Jean-Pierre Fouché has a nice tip for TFS security.
http://dotnet.org.za/jpfouche/archive/2006/02/27/50544.aspx
"A concern a lot of us have with Team System security is that it is spread across three layers: SQL Reporting Services, Windows SharePoint Services and Team Foundation Server. General practice indicates that you should create three separate lists of Users/Roles to manage access to Team System - a tedious process.
You can simplify your administration by rather creating a single list of users and groups in Windows. The Windows groups can then be added as members of SQL RS, WSS and TFS roles."