Skip to main content

HOWTO: TFS: Can I Prohibit Merging?

Recently a client inquired if it were possible within the Team Foundation Server (TFS) Source Control authorization capabilities to prohibit merging. Having a long week, I brainlessly looked at the authorization options within Source Control Explorer (right-mouse Properties >> Security tab):

image

Nothing there. Then I knocked my forehead and realized one would configure this authorization as part of the branching mechanism. Duh. Merging is a client-side activity. If you can access the TFS server, you can merge. However, committing changes to server source repository requires Check In authorization.

My personal preference is to empower and entrust developers with a fair amount of responsibility. Thus, I like to enable merging into the integration branch for developers. However, this client wanted to restrict developers from merging and reserve this responsibility for accounts belonging to a TFS group (created by default) named "Project Administrators". These are folks playing, for example, the team lead role. Our developers have been added to another TFS group (also created by default) named "Contributors".

Let's assume we're leveraging a simple: Development >> Main >> Production branching mechanism within source control. The Development branch is somewhat wild-wild-west in that you want to impose few impediments to check-ins. Frequency of check-ins usually leads to higher quality (because you're undergoing unit testing and integration more often). So, I have authorization configured to allow Contributors to Read, Check In, etc.:

image

In contrast, the Main branch serves as an integration branch. It should be less wild-wild-west but still flexible. The golden rule here is that no code should be directly checked into Main. It should [almost...a few exceptions] always obtain updates through a merge from the Development branch.

Following my typical paradigm, I would enable Check In for the Contributors within Main. However, for this client, we will revoke that permission for Contributors reserving it for Project Administrators (Note: you'll likely need to uncheck "Inherit security settings"). We'll explicitly deny Check In and Lock while Allow'ing Read:

image

Project Administrators retain full rights:

image

So let's take this one step further into the Production branch. Once the team completes integration testing in the Main branch, we start to call on the Release Manager role. S/he owns the Production branch and should treat it as highly restrictive. In theory, merging from Main into Production should be a formality (ok, in reality, we know this isn't the case but go with me here). With this in mind, let's create a third TFS project group named "Release Managers".

image

We'll keep full rights for the TFS server administrators group but restrict Project Administrators to Read rights and prevent Contributors from even seeing this code (just for fun). (Note: You'll need to explicitly add the Release Managers group we created by clicking the Add button.)

Release Managers:

image

Project Administrators:

image

Contributors:

image

Happy merging!

Labels

Labels:

Comments

Tim said…
Jeff, I know you ended up explaining the situation, but the title definitely got my attention. Why would anybody want to prohibit merging? Prevent overwriting, sure, but merging? Feels wrong.

I do like your release branch set-up. Giving me a few ideas there. (Though I'll implement it in Subversion, since we're using that currently.)
Saturday, September 06, 2008 10:01:00 PM
Jeff Hunsaker said…
@tim Agree. This isn't atypical though with clients migrating from a tool lacking true branching support (i.e. SourceSafe). Going from VSS to TFS/SVN/ClearCase is like going from VB6 to C#: it's a complete paradigm shift...and you have to leave all that baggage behind before you can move ahead.
Jeff...
Sunday, September 07, 2008 10:56:00 AM
Post a Comment

Popular posts from this blog

Starting a New Blog with my Cousin

On 9/15/2006, my cousin (he's really a 2nd cousin many times removed...I'm not convinced we're actually related ;-) John Ingrisano and I will launch a new blog targeted to the small business owner. He'll provide most of the content and I will provide the technical and marketing expertise. Ok, ok, starting a blog isn't rocket science but we're aiming to [eventually] derive some sort of profit from this venture, so I plan on doing this right. The two blogs I currently maintain live on the free Blogger.com and LiveJournal.com. I'll be covering the adventure here on Effective Thoughts--providing insight as to what worked and what didn't. To start off, our first activities are: Choose a name and a theme Find a host Help John learn the ins and outs of blogging Implement the site: look/feel, about/bio, 1st content, announcements, etc. Understand marketing best practices To this end, here is some research I compiled: Finding a host http://en...
6 comments
Read more

Switching the Parents to Ubuntu...?

I spent a half hour or so recently on the phone walking my Mom through a technical issue. Tentatively, I diagnosed her issue as a hard drive failure. She brought it over on her last visit and sure enough, the Dell XPS 450 from circa 1999 sounds like a bad coin-operated laundry at full capacity. I was aghast to discover she's running Windows 98. Ugh. Also, her recovery disk is just that--for recovery. I don't believe I'll be able to re-install Win98 on a new hard drive. That, coupled with the end of Microsoft (and Dell) support for Win98, got me thinking about Linux. (and she's not intense about her computing needs...and she doesn't want to spend much money...) I've been reading good things about switching one's parents to Ubuntu. Any thoughts out there?
4 comments
Read more