In my environment we have Dev, Main and Production branches. We also have Business and Architecture teams. What I would like to achieve is the following:
- Both teams can Contribute to Dev
- The Business team can only read Main and Production
- The Architecture team can only merge into Main and Production
Currently, both teams are members of the Contributors group on the Team Project.
Final Solution:
- Created a Group called Promo Officers at the collection level
- Added the Architecture team to the new group
- Added the Promo group to the permissions at the collection level (in Source Control Explorer right-click the collection, select Properties and click Permissions)
- Gave Promo Officers Read, Check Out, Check In, Label, Admin Labels, Merge and Manage Branch permissions
- Turned off Inherit Security for the Main and Production branches.
- Set the permissions for Contributors to just Read.
NB: You can’t deny the unwanted permissions for Contributors because if a user is both in Contributors and Promo Officers, then the deny takes precedence and they won’t have the correct permissions. Secondly, I wasn’t able to achieve my goal of only allowing merges to Main and Production as you need Check In and Check out permissions to do merges.
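The same set of steps scripted with the `tf permission` command instead of Source Control Explorer, as an added example that is not part of the original post. The collection URL, the team project name `MyProject`, the `[DefaultCollection]\Promo Officers` and `[MyProject]\Contributors` group paths and the branch paths are all assumptions to adjust for your server; the permission names are the ones tf.exe uses (Check Out is `PendChange`, Check In is `Checkin`, Admin Labels is `LabelOther`).

```powershell
# Added example, not from the original post. Equivalent of the Source Control
# Explorer steps: disable inheritance on Main and Production, grant the promotion
# group its explicit allows, cut Contributors down to Read, then list the result.
# Every value below is an assumed placeholder; replace it with your own names.
$Collection = "http://tfs.example.local:8080/tfs/DefaultCollection"   # assumed URL
$Promo      = "[DefaultCollection]\Promo Officers"                     # assumed collection-level group
$Contrib    = "[MyProject]\Contributors"                               # assumed project-level group
$Branches   = @('$/MyProject/Main', '$/MyProject/Production')          # assumed branch paths

foreach ($branch in $Branches) {
    # 1. Turn off Inherit Security so the project-level Contributors grant
    #    no longer flows down into this branch.
    tf permission /inherit:no /collection:$Collection $branch

    # 2. Promo Officers: the explicit allow list described in the post.
    tf permission /allow:Read,PendChange,Checkin,Label,LabelOther,Merge,ManageBranch `
        /group:$Promo /recursive /collection:$Collection $branch

    # 3. Contributors: Read only. Clear their existing entries and re-add Read
    #    with /allow rather than using /deny. A Deny beats an Allow across all of
    #    a user's groups, so denying Contributors would also lock out Architecture
    #    members who sit in both groups.
    tf permission /remove:* /group:$Contrib /recursive /collection:$Collection $branch
    tf permission /allow:Read /group:$Contrib /recursive /collection:$Collection $branch

    # 4. Verify: with no /allow, /deny or /remove, tf permission prints the
    #    effective ACL for the path so the change can be checked before moving on.
    tf permission /collection:$Collection $branch
}
```

Running the last command for a user in both groups is the quick check for the caveat in the post: the Promo Officers entries should show as Allow with nothing in the Deny column for Contributors.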
If you right-click a folder in Source Control Explorer and go to Properties -> Security you can manage permissions right down to the folder/branch level.