Tuesday, November 12, 2013

Access Denied: XXX needs the following permission(s) to perform this action: View collection-level information

Due to a misunderstanding, my Windows account on the server that hosts TFS 2010 was deleted through 'Computer Management->System Tools->Local Users & Groups'. I then found I had a problem logging in.


After I added my account back, I encountered this error message when connecting from VS2010:

Access Denied: 'XXX\gan' needs the following permission(s) to perform this action: View collection-level information.


On the TFS server, I launched the "Team Foundation Server Administration Console" and found that my Windows account was still listed there. I knew my account was no longer associated with TFS properly.


According to MSDN's 'Team Foundation Server Permissions' page, it has something to do with 'Project-Level Permissions':

| Permission Name | Name at Command Line | Description |
|---|---|---|
| Create test runs | PUBLISH_TEST_RESULTS | Users who have this permission can add and remove test results and add or modify test runs for the team project. |
| Delete team project | DELETE | Users who have this permission can delete the project for which they have this permission from Team Foundation Server. |
| Delete test runs | DELETE_TEST_RESULTS | Users who have this permission can delete a scheduled test for this team project. |
| Edit project-level information | GENERIC_WRITE | Users who have this permission can edit project-level permissions for users and groups on Team Foundation Server. |
| Manage test configurations | MANAGE_TEST_CONFIGURATIONS | Users who have this permission can create and delete test configurations for this team project. |
| Manage test environments | MANAGE_TEST_ENVIRONMENTS | Users who have this permission can create and delete test environments for this team project. |
| View project-level information | GENERIC_READ | Users who have this permission can view project-level group membership and the permissions of those project users. |
| View test runs | VIEW_TEST_RESULTS | Users who have this permission can view test plans in this node. |


Browsing from 'Source Control Explorer', I really had no idea whether my account was still there. Can you tell?



With no other choice, I had to remove and re-add it. After adding my Windows account in the "Team Foundation Server Administration Console->Administration Console Users->Add", no error was shown, but my Windows account was not there.


I opened the log, and found there's an error.
[Info   @01:36:05.790] -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
[Info   @01:36:05.790] Running Readiness Checks ...

[Info   @01:36:05.790] -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

[Info   @01:36:05.791] 

[Info   @01:36:05.791] -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

[Info   @01:36:05.791] Activity.Verify

[Info   @01:36:05.792] -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

[Info   @01:36:05.797] Verify: AccountsChecks(VCONTAINER): Starting Verification

[Info   @01:36:05.797] A generic container node that does not contribute to results

[Info   @01:36:05.797] "Verify: AccountsChecks(VCONTAINER): Exiting Verification with state Ignore and result Ignore"

[Info   @01:36:05.798] Verify: AccountsChecks\Verify Accounts Feature(VCHANGEFEATURE): Starting Verification
[Info   @01:36:05.798] Verifies a condition
[Info   @01:36:05.798] "Verify: AccountsChecks\Verify Accounts Feature(VCHANGEFEATURE): Exiting Verification with state Completed and result Success"

[Info   @01:36:05.798] Verify: AccountsChecks\Verify Accounts Account(VACCOUNTVALID): Starting Verification

[Info   @01:36:05.798] Verifies the account is a valid account

[Info   @01:36:05.799] "Verify: AccountsChecks\Verify Accounts Account(VACCOUNTVALID): Exiting Verification with state Completed and result Success"

[Info   @01:36:05.799] Verify: AccountsChecks\SqlLogin(VSQLLOGIN): Starting Verification

[Info   @01:36:05.799] Verifies the given account does not already have a SQL login that is denied access or with the wrong SID

[Info   @01:36:05.801] Verifying SQL login of account XXX\gan does not exist on XXX\SqlExpress, or if it exists, it does not have a different SID and it is not denied access to the server.

[Error  @01:36:05.805] The login for the given account has the wrong SID.

[Error  @01:36:05.805] !Verify Error!: TF255441: An orphaned SQL Server login is associated with the following account: XXX\gan. The login has an incorrect security identifier (SID). The server selected to host the databases for Team Foundation Server is: XXX SqlExpress. You must delete the login from the SQL Server instance on that server.

[Info   @01:36:05.805] "Verify: AccountsChecks\SqlLogin(VSQLLOGIN): Exiting Verification with state Completed and result Error"

[Info   @01:36:05.805] Verify: AccountsChecks\DBExists(VDBEXISTS): Starting Verification

[Info   @01:36:05.805] Sql Database Existance Verification

[Info   @01:36:05.809] "Verify: AccountsChecks\DBExists(VDBEXISTS): Exiting Verification with state Completed and result Success"

[Info   @01:36:05.809] !Verify Result!: 4 Completed, 0 Skipped: 3 Success, 1 Errors, 0 Warning

It looks like TFS only caters for an account when it does not exist, but it cannot re-create the account due to a security issue.

So, I had to go to MSSQL-Express and remove my Windows account.
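
The readiness check fails because a Windows account that is deleted and re-created under the same name receives a new SID, while the SQL Server login keeps the old one. The PowerShell script below is an added example, not part of the original post: it lists the Windows logins on an instance and compares each stored SID with the SID Windows resolves today. The instance name `SERVERNAME\SqlExpress` is a placeholder, and the script assumes it runs under an account that can read `sys.server_principals`.

```powershell
# Added example: find Windows logins in SQL Server whose stored SID no longer
# matches the SID Windows currently resolves for the same account name.
param(
    [string]$Instance = 'SERVERNAME\SqlExpress'   # placeholder instance name
)

# 'U' = Windows user login, 'G' = Windows group login.
$query = "SELECT name, sid FROM sys.server_principals WHERE type IN ('U','G')"

$conn = New-Object System.Data.SqlClient.SqlConnection
$conn.ConnectionString = "Data Source=$Instance;Initial Catalog=master;Integrated Security=True"
$conn.Open()
$logins = @()
try {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $query
    $reader = $cmd.ExecuteReader()
    while ($reader.Read()) {
        # SQL Server stores the SID as varbinary; convert it to S-1-5-... form.
        $bytes = [byte[]]$reader['sid']
        $sid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $bytes, 0
        $logins += New-Object PSObject -Property @{ Name = $reader['name']; StoredSid = $sid.Value }
    }
    $reader.Close()
}
finally { $conn.Close() }

foreach ($login in $logins) {
    $currentSid = $null
    try {
        # Ask Windows which SID the account name maps to right now.
        $account = New-Object System.Security.Principal.NTAccount($login.Name)
        $currentSid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
        $status = if ($currentSid -eq $login.StoredSid) { 'OK' } else { 'SID mismatch' }
    }
    catch {
        # Translate() throws when the name cannot be resolved to an account.
        $status = 'Not resolvable in Windows'
    }
    New-Object PSObject -Property @{
        Login = $login.Name; StoredSid = $login.StoredSid
        CurrentSid = $currentSid; Status = $status
    } | Select-Object Login, Status, StoredSid, CurrentSid
}
```

A login reported as `SID mismatch` is the orphaned-login case that TF255441 describes; the script only reports and changes nothing on the instance.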


You can check the DB used in 'Data Tier Summary' at "Team Foundation Server Administration Console" (more info at 'Team Foundation Server Databases'):


After adding my Windows account again in the "Team Foundation Server Administration Console->Administration Console Users->Add", everything was OK!
[Info   @01:51:33.399] -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
[Info   @01:51:33.399] Adding account to collection databases ...

[Info   @01:51:33.399] -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

[Info   @01:51:33.400] Getting collections...
[Info   @01:51:33.401] Changing collection: DefaultCollection
[Info   @01:51:33.403] ConnectionString: Data Source=XXX\SqlExpress;Initial Catalog=Tfs_DefaultCollection;Integrated Security=True

[Info   @01:51:33.405] ModifyExecRole: Add:XXX\gan

[Info   @01:51:34.498] result: Success

[Info   @01:51:34.499] Added XXX\gan to Tfs_DefaultCollection (XXX\SqlExpress)

[Info   @01:51:34.499] Changing collection: YYY

[Info   @01:51:34.502] ConnectionString: Data Source=XXX\SqlExpress;Initial Catalog=Tfs_YYY;Integrated Security=True

[Info   @01:51:34.503] ModifyExecRole: Add:XXX\gan

[Info   @01:51:35.381] result: Success

[Info   @01:51:35.381] Added XXX\gan to Tfs_YYY (XXX\SqlExpress)

[Info   @01:51:35.388] ADDCOLLACCOUNT Completed.

[Info   @01:51:35.389] Starting Node: ADDSYSTEMDBACCOUNT

[Info   @01:51:35.389] Add account to system dbs

Done. (You might need to re-map your workspace after this.)