Making a TFS Branch Read-Only

StackOverflow https://stackoverflow.com/questions/1038595

  •  10-07-2019
  •  | 
  •  

Question

We are trying to follow the branching strategy from the TFS Branching Guide and have reached the point where we have made a branch representing a release, which should now be made read-only.

In the Properties|Security tab for the branch, it presents six user groups each with 10 permissions other than Read. Do I have to go through and click Deny on 60 check boxes, or is there a better way to make this branch read-only?

Was it helpful?

Solution

Right-click the branch in the Source Control Explorer, and select the Lock... option

EDIT: This seems to get missed a lot when people are finding this so I'll make it more obvious.

Locks appear as a "pending change" for the person who locked the item. As long as the lock is in effect, it will appear as a pending change. When a commit is made of that pending change, the lock is released. While the lock is in effect, the locked branch is effectively read-only, since (to simplify) the locker is the only user who can make commits. The act of committing is what releases any locks on the branch.

h/t @AakashM for pointing that out in the comments

OTHER TIPS

As a quick-n-dirty, you could Lock it for Check Out (although the locker would have to remember to keep the lock in their pending changes forever... which makes me think there's a better way)

To answer the 2nd part of the question -- removing or denying the Read permission effectively denies everything else.

As is mentioned above locking is not a very nice strategy. The correct way of handling this is setting permissions.

You can effectively make files readonly. Users trying to modify the files will get a message 'checkout denied'

https://msdn.microsoft.com/en-us/library/ms252587.aspx#project_level

In VS2013: Team Explorer -> Settings -> Security/Version Control

Deny Check In for domain\domain users

If you have inheritance set to 'On', the best way I've found is to:

  1. 'Deny' all permissions except 'Read' to the 'Reader' group, and
  2. Add all other groups (except Project Administrators) to the 'Reader' group.

Then, all groups within the Reader group will inherit the 'Deny' permissions and not be able to do anything but read.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top