Permissions for Labeling

A colleague of mine ran across an interesting scenario today. They have a large Team Project with multiple code bases in it. They control permissions in Source Control so only certain groups can work on certain code lines. An example is something like this:

$/TeamProject/CodeLine1
$/TeamProject/CodeLine2

They wanted to ensure that only "CodeLine1 Contributors" could label CodeLine1. And vice versa. To do this, they gave "CodeLine1 Contributors" LABEL permission to $/TeamProject/CodeLine1. And vice versa. But when a member of "CodeLine1 Contributors" tried to label "CodeLine1" they got the error TF14098: Access Denied: User %USER% needs Label permission(s) for $/TeamProject.

My assumption is that when you label a folder in the structure, the label is actually applied to the folder's parents as well. I'm pretty sure there is good reason for that. I'm guessing it has something to do with the fact that when you label something you want to take a point-in-time baseline of the artifacts. Since the parents are part of the artifact structure, it applies the label to the parent as well. This is just a hypothesis, but I think it makes sense.

Anyway, to fix this "CodeLine1 Contributors" and "CodeLine2 Contributors" need label access to $/TeamProject. At that point then I think you can DENY "CodeLine1 Contributors" on CodeLine2 and DENY "CodeLine2 Contributors" on CodeLine1. Obviously if you have a ton of code lines in one Team Project this can take a few minutes to get setup. The good thing is, I think you only have to do it once.

Please feel free to refute my assumptions if you find them incorrect.