How do I restrict Team Member from opening enterprise resource dat

[LisaD]

We are using PWA 2007.

I was checking permissions for a user I setup as a Team Member. When I went
into Resource Center, the Open button was available. So I clicked it, and it
opened the Enterprise Resource in project professsional. (this user would not
have project professional installed though)

I have set the Team Member template to deny "Edit Enterprise Resource Data",
and the My Tasks category is set to use the Team Member template. The user
is part of the Team Member group. I have not allowed the permission in the
user profile.

Did I miss something, or does the Open button always stay active?

Thanks
\lisa

 

[Jonathan Sofer]

Lisa,

The permission that controls the enabling or disabling of the "Open..."
button in the Resource Center is the global permission "Log on to Project
Server from Project Professional".

You still want to disable "Edit Enterprise Resource Data" so that the user
cannot edit the resource information via PWA (by using the "Edit Details"
button) or Project Professional.

It is interesting to note that you can disable the "Open..." button as I
mentioned in the first paragraph but the "Edit Details" button cannot be
disabled, the user is simply taken to a page that states they do not have
sufficient permissions to view the page.

It is also important to note that best practice calls for not using "Deny"
permission in security groups and especially the "Team Member" group. The
reason for this is that user permissions are layered depending on group
membership and traditionally all users in your system are part of the "Team
Members" group. If you have resource managers or even administrators that
are part of the "Team Member" group, they will not be able to edit resource
information because that "Deny" overwrites any allows they might have via
other group memberships.

It is best practice then to simply leave the permission blank for Team
Members which is what I call a soft deny. This way, if the user is only
part of the "Team Member" group, they will not be able to edit resource
information. But if you elevate their permission by adding them to the
"Resource Manager" group for example, they will then have the ability to
edit resource data via that group.

 

[LisaD]

Jonathan,
Thanks for the fix, it worked.

The wording of the permission is slightly confusing though. "Log on to
Project Server from Project Professional", because what it really did was
open project professional from project server/ PWA.

Originally I set did not have the "edit enterpriser resource data" to deny
(based on the best practices recommendation), but I thought that may have
been my problem, so I changed it. I have changed it back to soft deny.

Appreciate your help

\lisa

 

[Jonathan Sofer]

You are welcome Lisa.

 

[LisaD]

Jonathan,
I am back to the same question again, this time with a different user.

For our project managers, we want them to be able to view the projects Read
only and do what ifs, but not save the changes to the server. (We have a
scheduler that all updates go through).

So I tested whether one of my PM users could edit a project from PWA and
then save the changes, which it allowed.

I double checked that the user is only in the Project Managers group. She
does not have any user permissions assigned. Project Managers are part of
the following categories; My projects, My personal Projects, My Organization.
And she will have Project Professional on her computer.

So to see what would happen, I unchecked Category permission "Open Project",
and Global permission "Log on to Project Server from Project Professional".
As well, the Category permission "Accept task update requests" is unchecked.

When I logged back in (to PWA) as her, I was able to click the edit button
from Project Center. It opened the project plan in professional, and then
prompted to accept the task updates that were pending. It also allowed me to
make a change, save it and republish the project.

I have read every discussion posting, and about 10 different blogs on
permissions, and I am baffled. How come when the permissions are set to soft
deny, does it still allow the user to open and edit the project?

\lisa

 

[Jonathan Sofer]

Hi Lisa,

First you need to verify that the user does not have any permissions set at
the user level. This means when you log into the user account you should
not see any categories assigned to the user and you should see no checkboxes
marked in the global permission section either. It sounds like you already
did that but go back and check again just to make sure.

Second, for debugging purposes, make sure the user is only part of the PM
group and no other group, not even the Team Member group.

Third, you said that PM group is part of the following categories: My
projects, My personal Projects, My Organization. Each of these categories
has their own set of unique category permissions. As you highlight each
category on the right hand box in the PM group, you will see that
permissions settings are different for each category. This might be where
you missed some of the permissions changes. Each category can give
group/user access to different projects and resources based on the category
rules. I would specifically check "My Organization" as this usually gives
the group/user access to ALL projects and resources.

BTW, "Save project to project server" is the permission you would disable to
prevent a user from saving the project back to the server. "Open Project"
will allow them to open the project in Read-Only if they don't have the
"Save project..." permission. And regardless, they will need "Log on to
project professional" to use project pro to connect to the server.

Also, you said you are logging in as that user to test the account, this
means you must have her windows account and login credentials, right?

 

[LisaD]

Jonathan,
1. I verified again that the user permissions are all blank.
2. I verified that she is only part of PM group, not even Team Members.
However she is a resource in a project plan. Would that matter?
3. I double checked the categories for PM, and "Save to Project Server"
were unchecked on all three categories. I made sure "Open Project" was
enabled.

"Log on to project professional" had been enabled originally, then I had
unchecked it to see if that would disable the "edit" capability. I have
re-enabled it in the PM template.

We are not deployed yet with Project Server. I only have a handful of
resources loaded that are helping me test the functionality. I have been
using the "Sign-in as different user" option that appears under the Welcome
Lisa in PWA. In the MS training class I took that is what we did to toggle
between different users with different permissions. If I login as her, but
from my machine does it inherit my permissions?

I tried to get my user to test this on her machine, but she gets a server
error whenever she tries to open project professional, even without being
logged into PWA.

Ideas?
\lisa

 

[Jonathan Sofer]

Login in as the other user in most cases should work fine for permission
testing.

Strange that the user is receiving server errors when opening pro on her
machine. Can you verify her connection string is correct and what the exact
error is?