TF30063: You are not authorized to access...

Ever try to delete a team project and get the above message? Are you in the Team Foundation Administrators group and scratching your head? I thought TFS admins could do everything! So I finally decided to get a clear understanding of the root cause of this problem.

The resolution is simple: add your account to the site collection administrators for the SharePoint project portal (described here). You can also do this as a Farm Administrator under the Application Management section in Central Administration. Hopefully, as a TFS admin, you've been added to the Farm Administrators group in SharePoint. The nice thing about the Farm Administrators group is that it supports AD groups. The site collection administrators list, however, does not. From Central Administration, you can specify a primary and secondary site collection administrator. Within the settings for the project portal site, you can specify additional users, but you cannot specify groups.

Why can't Farm Administrators admin site collections by default? That's just the way it is. TechNet has a great article describing how SharePoint security works. The key content is as follows:
"Members of the Farm Administrators group have no administrative access to individual sites or their content by default. However, they can take control of a specific site collection to view any content. For example, if a site collection administrator leaves the organization and a new administrator must be added, farm administrators can add themselves as site collection administrators, which action is recorded in the audit logs."
So there it is. In short, the MSDN entry on TFSDeleteProject should include a prerequisite step to make sure you have site collection administrator permissions before running the command.
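
As an added example (not from the original post or from Microsoft's documentation), this PowerShell pre-flight check lists the portal's site collection administrators and reports whether a given account is among them. It assumes SharePoint 2010 or later with the Microsoft.SharePoint.PowerShell snap-in, run on a farm server by an account with SharePoint shell access; the portal URL is a placeholder parameter and the script name is hypothetical.

```powershell
# Test-PortalSiteAdmin.ps1 (hypothetical name): run before TFSDeleteProject.
# Assumption: SharePoint 2010+ server with the SharePoint PowerShell snap-in.
param(
    [Parameter(Mandatory = $true)]
    [string]$PortalUrl,    # placeholder: URL of the team project's portal site collection
    [string]$Account = "$env:USERDOMAIN\$env:USERNAME"
)

if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop
}

$found = $false
$site  = Get-SPSite -Identity $PortalUrl -ErrorAction Stop
try {
    # Claims-mode logins look like "i:0#.w|DOMAIN\user"; strip everything up to
    # the last "|" so they compare cleanly against DOMAIN\user.
    $admins = @($site.RootWeb.SiteAdministrators |
        Select-Object @{ Name = 'Login'; Expression = { $_.LoginName -replace '^.*\|', '' } }, Name)

    # Print the full list: it doubles as a review of who holds this privilege.
    Write-Host "Site collection administrators for ${PortalUrl}:"
    $admins | Format-Table -AutoSize | Out-Host

    # -eq is case-insensitive for strings in PowerShell.
    $found = [bool]($admins | Where-Object { $_.Login -eq $Account })
}
finally {
    # SPSite objects hold unmanaged resources and must be disposed.
    $site.Dispose()
}

if ($found) {
    Write-Host "$Account is a site collection administrator."
    exit 0
}

Write-Warning "$Account is not a site collection administrator; expect the TF30063 error described above."
exit 1
```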

