TFS: Is it possible to remove item permissions objects from version control?

Question

When using the TFS object model, item-level ACLs can be set with the VersionControlServer.SetPermissions method. This method takes an array of SecurityChange objects, which PermissionChange inherits. The PermissionChange class takes arrays of strings for Allow permissions, Deny permissions, and Removes (in order to reset a certain permission back to unset). These item-level permissions can then be viewed with the VersionControlServer.GetPermissions method.

When item-level permissions are set with the VersionControlServer.SetPermissions method, a new permissions object is created with the ServerItem set to the server path for that item. The permissions object has an Entries property that contains an entry for each user or group defined above the item in source control, even if all the permissions for that user or group are inherited. Furthermore, even when resetting the permissions previously set on the item, the permissions object remains on the server even though it contains no entries that aren't inherited.

In short, it seems that over time the size of these permissions objects is strictly increasing. The performance of these methods is beginning to suffer due to the large amount of information being returned (at the branch level, for example), and I don't know of a RemovePermissions method of any kind to clean these up. Does such a thing exist? How can I go about removing these permanently so that the items just transparently inherit their ACLs without these clutter objects defined on the server?

Answer 1

In 2010, TFS introduced a new security service which manages all permissions in the product. Each permision group is broken up into a security namespace. You can achieve what you want using the new service that exposes this functionality. I haven't tested this code below but it should get you close.

First, add these references:

using Microsoft.TeamFoundation.Client;
using Microsoft.TeamFoundation.Framework.Client;
using Microsoft.TeamFoundation.VersionControl.Common;

And then run this code:

// Somehow define which paths you want to delete security on.
string[] pathsToDeleteSecurityOn = new string[0];

TfsTeamProjectCollection tpc = new TfsTeamProjectCollection(new Uri("http://your-server:8080/tfs/your-collection"));
ISecurityService securityService = tpc.GetService<ISecurityService>();

// Get the version control security namespace
SecurityNamespace vcSecurity = securityService.GetSecurityNamespace(SecurityConstants.RepositorySecurityNamespaceGuid);

// Delete the ACLs on each path
foreach (string path in pathsToDeleteSecurityOn)
{
    vcSecurity.RemoveAccessControlLists(path, false);
}

Let me know if you hit any issues.

Answer 2

Looks like what you want to do is not possible. The best way to be sure would be to contact Buck Hodges and ask him directly.

If it's possible you'll find your answer in the Microsoft.TeamFoundation.VersionControl.Server namespace (which is the server of the Version Control, not the client one).

I couldn't found such feature after looking at the doc.