Microsoft KB Archive Search

Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

  1. Home
  2. Error TF215106 or TF225000 when trying to Delete or Create a New Build Definition In Team Foundation Server 2010 Team Build

Error TF215106 or TF225000 when trying to Delete or Create a New Build Definition In Team Foundation Server 2010 Team Build

Symptoms

TFS security Permissions on Builds and Build Definitions will be incorrect for Team Project Administrators if those build definitions were part of a Team Project Migration from 2008 to 2010.  

After Migrating from Team Foundation Server (TFS) 2008 to TFS 2010, you may receive one of the following error when trying to delete a build definition, queue a new build, or delete an existing build.

Team Foundation Error

TF215106: Access denied. Domain\User needs Delete build definition permissions for the build definition MybuildDefintion in team project MyTeamProject to perform this action.


Team Foundation Error

TF225000: You do not have permission to create a new build definitions.


After upgrading your Team Foundation project that contain build definitions from 2008 to 2010, right-click on a build definition and select 'Security...'. 
Note that Project Administrators group only has 'View builds' and 'View build definition' permissions (the Contributors group even has more permissions than the Administrators group). Project Administrators should have full permission to each build definition or at least same permissions as Project Collection Administrators. For some team projects, the Project Administrators group may not have any permissions, so you might not even see this group present in Builds -> Security.

↑ Back to the top

Cause

The root cause of these problems is that the build permissions of the “Project Administrators” group were implicit in 2008. In 2010, they become explicit. In the migration we only updated groups with explicit permissions, so we missed this one.

↑ Back to the top

Resolution

1.      Make sure you have the right collection-level permissions to update build permissions for all the team projects in the collection. If you’re a team project collection administrator then you should be good.

2.      Create a console application in Visual Studio.

3.      Add the code below to the Program.cs file of your new project.

4.      Update the collection URL to point to your TFS collection.

5.      Run the program.

using System;
using Microsoft.TeamFoundation;
using Microsoft.TeamFoundation.Build.Common;
using Microsoft.TeamFoundation.Client;
using Microsoft.TeamFoundation.Framework.Client;
using Microsoft.TeamFoundation.Framework.Common;
using Microsoft.TeamFoundation.Server;
 
namespace UpdateProjectAdministratorsGroupPermissions
{
    partial class Program
    {
        static void Main(string[] args)
        {
            Uri tpcURI = new Uri(s_serverUrl);
 
            TfsTeamProjectCollection tpc = new TfsTeamProjectCollection(tpcURI);
            ICommonStructureService css = tpc.GetService<ICommonStructureService>();
            IIdentityManagementService ims = tpc.GetService<IIdentityManagementService>();
            ISecurityService securityService = tpc.GetService<ISecurityService>();
 
            SecurityNamespace buildSecurity = securityService.GetSecurityNamespace(BuildSecurity.BuildNamespaceId);
 
            Int32 permissionsToGrant = BuildPermissions.AllPermissions
                & ~BuildPermissions.UpdateBuildInformation
                & ~BuildPermissions.OverrideBuildCheckInValidation;
 
            foreach (ProjectInfo projectInfo in css.ListProjects())
            {
                if (projectInfo.Status == ProjectState.WellFormed)
                {
                    // Look up the project administrator group.
                    TeamFoundationIdentity[] groups = ims.ListApplicationGroups(projectInfo.Uri, ReadIdentityOptions.None);
 
                    // Find the administrators group.
                    TeamFoundationIdentity adminGroup = null;
                    foreach (TeamFoundationIdentity group in groups)
                    {
                        if (group.GetAttribute("SpecialType", String.Empty) == "AdministrativeApplicationGroup")
                        {
                            adminGroup = group;
                            break;
                        }
                    }
 
                    if (adminGroup != null)
                    {
                        String securityToken = LinkingUtilities.DecodeUri(projectInfo.Uri).ToolSpecificId;
 
                        buildSecurity.SetPermissions(securityToken, adminGroup.Descriptor, permissionsToGrant, 0, true);
                    }
                }
            }
        }
 
        // Defines your collection url here
        private static string s_serverUrl = "http://localhost:8080/tfs/DefaultCollection";
    }
}



↑ Back to the top

Keywords: kb

↑ Back to the top

Article Info
Article ID : 2533860
Revision : 1
Created on : 1/7/2017
Published on : 5/17/2011
Exists online : False
Views : 243