What I intend to do is lock the whole release branch down so nobody can do check-in.
But there's one developer that does a lot of installer changes, so he has to be able to submit changes.
Is there a way to do it?
Assuming you are an admin for the project: right-click a folder (in your case, your branch root) in source control explorer, click "Advanced/Security" in the menu, and then choose your settings. You may wish to create a new user group, or just add the user individually.
As a side note, it's often more user-friendly if you deny lock and check-in rights (rather than denying check out): if a developer is browsing the code, VS will often try to check out various files, and the error dialogs this shows when security-blocked can be quite intrusive.
Related
In this GitLab docs https://docs.gitlab.com/ee/administration/housekeeping.html it has been mentioned that:
You can change how often this happens or turn it off:
On the top bar, select Menu > Admin. On the left sidebar, select Settings > Repository.
But when I open Menu but there is no Admin button. How can I add Admin button into Menu and also use it? Is it free to access using Admin option?
The admin menu is restricted to GitLab administrators. If you do not see an Admin button, this most likely means you are not a GitLab Administrator. If you are using gitlab.com, this is the case for pretty much all gitlab.com users.
If you are an admin, in modern versions of GitLab you should see the button at the bottom of the dropdown:
In older versions, the admin button is directly in the top bar.
If you are an admin on a self-hosted GitLab instance, you can also attempt to access the admin area directory directly at the path /admin. If you are logged in and get a 404, it means you are not an admin (or your instance has admin mode setting enabled).
Note that this documentation is under the "Administration" section, meaning this is intended for (self-managed) administrators only. The docs could probably also be updated to make this more clear:
Administrators can change how often this happens or turn it off:
Currently i generated excel file from TFS 2013.
I want to disable editing this file for some specific users.
I tried to add these users in the group Reader only, but they can modify the excel file then publish it.
On the other side, i want to give them the ability to refresh the excel file and get the latest status.
By "publish" I assume you mean the Check In permission. Readers don't have an explicit Deny on Check In by default, so you may find that people who can still Check In are members of another group with permissions. The usual group being the Contributors group.
To force the matter you can go to the file in question in Source Control Explorer, right click it and select Advanced -> Security and then explicitly set the Reader group to Deny for the Check In right.
I assume that you mean "publishing work items". If you do then people in the readers group will not be able to publish unless they also have contributed rights. So while they can click "publish" they will not be able to make changes on TFS, and they will be able to refresh.
I have directories in TFS (server is 2010, users are using VS 2012 and 2013), which I want to prevent anyone from working in. I still want them to be there, so users can read the files and view history, but I don't want to let them check anything out or in.
The reason is that we have a bunch of outdated branches which people have created all willy-nilly with terrible names over the years, and we're hoping to not have to move/reorganize them all right now - but I don't want anyone new to accidentally work on one of the old branches without realizing it.
I can lock the directories, but then they show up indefinitely in my on personal changes as locked - I don't want this junking up my workspace, and if I ever leave, I'm sure my locks will be removed anyway.
Is there any "disable" command or anything else I can do to stop checkouts/checkins on directories?
if you right click on the branch you should get security options. in TFS 2013 its Advanced > Security (sorry not got 2010 instance in front of me)
you can then set permissions on the branch, set read for your normal users and disable Check in / check out for them
I have two reports that I need to build. One that has a dozen or so columns. The other has the same columns + 2 extra. The first one is aimed at employees the second with the additional columns is aimed at Sr. Management.
I have a windows group set up for the proper Sr. Mgt users.
I am using SQL 2012.
I've done some SSRS stuff, but not enough to say I'm competent to do more difficult reports.
The problem I'm having is that we do not want the employees to see the sensitive information in those two columns. Frankly, we don't even want them to know the existence of a different report.
Option 1: I was thinking I can just create a folder in SSRS and add the report there and hide the folder. I created it and applied the security but it seems that everyone can see the folder. Maybe they can't edit anything in it or even maybe they can't read anything in it, but this solution, if unchanged, will not meet the goal of having them not even see it exists.
Option 2: I was thinking that I can use the UserID condition to hide the columns in the report and just create one report that differs depending on who was viewing. There are two issues that surfaced in my research. First, there is no facility for using Windows Groups instead of userid. That would mean I have to maintain the list of people inside the report and boy would that be a pain. And second, my understanding is that the export facility does not respect the column actions -- like hiding.
