Tiago Pascoal's WebLog

Hello Good Evening and welcome to nothing much.

Team Foundation Server: Restricting Work Item creation based on a role


A while ago, i was asked a simple question. How can we restrict work item creation based on a user role. For example on MSF CMMI template, only testers can create Scenario Work Items.

To my knowledge there was no straightforward way to do it, but i though of a way to do it.

  1. Create (or use an existing one) mandatory field, and then place a restriction that the field is readonly for certain roles.
  2. On the workflow definition, create a restriction saying that only permitted roles are allowed to transition to a given state. In this case the given state would be the initial state (Active normally).

Technique number one, is not possible. since it is contradiction to have a field mandatory and read only (even if conditional)

Technique number two, can be achieved with the following XML, (placed on the TRANSICTIONS element, inside the the WORKFLOW element of the work item, to which you want to place the restrition)

<TRANSITION from="" to="Active" not="[global]\Team Foundation Administrators">

If you are thinking that this solution, is nothing more than a hack you are absolutely true. It is an hack, but it works. Although in a very inelegant way. If you implement this solution and try to create a "restricted" work item type you get the following error:

TF26212: Team Foundation Server could not save your changes. There may be problems with the work item type definition. Try again or contact your Team Foundation Server administrator.

No elegance at all indeed.

Does anyone know of a cleaner way to do it?

[Cross posted on http://www.agilior.pt/blogs/tiago.pascoal/archive/...]

Posted: Dec 31 2006, 06:32 PM by tspascoal | with 9 comment(s)
Filed under:


Yosi Taguri said:

You could write a Visual Studio Addin to catch the save event of a workitem and then throw an expception if you don't want to save it. the problem with this scenario is that: 1. You have to throw an exception to say "I don't want to save". 2. you need to install it on the clients.

# December 31, 2006 5:00 PM

tspascoal said:

Apart from the hassle of the (already mentioned) to install the plugin on the client, it seems too much trouble for such a simple requirement.

In a controlled environment i would rather use the "TF26212: ..." ugly message and educate the users about it's meaning. :-)

In a perfect world, yeah the plugin would be a lot cleaner. :-) Althoug much less centralized then template/work item definition.

# January 2, 2007 5:59 AM

patrick said:

Nice post...your writing quality is really impressive.

# December 21, 2009 2:12 AM

ipad app prices said:

Nothing for nothing.


# December 18, 2010 3:21 PM

ipad app said:


"Hey - good blog. Just checking out some blogs, seems a fairly nice platform you are using. I'm currently employing Wordpress for a couple of my blogs but I'm not happy with it so a good deal. I am searching to change one of them over to a system an identical to yours (BlogEngine) as being a trial run. Anything in certain you'd recommend about it?"

# January 3, 2011 1:13 AM

Leola Mcauly said:

The following absolutely a great web web page you've visiting this web site. The matter is quite useful in addition to direct clear. Ecstatic to discover to read yet another recommendation of your weblog next time.

# July 4, 2011 9:30 PM

Steven said:

Yeah, it happens sometimes ... Nothing special.

# February 11, 2013 7:12 PM

Nail said:

Does your website have a contact page? I'm having a tough time locating it but, I'd like to shoot you an email.

I've got some ideas for your blog you might be interested in hearing. Either way, great website and I look forward to seeing it grow over time.

# April 22, 2013 12:45 AM