How to set up permissions so that Project Managers can Save their own projects, and open all others in Read Only mode

This question comes up again and again, and I can’t remember where I found this information from all those years ago (it applied to Project 2003), but I wrote it down and seem to use it for most clients.  It’s easily adaptable for Project Server 2007 – one day I’ll write it properly and update it for 2007!

Project Server Security (P2003)

Overview

Project Server Security is complex. There are two types of permissions, five places to set them, and three conditions for each permission (allow/deny/soft deny). Appendix C & D of the Project Server Administrators Guide should be used for further reference.

Permissions

There are two types of permissions: data permissions (what data the user can see) and use permissions (what features the user can use). A permission's type is not readily apparent from its name. Microsoft use the term global for use permissions and category for data permissions. Additionally, they use the term Organisational Permissions, which is the set of permissions set for the whole organisation and encompasses all of the use (global) permissions plus the 14 data (category) permissions.

The Roles of Security Templates, Groups & Categories

A security template is a predefined list of all the permissions (data & use). This list is ordered by permission area (admin, collaboration etc). Templates should ideally be named the same as groups.

A Group is a collection of users. A single user can belong to multiple groups. The use permissions are determined at the group level, and therefore group membership is the primary factor in determining the functionality that a user has within the system.

A Category is used to define the data permissions (hence Microsoft's term, Category Permissions), i.e. what data a user can see, what actions they can perform on that data, and which views they can use to see the data. Categories are applied to groups; a single group can have multiple categories applied to it, and a category can be applied to multiple groups.

The permissions applied to each user are therefore a combination of the categories and the group membership.

Allow/Deny

Three settings are possible for any permission: ALLOW, DENY, and soft deny. Soft deny (blank) is implicit if neither allow nor deny is selected. If a permission is set to deny in one place in the system, that becomes an absolute deny everywhere in the system, even if the permission has been set to allow elsewhere. If the permission is blank, the decision as to whether to allow or deny the permission is made elsewhere in the system.

Server Configuration Features

This is available in the PWA Admin tab, under Server Configuration, in the "Select the features that you want to make available to users in Project Web Access" section. Set each of these use permissions to either ALLOW or DENY; leaving a permission blank here is inappropriate. The permissions listed here are the use permissions.

Templates

Use the templates to define a set of permissions for a particular role. The templates contain data and use permissions. Only change a use permission here to DENY if you want to deny, for a particular group, a permission that has been globally allowed (via the Server Configuration Features above). This is the first opportunity to set permissions, so they should be set here to allow/deny as appropriate.

Categories

Categories define data permissions, and are further refined by data restrictors. Categories are assigned to groups, and a group may have more than one category assigned to it.

Groups

The use permissions are set by the group. Assign the use permissions by applying the relevant template.

Users

Users are placed in groups. Never assign permissions directly to a user; troubleshooting the security will become too complex.

Recommendations

Security should be established in the following order:

  • Set universal allow/deny in server configuration
  • Define the roles within the organisation, and create a security template for each role
  • Define groups and assign data permissions using the template
  • Define the categories, and assign them to the groups
  • Assign resources to groups

See Figure 1 below for a graphical view of this.

[Figure 1: graphical view of the order in which security is established (image not available)]

Initial setup for Acme PLC

The following was set up on the live system for Acme PLC and used as a basis for security. What I've done here is create categories called GROUP_NAME – See Everything. Within the category setup you need to select the option that says "See all future Projects/Resources in the Database".

Templates

  • Resource managers – see everything
  • Execs – see everything
  • Portfolio managers – mod all (no admin)
  • Project managers – see everything
  • Team members – see everything except money

Categories

  • Resource managers – see everything
  • Execs – see everything
  • Portfolio managers – mod all (no admin)
  • Project managers – see everything
  • Team members – see everything except money

Groups

  • Resource managers -> CATEGORY = Resource managers – see everything
  • Executives -> CATEGORY = Executives – see everything
  • Portfolio managers -> CATEGORY = Portfolio managers – mod all (no admin)
  • Project managers -> CATEGORY = Project managers – see everything *(when you make this assignment for the category you need to enable the category permission to open all projects in the database, but not to save them)* -> CATEGORY = Project managers
  • Team members -> CATEGORY = Team members – see everything except money
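To make the allow/deny/soft-deny rule and the Project managers set-up above concrete, here is a small model of how the effective permission falls out of the places it is set. It is an added example written for this page, not Microsoft's code and not a Project Server API: the dictionaries, the `resolve` and `can` functions, the user names alice/bob/carol and the projects Alpha/Bravo are all constructed. The point it shows is why the "see everything" category must leave Save blank rather than DENY: a DENY anywhere is absolute, so it would also stop a Project Manager saving their own projects through the second category.

```python
from copy import deepcopy
from enum import Enum


class Setting(Enum):
    """The three states a permission can take in any one place."""
    ALLOW = "allow"
    DENY = "deny"
    BLANK = "blank"   # soft deny: defers the decision to the other places


def resolve(settings):
    """Combine one permission's settings from every place it was set.

    Rule from the post: a DENY anywhere is absolute, even if ALLOW is set
    elsewhere; otherwise a single ALLOW grants; all blank is a soft deny.
    """
    settings = list(settings)
    if Setting.DENY in settings:
        return False
    return Setting.ALLOW in settings


# --- constructed sample configuration (assumed names, not a real export) ---
A, D, B = Setting.ALLOW, Setting.DENY, Setting.BLANK

# Use permissions switched on or off for the whole organisation.
SERVER_CONFIG = {"Open Project": A, "Save Project": A, "Manage Users": D}

# Templates set use permissions per role; each group applies one template.
# Team members get a DENY on Save: the one case where a template should deny
# something that server configuration has globally allowed.
TEMPLATES = {
    "Project managers - see everything": {"Open Project": A, "Save Project": A},
    "Team members - see everything except money": {"Open Project": A, "Save Project": D},
}

# Categories set data permissions; "scope" stands in for the data restrictor.
CATEGORIES = {
    # Opens every project in the database; Save is BLANK, not DENY, on purpose.
    "Project managers - see everything": {
        "scope": "all", "permissions": {"Open Project": A, "Save Project": B}},
    # Adds Save only for projects the user owns.
    "Project managers": {
        "scope": "own", "permissions": {"Open Project": A, "Save Project": A}},
    "Team members - see everything except money": {
        "scope": "all", "permissions": {"Open Project": A, "Save Project": B}},
}

GROUPS = {
    "Project managers": {
        "template": "Project managers - see everything",
        "categories": ["Project managers - see everything", "Project managers"]},
    "Team members": {
        "template": "Team members - see everything except money",
        "categories": ["Team members - see everything except money"]},
}

USERS = {"alice": ["Project managers"], "bob": ["Project managers"], "carol": ["Team members"]}
PROJECTS = {"Alpha": "alice", "Bravo": "bob"}   # project -> owner (constructed)


def can(user, permission, project=None, categories=CATEGORIES):
    """Effective check: the use permission first, then the data permission for the project."""
    use_places = [SERVER_CONFIG.get(permission, B)]
    for group in USERS[user]:
        use_places.append(TEMPLATES[GROUPS[group]["template"]].get(permission, B))
    if not resolve(use_places):
        return False
    if project is None:
        return True
    data_places = []
    for group in USERS[user]:
        for name in GROUPS[group]["categories"]:
            cat = categories[name]
            covers = cat["scope"] == "all" or PROJECTS[project] == user
            if covers:
                data_places.append(cat["permissions"].get(permission, B))
    return resolve(data_places)


def hard_deny_mistake():
    """The common misconfiguration: DENY Save in the see-everything category."""
    broken = deepcopy(CATEGORIES)
    broken["Project managers - see everything"]["permissions"]["Save Project"] = D
    return broken


if __name__ == "__main__":
    checks = [("alice", "Save Project", "Alpha"), ("alice", "Save Project", "Bravo"),
              ("alice", "Open Project", "Bravo"), ("carol", "Save Project", "Alpha"),
              ("alice", "Manage Users", None)]
    for user, perm, proj in checks:
        print(f"{user:6} {perm:13} {proj}: {can(user, perm, proj)}")
    print("with DENY in see-everything, alice saves her own Alpha:",
          can("alice", "Save Project", "Alpha", hard_deny_mistake()))
```

Run as written, alice (a Project Manager) can save Alpha, which she owns, but only open Bravo; carol (a Team Member) cannot save anything because the template deny wins over the server-wide allow; and nobody gets Manage Users because it is denied in server configuration. Swapping the blank for a DENY in the see-everything category is enough to take away alice's save on her own project too, which is the trap the note on the Project managers group is warning about.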
