PM Security Issue

Matt Kennedy

Problem:
As soon as Project Manager A adds Project Manager B to his project team
using "Build Team From Enterprise" Project Manager B seems to automatically
get Read/Write access to Project Manager A's plan. In turn if Project Manager
A removes Project Manager B from his team Project Manager B cannot even see
Project Manager A's plan when doing File>Open.

Specifics:
- Both Project Managers are ONLY members of the Project Managers Group. I
verified they are not part of any other group.
- Neither Project Manager has any individual permissions assigned to their
user accounts. They only get what they inherit from the Project Managers
Group.
- The Project Manager Group global permissions are set to very near if not
at product defaults.
- The only Categories the Project Managers Group has access to are My
Projects which is assigned the default Project Managers security template and
My Organization with only 4 permissions (assign resource, build team on
project, see enterprise resource data, and view risks, issues, and documents).
- Using Project Server 2003.

Additional Testing:
In fact I can even take away the My Organizations category from the Project
Managers group and if they are added to any plan as a team member they get
read/write access.

Last but not least if I simply remove the Project Manager Group and add the
Team Member Group to this user (oh and the read enterprise global permission
so they can connect to project server with Project Pro) I do not have this
problem.

Makes no sense to me. If simply adding a project manager to a project plan's
team automatically gives them read/write access to that plan that seems like
a pretty big security issue.
 
Dale Howard [MVP]

Matt --

Your problem is caused by the security permissions in the My Projects
category. By default, the following permission settings are selected in the
Projects section of the My Projects category:

-- Allow users in this category to view all projects they manage
-- Allow users in this category to view all projects in which they are a
team member
-- Allow users in this category to view all projects assigned to resources
that they manage

Because of the second permission, Project Server allows Project Manager B to
open and save the project in which he/she is a team member. You may wish to
deselect this option if this situation presents a security problem in your
environment. Hope this helps.
 
Matt Kennedy

Dale,

Thank you very much for the reply and help! When I read the name and
description for that permission it states that it is a permission to "view"
and says nothing about the ability to save or update. I read it literally. My
confusion.

Maybe you can help just a bit further... What we really need is for a
Project Manager to be able to create a project and build a team which might
include a mix of team members that incidentally be members of either the
Project Manager or Team Member security groups. Further we need to ensure
only the owner/creator of the project (the Project Manager that created the
plan and built the team) to have write privs and all team members (including
any that might be members of the Project Manager Group security level) to
have only read-only privs to that plan!

Thoughts?

Thanks again!

-Matt
 
Dale Howard [MVP]

Matt --

Your misunderstanding is very common about the security connection between
Categories and Groups. Here's one way to think of it:

1. Categories control what you can see
2. Groups control what you can do with what you can see

When you go to the Modify Group page for the Project Managers group, you can
see a Categories section. If you select the My Projects category in the
list on the right, you will see that the Permissions grid in that section
activates, showing the permissions for the objects in that category. You
will see that the Open Project and Save Project permissions are both set to
Allow. See how the Group and Category work together to control what you can
do and what you can see, and ultimately, what you can do with what you can
see?

In your situation, it sounds like you want to be able to do the following:

1. Project managers can open their own projects Read/Write
2. Project managers who are team members can open those projects Read-Only

If this is the case, then you should follow my initial instructions to
deselect the "Allow users in this category to view all projects in which
they are a team member" option for the My Projects category. Then you could
create a new Category called "My Projects as Team Member" and select that
specific permission for the Category. Then add that Category to the Project
Managers group, select the new Category from the list on the right and then
set the "Open Project" permission to Allow (leave the Save Project
permission for that Category with neither the Allow nor Deny permission
selected). I believe this will take care of the permissions for your
project managers.

Beyond this, you should also edit the My Tasks category to include the
Project Center and Project views that you want team members to view. I
believe this should take care of meeting your reporting needs for team
members. Hope this helps.
 
Mauricio@BVFG

Dale,

I have the biggest confusion you can imagine when trying to define views and
setting Groups and Categories. I'm following your Administering and
Enterprise PMO book which on page 182 reads "Groups control what you can
do.... Categories control what you can do it to project server" - should it
say "how you can do it" ?

My real question goes to: is there a graphic model that helps understand
this complex combination?
 
Dale Howard [MVP]

Mauricio --

Think about this:

1. Groups control what you can do. The Project Managers group has a
permission called Open Project. When I am a member of this Group, this
gives me permission to open projects in Microsoft Project Professional.
However, which specific projects can I open???

2. Categories control what you can do it to. The My Projects category
controls access to projects, resources, and views. The default permissions
in this category give me access to any project for which I am the manager,
in which I am a team member, and in which my resources are team members.
Therefore, any project that meets one of the three permissions above is
considered one of "my projects."

3. When the My Projects category is included in the Project Managers group,
the Group controls what I can do (open a project) and the Category controls
what I can do it to (namely, open a project that is one of "my projects").

To the best of my knowledge, there is graphical presentation of these
concepts, but perhaps this is something we can include in the second edition
of our Project Server 2003 book for administrators. Thanks for asking.
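
The Group and Category interaction described in this thread, and the "My Projects as Team Member" split suggested earlier, as an added example that is not part of the original posts and is not Project Server code. It is a simplified model: the class and function names are hypothetical, the "resources that they manage" rule is left out, and Deny settings are not modelled.

```python
# Simplified model of the Group x Category evaluation described in the thread.
# Not Project Server code; all names and data here are illustrative assumptions.
from dataclasses import dataclass, field

MANAGER, TEAM_MEMBER = "manager", "team_member"

@dataclass
class Project:
    name: str
    manager: str
    team: set = field(default_factory=set)

    def relationships(self, user):
        rel = {MANAGER} if user == self.manager else set()
        return rel | ({TEAM_MEMBER} if user in self.team else set())

@dataclass
class Category:
    name: str
    includes: set   # relationships that place a project in this category

def effective_permissions(user, project, group):
    """group: list of (Category, permissions set to Allow for that Category)."""
    rel = project.relationships(user)
    granted = set()
    for category, allowed in group:
        if rel & category.includes:   # the Category decides what is in scope
            granted |= allowed        # the Group's grid decides what is allowed on it
    return granted

def access_level(perms):
    if {"Open Project", "Save Project"} <= perms:
        return "read/write"
    return "read-only" if "Open Project" in perms else "not visible"

# Constructed sample data: PM_A manages the plan, PM_B was added via Build Team,
# PM_C is a project manager with no relationship to the plan.
plan = Project("Plan A", manager="PM_A", team={"PM_B"})

default_pm_group = [
    (Category("My Projects", {MANAGER, TEAM_MEMBER}), {"Open Project", "Save Project"}),
]
split_pm_group = [
    (Category("My Projects", {MANAGER}), {"Open Project", "Save Project"}),
    (Category("My Projects as Team Member", {TEAM_MEMBER}), {"Open Project"}),
]

def levels(group, project=plan):
    users = ("PM_A", "PM_B", "PM_C")
    return {u: access_level(effective_permissions(u, project, group)) for u in users}
```
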
 
