Security Access Rights

When you install VSS, the default security system is enabled. You can, however, customize security in your installation to allow only specific users to have access to certain projects and certain commands.

Default Security

Default security in a VSS installation is simple. The administrator has only two levels of access rights to choose from when adding new users to the VSS installation:

Read-only rights: The user can see everything in VSS but can change nothing.
Read/write rights: The user can see and change anything in the VSS database.

Each time you add a user to your installation, you determine the level of access rights for the new user. The Add User dialog box contains a check box labeled Read only. When you select this check box, the new user can read files but cannot change them. When you leave the box clear, the new user has read/write access to all commands and all projects.

If these levels of access rights are adequate for your installation, you need do nothing further to enhance security. With this level of security, security-related commands available from the Tools menu are disabled. For more options, see "Project Security User Access Rights" later in this topic.

Setting Security for VSS Administrator

All VSS security is governed from inside VSS Administrator. Any user who can run that program can effectively do anything within VSS, so access to the Administrator program should be protected. You have two ways to guard access:

Assign a password to the Admin user by using the Change Password command.
Important If you forget the password assigned to the administrator, you cannot run VSS Administrator to change it. Write the password in a very safe place. If the administrator's password is lost, contact Microsoft Technical Support for assistance.
Protect VSS Administrator by controlling access to the folder that it runs from at the operating system level.

Project Security User Access Rights

Project security in VSS is based on user access rights. Each project is accessible only to those users who have the appropriate rights. Each command can be used only by those users who have the rights associated with that command.

There are four user access rights, described in the following table.

Note Each right includes all the rights that precede it. For example, the Check Out right includes the Read right.

Rights	Description
Read (R)	View, but not change, files by using such commands as View and Get.
Check Out (C)	Modify files by using such commands as Check Out, Check In, and Undo Check Out. These rights are often assigned to QA engineers and to technical writers.
Add (A)	Modify the file list by using such commands as Add, Delete, Label, and Rename. Some companies give all programmers this right while other companies reserve this right for project managers.
Destroy (D)	Perform destructive operations on files by using such commands as Destroy, Purge, and Rollback. In organizations where security is prized, this right is granted only to project managers or the administrator. You must have Destroy rights to deploy a Web site.

When you activate project security, you enable the security-related commands on the Tools menu: Rights by Project, Rights Assignments for User, and Copy User Rights.

Each VSS command has certain access rights associated with it. For example, the Label command requires Add rights. For more information, you can check the Microsoft Knowledge Base article Q138479.

For information on how to set security access rights, refer to: