Limit Access to Projects with Category

[wildo]

Does anyone know of a simple way to limit access to "secret" projects (such
as an acquisition) to only selected people, while they and others can still
see "normal" projects? I can create a new group based on Executive and a new
category that has only this project - but these executives should also be
able to see all the other projects, through the default Executive group and
My Organization category. But using My Organization in its default settings
would allow ANY Executive to also see the "secret" project (I think), unless
the Current and Future Projects were changed in My Organization - and then I
would need to add every new project to My Organization manually, creating a
maintenance nightmare. I'm trying to avoid RBS, particularly since people on
these special teams are selected from all over the company temporarily and
it's not an entity in the org chart (and I have have many other reasons to
avoid RBS). Seems like there should be a simple way using groups and
categories. Any ideas?

 

[Paul Conroy]

Create a new Security group and category.

Add those staff who you want to access the secret projects to the new group.

Add the secret project exclusively to the new category and give the new
security group access to the category. Apply deny permissions to all other
security groups for the new category.

If staff in the new security group belong to other groups then they will
also be denied, so you will have to remove them from all other groups. You
may have to create a number of different security groups to manage different
roles for the secret projects.

ie secretPMs, secretTeamMembers

each with a different set of permission to the secret project.

The new security group(s) will also need to be given access to existing
categories in order maintain their current permissions.

 

[wildo]

Thanks for the response. Your description is how I've already set it up,
except I haven't used any specifc denies. Maybe I'm misunderstanding how it
should behave.

The problem that will remain, is that if I still use the default Executives
Group and the default My Organization, this secret project will still show to
anyone in the Executives Group - unless DENY fixes that?? Will using DENY in
the new group prevent the secret project from showing through the My
Organization Category?

It seems that the only way is to eliminate the My Organization category and
create a new category that specifies all non-secret projects with "Only the
projects indicated", or change My Organization to use "Only the projects
indicated" instead of "All current and future projects".

Either way, I'm forced to put manually every new project into a category. I
want it automatic (all current and future projects) for all except this
secret category.

Is my thinking correct, or is there another way?

 

[Paul Conroy]

Deny permissions take precedence over any allow permissions, so if a security
group is granted access to the secret projects via My Organisation, the deny
permission in the new category will override it.

The only projects you need to manually enter in a category should be the
"secret" project.

 

[wildo]

Got it. Thanks a lot!

Deny permissions take precedence over any allow permissions, so if a security
group is granted access to the secret projects via My Organisation, the deny
permission in the new category will override it.

The only projects you need to manually enter in a category should be the
"secret" project.