We are trying to follow the branching strategy from the TFS Branching Guide and have reached the point where we have made a branch representing a release, which should now be made read-only.
In the Properties|Security tab for the branch, it presents six user groups each with 10 permissions other than Read. Do I have to go through and click Deny on 60 check boxes, or is there a better way to make this branch read-only?
Right-click the branch in the Source Control Explorer, and select the Lock... option
EDIT: This seems to get missed a lot when people are finding this so I'll make it more obvious.
Locks appear as a "pending change" for the person who locked the item. As long as the lock is in effect, it will appear as a pending change. When a commit is made of that pending change, the lock is released. While the lock is in effect, the locked branch is effectively read-only, since (to simplify) the locker is the only user who can make commits. The act of committing is what releases any locks on the branch.
h/t @AakashM for pointing that out in the comments
As a quick-n-dirty, you could Lock it for Check Out (although the locker would have to remember to keep the lock in their pending changes forever... which makes me think there's a better way)
To answer the 2nd part of the question -- removing or denying the Read permission effectively denies everything else.
As is mentioned above locking is not a very nice strategy. The correct way of handling this is setting permissions.
You can effectively make files readonly. Users trying to modify the files will get a message 'checkout denied'
https://msdn.microsoft.com/en-us/library/ms252587.aspx#project_level
In VS2013: Team Explorer -> Settings -> Security/Version Control
Deny Check In for domain\domain users
If you have inheritance set to 'On', the best way I've found is to:
- 'Deny' all permissions except 'Read' to the 'Reader' group, and
- Add all other groups (except Project Administrators) to the 'Reader' group.
Then, all groups within the Reader group will inherit the 'Deny' permissions and not be able to do anything but read.
来源:https://stackoverflow.com/questions/1038595/making-a-tfs-branch-read-only