Dismiss Notice

Register now to be one of the first members of this SharePoint Community! Click here it just takes seconds!

Dismiss Notice
Welcome Guest from Country Flag

Use TFS API to add or update ACEs in the ACL for the provided token

Discussion in 'Official Microsoft News' started by TfsSetup - Moderator, Apr 15, 2017.

Thread Status:
Not open for further replies.
  1. TfsSetup - Moderator

    TfsSetup - Moderator Guest

    Blog Posts:
    I worked on an interesting issue recently,

    Issue: TFS Service account lost admin rights on a collection.

    One of the Symptom: Facing access denied issue while trying to upload TFS process template by logging in to machine using TFS service account.

    The User account is part of Team project collection administrators group and Manage process template permission set to Allow, which are required permissions to modify a process template.

    We ended up using the below TFS API to regain the permissions of TFS service account on Team project collection.

    Use API to add or update ACEs in the ACL for the provided token:

    Steps to use the API:

    1. Install Advanced Client API from chrome web store

    2. Create oAuth token for user account which is part of TFS admin group : https://www.visualstudio.com/en-us/docs/integrate/get-started/auth/overview

    3. Convert token to Base64 string: Code to convert is in above article

    4. Open Advanced Rest Client tool (Use below screenshot as reference)

    Select POST and give following URL http://tfsserver:8080/tfs/DefaultCollection/_apis/accesscontrolentries/5a6cd233-6615-414d-9393-48dbb252bd23/?api-version=1.0

    Use Basic Omw1Z294dHpqb3hkN3l6NmZxcDN4YzRmNjVmNWpqM3dpMmtwcWRpd3MyYTZyNXZ3Ynlsc3E= (Replace this with Base64 string created from above step)

    “token”: “$”,
    “merge”: false,
    “accessControlEntries”: [
    “descriptor”: “Microsoft.TeamFoundation.Identity;S-1-9-1551374245-1204400969-2402986413-2179408616-0-0-0-0-1”,
    “allow”: 1,
    “deny”: 0,
    “extendedinfo”: {}

    5. Replace the SID S-1-9-1551374245-1204400969-2402986413-2179408616-0-0-0-0-1 in above payload to the actual SID of the project collection administrator. You can get this SID by running this query on the collection db.

    FROM dbo.Constants
    WHERE PartitionId = 1
    AND DisplayPart LIKE ‘%DefaultCollection%Project Collection Administrators%’


    Successful execution of API resolved the issue.

    Incase if you want to use the same API with TFS 2015 which doesn’t have oAuth token, you can use the Advanced Client API browser plug in. make sure that you connected to TFS on the same browser and API will use the same credentials.


    Content: Venkatappala Raju Chakravaram
    Review: Romit Gulati

    Continue reading...
Thread Status:
Not open for further replies.

Share This Page

LiveZilla Live Chat Software