The end to all of your TF14098: Access Denied, or how to figure out wrong permissions (TFS2013)

But I do have permissions!

I’ve come across a pestering access issue on TFS2013 (On-Premises), where I couldn’t delete some branches because I had no access to path/*. After reviewing my permissions a thousand times on the accusing path, I almost gave up and used tf destroy to incinerate them. (PROTIP: don’t do that unless you ABSOLUTELY have to). Most of the times, this problem is caused by a permission set in some subfolder or file inside of the folder you’re willing to delete. The thing is: VS doesn’t tell you exactly what files have the treacherous permission set that drives you to insanity.

Go to the database or go home

Most of the times you want to be far away from the TFS database, but allow yourself to do a quick query to find out the offending problem:

SELECT c.DisplayPart, tsace.* FROM dbo.tbl_SecurityAccessControlEntry tsace
INNER JOIN dbo.Constants c ON tsace.TeamFoundationId = c.TeamFoundationId
WHERE tsace.SecurityToken LIKE '%aaa%' AND DenyPermission<>0

Replace the “aaa” with the term you want.

Check the DisplayPart, the SecurityToken and the DenyPermission columns, and manually change the security settings for them on Visual Studio (or on the web-access, for that matter). Done and done.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s