Add users or groups to an access level
TFS 2017 | TFS 2015 | TFS 2013
Users must be added to a group with the appropriate permissions, to connect and use the functions and features that Azure DevOps Server provides. To use select web portal features, they must also belong to the access level that enables access to that feature. For an overview of each access level, see About access levels.
This article applies to managing access levels for project collections defined on an on-premises Azure DevOps. To manage access levels for the Azure DevOps Services (the cloud service), see Add users to your organization or project. For Azure DevOps feature availability, see the Azure DevOps Feature Matrix.
Make sure that you select the correct version of this article for Azure DevOps Services or Azure DevOps Server, renamed from Team Foundation Server (TFS). The version selector is located above the table of contents.
For a simplified overview of the permissions that are assigned to the most common groups—Readers, Contributors, and Project Administrators—and the Stakeholder access group, see Permissions and access.
Even if you set a user or group's access level, you must add them to a project for them to connect to a project and access features available through a supported client or the web portal.
Make sure to set each user's access level based on what you've purchased for that user. Basic access includes all Stakeholder features - Basic + Test Plans, Advanced and Visual Studio Enterprise subscriber access levels include all Basic features. In the images provided below, the circled features indicate the features made available from the previous access level.
- You must be a member of the Administrators group. If you aren't a member, get added now.
- If you're managing access for a large group of users, it's a best practice to first create either a Windows group, a group in Active Directory, or Azure DevOps security group, and then add individuals to those groups.
Open access levels
You manage access levels for the collections defined on the application tier. The default access level you set applies to all projects defined for all collections. Users or groups that you add to teams, projects, or collections are granted the access level that you set as the default. To change the access level for a specific group or user, add them specifically to a non-default access level.
From a user context, open Server Settings by choosing the gear icon. The tabs and pages available differ depending on which settings level you access.
From the web portal home page for a project (for example,
http://MyServer:8080/tfs/DefaultCollection/MyProject/), open Server settings.
Add a user or group to an access level
Changes you make to the access level settings take affect immediately. You can add or change the access level for a user or group through this interface.
From Access levels, select the access level you want to manage. For example, here we choose Stakeholder, and then Add to add a group to Stakeholder access.
If you don't see Access levels, you aren't a TFS administrator and don't have permission. Here's how to get permissions.
Enter the name of the user or group into the text box. You can enter several identities into the text box, separated by commas. The system automatically searches for matches. Choose the matches that meet your choice.
Choose Save changes.
Change the access level for a user or group
To change the access level for a user or group, first remove them from their existing access level, and then add them to the access level you want them to have.
Choose the user or group and then select Remove.
Add the user or group to the other access level following the steps provided in the previous section.
Change the default access level
Change the default access level to match the access you have licenses for. If you change the default access level to Stakeholder, all users not explicitly added to the Basic or an advanced level are limited to the features provided through Stakeholder access.
You set an access level from its page. Choose Set as default access level as shown.
Service accounts are added to the default access level. If you set Stakeholder as the default access level, you must add the Azure DevOps service accounts to the Basic or an advanced access level group.
Guide to features and access levels
For details on the features available to each access level, see About access levels.