Getting started with Repository Management Delegation

VisualSVN Repository Configurator is a standalone tool that allows non-administrative users to manage permissions for repositories hosted on VisualSVN Server. Repository Configurator uses WMI (Windows Management Instrumentation) to communicate with a remote VisualSVN Server instance. The WMI technology provides the best level of security but requires additional configuration steps to be taken.

The following main steps are required to allow a user to manage permissions for a particular repository:

  1. Make the user a supervisor for the particular repository.
  2. Grant user permissions to access the server remotely using WMI:
    1. add user to the VisualSVN Repository Supervisors local group;
    2. add user to the Distributed COM Users local group.
  3. Check that WMI is allowed in the Windows Firewall.

As a prerequisite, users are required to install VisualSVN Repository Configurator on their computers. Download VisualSVN Repository Configurator at the dedicated download page. Also consider the KB67: Automated deployment of VisualSVN Repository Configurator using Group Policy article.

Make the user a supervisor for the particular repository

The main step is to allow a user to manage permissions for a particular repository hosted in VisualSVN Server. This step can be completed by VisualSVN Server administrator who has access to VisualSVN Server Manager console. In order to grant supervisor access to a particular repository, perform the following steps:

  1. Start VisualSVN Server Manager.
  2. Expand Repositories node.
  3. Right-click the required repository and execute All Tasks | Manage Delegation context menu command.
  4. Check the Enable repository management delegation checkbox to enable delegation for this repository.
  5. Click Add... to open Select Users and Groups dialog.
  6. Select the corresponding Active Directory group or user account and click the OK button.
  7. Click the Apply button.
Note
Repository Management Delegation supports Windows authentication only and does not work with Subversion authentication.

Grant permissions to access the server remotely using WMI

Windows Management Instrumentation (WMI) provides an additional security layer that validates each user before the user is allowed to access WMI. You should adjust WMI permissions before a non-administrative user could connect to a VisualSVN Server instance with VisualSVN Repository Configurator.

In order to grant all the required WMI permissions to manage repository permissions on a remote VisualSVN Server instance to a non-administrative user, you should add the user into the following local groups on the computer where VisualSVN Server is installed:

  • VisualSVN Repository Supervisors,
  • Distributed COM Users.
Tip
Insufficient user access rights are usually identified by receiving the "access denied. (0x80070005)" error message when trying to connect to remote VisualSVN Server instance using the VisualSVN Repository Configurator.

Check that WMI is allowed in the Windows Firewall

Connecting to WMI remotely requires that you first configure the Windows Firewall on the server to allow this. Windows Firewall configuration should be done locally on the server.

Tip
Windows Firewall allows you to select which computers are authorized to access WMI on the server machine. Combined with WMI permissions, it allows you to granularly control who and from which machine is able to manage permissions for repositories hosted on VisualSVN Server. For further details see the TechNet article Firewall Rule Properties Page: Computers Tab.
Note
Incorrect Windows Firewall settings are usually identified by receiving the "RPC server is unavailable. (0x800706BA)" error message when trying to connect to remote VisualSVN Server instance using the VisualSVN Repository Configurator.

Configuring Firewall for VisualSVN Server 5.0 and later

To allow Repository Configurator to access the server through the firewall, please enable the VisualSVN Repository Management Delegation inbound rules. Follow these steps:

  1. Open Windows Defender Firewall.
  2. Click Allow an app or feature through Windows Firewall.
  3. Find the VisualSVN Repository Management Delegation firewall rule group and select the Domain profile.
  4. Click OK.

Enabling the firewall rules allows repository supervisors to access VisualSVN Server using Repository Configurator.

Configuring Firewall for VisualSVN Server 4.3 and older

You can follow these steps to allow WMI connections in Windows Firewall:

  1. Open Control Panel and double-click System and Security.
  2. Click Windows Firewall.
  3. Click Allow a program or feature through Windows Firewall.
  4. Click the Change settings option.
  5. Select the Windows Management Instrumentation (WMI) checkbox.
  6. Click OK.

While Windows Firewall can be configured via the Control Panel, you may find it easier to use the the netsh utility at the command prompt. Appropriate command lines are as follows:

  • For Windows Server 2008 / 2008 R2 / 2012 (note that command line should be executed in the elevated command prompt):
    netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes
  • For Windows Server 2003 / 2003 R2:
    netsh firewall set service RemoteAdmin enable

See also

KB65: Troubleshooting VisualSVN Repository Configurator connection failures
KB67: Automated deployment of VisualSVN Repository Configurator using Group Policy
Last Modified: