I was asked to take over a TFS installation. Apparently, there was no one, previously, knowledgeable in administering Team Foundation Server because there were many installation and configuration issues – it was a mess.
One such issue was misassignment of user permissions. For instance, the business needed multiple users to have access to the TFS analysis cube in order to generate reports and pivot tables in Excel. The business’s solution to granting users “read” access to the cube was to grant them TFS Administrator privileges. In fact, there were over 20 users who were authorized as Team Foundation Administration Console Users.
By doing this, not only does the user have incredibly insane permissions around TFS, but they have administrative privileges (Read/Write) to the analysis cube – they would be added as a member of theTfsWarehouseAdministrator role group on the analysis server.
Grant Users Read Access to TFS Analysis Cube
- Open SQL Management Studio
- Click Connect and choose “Analysis Services”
- Enter the server name of the TFS data tier. (HINT: If the Analysis Services is located on the machine that you’re running SQL Management Studio, type (local) as the Server name.)
- Expand the hierarchy of the server tree to Databases -> Tfs_Analysis -> Roles
- Right-click on “TfsWarehouseDataReader”
- In the Edit Role dialog, choose Membership.
- Click the “Add” button at the bottom-right of the dialog membership panel and add the user’s domain account.