When restricting the users or groups that can transition states of a work item type, there’s a little something you should pay attention to.
Let’s say you want to restrict who can create a given type of work item to users of a custom “NewTesters” TFS Group. The docs say you should do something as follows:
<TRANSITION from="Resolved" to="Complete" for="[project]\AllTesters" not="[project]\NewTesters">
</TRANSITION>
In the “for” attribute, some people may think that “[project]” is a placeholder for the project’s name, but it is meant as a literal.
If your Team Project is named TheGreatestProjectEver, you should use "[project]\AllTesters" literally, as stated in the documentation, and not "TheGreatestProjectEver AllTesters".
Using "TheGreatestProjectEver AllTesters" will return:
“Warning: TF26171: (User/group {0} is not found.
TF26204: The account you entered is not recognized. Contact your Team Foundation Server administrator to add your account.”
DOMAIN\user and DOMAIN\group also work, though not in a straightforward manner. I can get only one of our AD groups to work, and can’t spot any sort of reason for it. If I add users as LISTITEM elements in a random order, the list is sorted alphabetically. I want to test duplicates in multiple groups but can’t get any other group to work.
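A pre-import check for the mistake described above, as an added example (not code from the original post or from TFS): it scans a work item type definition for "for"/"not" values on TRANSITION elements that use the team project's name, or no scope at all, where the literal [project] token is expected. The sample XML, the function names and the project_name parameter are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample; only the first TRANSITION matches the post's snippet.
SAMPLE_WIT = r"""<TRANSITIONS>
  <TRANSITION from="Resolved" to="Complete" for="[project]\AllTesters" not="[project]\NewTesters" />
  <TRANSITION from="Active" to="Resolved" for="TheGreatestProjectEver\AllTesters" />
  <TRANSITION from="Resolved" to="Active" for="[TheGreatestProjectEver]\AllTesters" />
  <TRANSITION from="Active" to="Complete" not="NewTesters" />
  <TRANSITION from="Complete" to="Active" for="DOMAIN\group" />
</TRANSITIONS>"""


def classify(identity, project_name):
    """Return None if the identity looks well-scoped, else a reason string."""
    scope, sep, name = identity.partition("\\")
    if not sep or not name.strip():
        return "no scope prefix (expected [project]\\Group or DOMAIN\\name)"
    if scope.lower() == "[project]":
        return None  # the literal token the post describes
    if scope.strip("[] ").lower() == project_name.lower():
        return "project name used as scope; write the literal [project]"
    return None  # anything else is treated as DOMAIN\name (assumption)


def lint_transitions(xml_text, project_name):
    """List (from, to, attribute, value, reason) for each suspect for/not value."""
    findings = []
    for t in ET.fromstring(xml_text).iter("TRANSITION"):
        for attr in ("for", "not"):
            value = t.get(attr)
            if value is None:
                continue
            reason = classify(value, project_name)
            if reason:
                findings.append((t.get("from"), t.get("to"), attr, value, reason))
    return findings


if __name__ == "__main__":
    for finding in lint_transitions(SAMPLE_WIT, "TheGreatestProjectEver"):
        print("%s -> %s: %s=%r: %s" % finding)
```

Running it against an exported definition before import surfaces the values that would otherwise come back as TF26171.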