Am I making this too complicated? Is there an easier way to do this? With no other solution, so I need to put up another instance of SSRS for management and make them go back and forth?
Thanks for your time
Option1: You should not be able to 'browse' for folders unless the 'parent' level permission has an 'everyone' user set up to browse on the higher level. Set up a test account and RDP to a box you can use the test account on. Generally under 'Folder Settings' you set up permission and it cascades down until interupted. If you have a parent permission to browse and a lower one not to, they may be able to browse directories. You can ensure that the directory has ONLY dedicated users and the inherited settings are removed manually.
Option2: I would NOT do this. You will have a maintenance nightmare on your hands as you would have to determine in code who was what and update a list that would probably need to be updated somewhere in SQL or a service. As far as I know SSRS does not work with getting parameters and such directly from AD so you would have to code this time and again. For this reason and security context I would avoid this.
Option3: Set up a 'Subscription' to save the report to a file format(excel, pdf, word, etc) or email on a scedule and turn off permission for everyone but admins. If someone can still see the report or directory there is most likely a security context issue.
Option4: You can do a cheapy 'Hide in tile view' move that for most users will hide the directory unless they go to the URL directly and have access. Click on a folder then choose 'Folder Settings' then check 'hide in tile view' and hit okay. Directory is now gone for most part for regular users browsing in default mode.
I think we can just fix your problem, and avoid inventing a complicated and unnecessary solution:
Option 1: I was thinking I can just create a folder in SSRS and add the report there and hide the folder. I created it and applied the security but it seems that everyone can see the folder. Maybe they can't edit anything in it or even maybe they can't read anything in it, but this solution, if unchanged, will not meet the goal of having them not even see it exists.
Chances are that either you set up the security settings wrong, or there's a bigger configuration nightmare to worry about. What you should do is create the folder, go into the settings of the folder, and edit the security (thus breaking inheritance from the parent folder). Before even adding groups, you need to remove anyone that doesn't belong - namely entries like "YOU\Domain Users" - that gives access to anyone on your domain. Once you've cleaned out whomever shouldn't have access, you can add the users/groups that should. Problem solved.
Now, if that doesn't work, then it would seem to me that your SSRS instance is somehow granting everyone sysadmin access - check the Site Settings to see what users and groups are in the System Administrator role. Investigate any groups thoroughly - is BUILTIN\Administrators a sysadmin in SSRS? Check the group locally on the computer - is there another blanket domain group shown there?
If everyone on your domain has complete access to the SSRS instance, then your goal of "hiding" things is impossible.
I'm trying to find what is the permission security for allowing visibility of the Alias function in the Presentation tab ribbon.
For the user in question i've browsed to the core database, and under Access viewer, i'm looking that all the items under Applications/Content Editor have read-enabled permissions, specifically the item /sitecore/content/Applications/Content Editor/Ribbons/Strips/Presentation/Page Urls as well as /sitecore/content/Applications/Content Editor/Ribbons/Chunks/Page Urls are read-enabled
However, when login as this user there is no presentation tab.
I've tried resetting the cache and still nothing changes. I'm using sitecore 6.5.0
I think you are almost there, but you still need to give the user sufficient access to the /sitecore/system/Aliases item.
Create a new role(or use an existent one), for example sitecore\Sitecore Client Aliases. Use this role to add the following permissions.
Switch to the Core database and allow Read permission for the /sitecore/content/Applications/Content Editor/Ribbons/Chunks/Page Urls item and its descendants
Switch to the Master database and unprotect the /sitecore/system/Aliases item by using the Unprotect Item checkbox in the Configuration tab.
Allow Read, Write, Create permissions for the /sitecore/system/Aliases item and Read, Write, Create, Delete permissions for its descendants.
Protect the /sitecore/system/Aliases item back.
Add user to the sitecore\Sitecore Client Aliases role.
Found here: http://wiki.evident.nl/Sitecore%20alias%20role.ashx
The easiest way to enable the presentation tab is to use a sitecore standard role.
I'm not totaly sure but i asume it was sitecore\Sitecore Client Designing.
And as far as i know you have to use those standard roles to enable access to certain chunks.
Try using the Access Viewer for the user which doesn't see the Alias Tab. You can manually switch to the core database and then click on the different tabs with the specified user / role to see what causes this behavior. Most of the times you will find out that some role / restriction was set to a higher level item dat denies read rights.