If a user has access to multiple security groups, does TFS take the highest level group, or the lowest level group for access rights?
For example, if user John, belongs to the Read Group (can only read the source control but not edit) and then is added to the Developer Group (can read and edit source control) which group does TFS recognize?
Since he belongs to both groups can he still only Read since that is the lowest level or can he now edit since he is also part of the Developer Group and that is the highest level?
Permissions
It combines the permissions from all the users groups.
If the user is denied access to anything they still can't access it even if they are given access to it elsewhere.
If the user is given access to something in any group they will have access to it (unless of course something else denies them).
If there's no explicit allow or deny in any of the users groups, they will be denied access.
Access Levels
Access levels are done separately from group permissions - access can be set to limited, standard or full in the tfs 2012 admin area.
For TFS 2010 the only group that acted a bit weirdly was the work item only group, which afaik acted as a explicit deny on everything but editing your own work items. This functionality is replaced with access levels in tfs 2012.