    }
    return new EventResult();
}
This is pretty much self-explanatory code, where:
· eventXml is loaded into an XML document and the project name is read
· the code checks that the event raised is ProjectCreatedEvent (one can use a switch statement if subscribing to more TFS events)
· the server name is read from a configuration file
· with the help of the Group Security, Common Structure and Authorization services, the generic read access for the TFS Valid Users group is removed
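A practitioner will also want to verify that the removal actually took effect, and the same calls apply to projects that already exist. The audit helper below is an added example, not code from the original post; it assumes the TFS 2005 object model used above, that ReadAccessControlList returns AccessControlEntry[] and ListProjects returns ProjectInfo[], and the class/parameter names are hypothetical.

```csharp
using System;
using Microsoft.TeamFoundation.Client;
using Microsoft.TeamFoundation.Server;

// Added audit helper (not from the original post). For every team project on the
// server it reports whether the Valid Users group still holds an allow ACE for
// GENERIC_READ on the project object, and optionally removes that ACE.
public static class ValidUsersReadAudit
{
    public static void Run(string serverName, bool remove)
    {
        TeamFoundationServer tfs = TeamFoundationServerFactory.GetServer(serverName);
        IGroupSecurityService sec = (IGroupSecurityService)tfs.GetService(typeof(IGroupSecurityService));
        ICommonStructureService css = (ICommonStructureService)tfs.GetService(typeof(ICommonStructureService));
        IAuthorizationService auth = (IAuthorizationService)tfs.GetService(typeof(IAuthorizationService));

        // SID of the server-wide "Team Foundation Valid Users" application group
        string validUsersSid = sec.ReadIdentityFromSource(SearchFactor.EveryoneApplicationGroup, null).Sid;

        foreach (ProjectInfo project in css.ListProjects())
        {
            string objectId = "$PROJECT:" + project.Uri;
            bool exposed = false;

            // Look for an allow (Deny == false) entry granting GENERIC_READ to Valid Users
            foreach (AccessControlEntry ace in auth.ReadAccessControlList(objectId))
            {
                if (string.Equals(ace.Sid, validUsersSid, StringComparison.OrdinalIgnoreCase)
                    && ace.Action == "GENERIC_READ" && !ace.Deny)
                {
                    exposed = true;
                }
            }

            Console.WriteLine("{0}: Valid Users GENERIC_READ {1}", project.Name, exposed ? "ALLOWED" : "not granted");

            if (exposed && remove)
            {
                // Same call the Notify handler makes at project creation time
                auth.RemoveAccessControlEntry(objectId, new AccessControlEntry("GENERIC_READ", validUsersSid, false));
                Console.WriteLine("  removed allow ACE for Valid Users");
            }
        }
    }
}
```

Note that this only covers the project-level ($PROJECT) permission namespace; version control and area/iteration permissions are held in their own namespaces and are not affected by this call.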
Hope this was useful... In my next post I plan to write about the custom control feature of SP1. Watch out...
Thanks and Regards
PrashanthG

Comments
Is it in any way possible to do this on an already existing project?
Poul Ingwersen
Posted by: Poul Ingwersen | August 30, 2007 07:50 AM