I kind of answer my own question here:
It turns out the 8 permissions I listed before are overall "project level" permissions; they are not workitem permissions. To access the workitem permissions, I need to go to a different part of the team explorer, as summarized below:
Steps to define a new group to R/W workitems only:
1. Right click on project in team explorer, select "Group Membership", click "New" and define a new TFS group.
2. Right click on project in team explorer, select "Areas and Iterations", then select the "Area" tab, then click the "Security" button. Check the radio button "Team foundation Server group" and click "Add". Select the newly created group. Then in the permission pane, check the radio buttons "Edit work items in this node", "View this node", and "View work items in this node".