Project Server Authentication and SharePoint Permissions

[M Colodzin]

I just ran across something that concerns me. I noticed by accident that one
of my users, who is set up wtih Project Server Authentication, can access all
of my SharePoint lists - including custom lists that do not include
permissions for that user. In other words, that user should not be able to
access that custom list.

I double checked and validated that:
1. There are no "standard" user permissions on that list. I removed the
"Reader, Contributor, Wed Designer, Web Administrators (MS Project Server),
Team Members (MS Project Server), etc.
2. The user is not included in the list of users with permissions to access
this list.

I also validated that users set up with Windows Authentication who are not
on this list of permitted users cannot access that same list.

Is there something in the Project Server Authentication that automatically
grants access to all SharePoint lists? If so, how can I disable that?

This is presenting me with an unexpected security hole.

Any input will help!

Thanks,

 

[Marc Soester [MVP]]

Michelle, can I assume that this is a 2003 environment?
Thanks
Marc

 

[M Colodzin]

Hi Marc,

Yes, this is a Project 2003 Server environment. Sorry for not mentioning
that in my original post.

 

[Gary L. Chefetz]

Michelle:

Does this user have domain admin rights or other permissions to administer
your systems at the server level? It doesn't make sense that Project Server
authentication could grant this access as it doesn't work for SharePoint, so
I think you need to look at what access the user has under their standard
windows credentials.

--
----------
Gary L. Chefetz, MVP
MSProjectExperts
Project Server Consulting: http://www.msprojectexperts.com
Project Server Training: http://www.projectservertraining.com
Project Server FAQS: http://www.projectserverexperts.com
Project Server Help Blog: http://www.projectserverhelp.com

 

[M Colodzin]

Hi Gary,

No, this user does not have any kind of administrator rights. Just to be
sure, I created a new user with basic rights which include viewing Proejct
Center, issues, risks and documents, etc., but without rights to the custom
list and that new user was also able to access the custom, secure list.

I went into the custom list and verified that these users (both the new one
and the one I used previously) are not on the list of authorized users.

--
Michelle Colodzin, PMP, PMI-SP

Michelle:

Does this user have domain admin rights or other permissions to administer
your systems at the server level? It doesn't make sense that Project Server
authentication could grant this access as it doesn't work for SharePoint, so
I think you need to look at what access the user has under their standard
windows credentials.

--
----------
Gary L. Chefetz, MVP
MSProjectExperts
Project Server Consulting: http://www.msprojectexperts.com
Project Server Training: http://www.projectservertraining.com
Project Server FAQS: http://www.projectserverexperts.com
Project Server Help Blog: http://www.projectserverhelp.com

 

[Gary L. Chefetz]

Michelle:

I'm stumped. Project Server authentication doesn't give access to
SharePoint. In fact, WSS 2.0 only works with Windows auth. The user is
getting this access through another mechanism.

--
----------
Gary L. Chefetz, MVP
MSProjectExperts
Project Server Consulting: http://www.msprojectexperts.com
Project Server Training: http://www.projectservertraining.com
Project Server FAQS: http://www.projectserverexperts.com
Project Server Help Blog: http://www.projectserverhelp.com

Hi Gary,

No, this user does not have any kind of administrator rights. Just to be
sure, I created a new user with basic rights which include viewing Proejct
Center, issues, risks and documents, etc., but without rights to the
custom
list and that new user was also able to access the custom, secure list.

I went into the custom list and verified that these users (both the new
one
and the one I used previously) are not on the list of authorized users.

 

[M Colodzin]

Thanks for your feedback. I can't imagine where the permission is coming
from, but I'll check with the IT department and see if they can figure it
out. For the time being, it will probably be OK since the only Project
Server authentication we're currently using is for some test accounts that I
control.

 

[Gary L. Chefetz]

Michelle:

Are you using the test accounts when logged in to your computer with your
own credentials. If so, that would explain the access. The system is simply
responding to your Windows credentials which are passed to the server when
you connect. Try logging in to your coputer with a domain account that has
limited access and see if that changes the server response.

--
----------
Gary L. Chefetz, MVP
MSProjectExperts
Project Server Consulting: http://www.msprojectexperts.com
Project Server Training: http://www.projectservertraining.com
Project Server FAQS: http://www.projectserverexperts.com
Project Server Help Blog: http://www.projectserverhelp.com

Thanks for your feedback. I can't imagine where the permission is coming
from, but I'll check with the IT department and see if they can figure it
out. For the time being, it will probably be OK since the only Project
Server authentication we're currently using is for some test accounts that
I
control.

 

[M Colodzin]

Hi Gary,

Yes, I'm logged in as myself. I should have realized that (duh...)

I'll talk to my IT folks and get them to set up a test windows user for
future testing.

Thanks for your help. I feel much better now!

 

[Gary L. Chefetz]

See how easy Microsoft has made authentication?<g> LOL


----------
Gary L. Chefetz, MVP
MSProjectExperts
Project Server Consulting: http://www.msprojectexperts.com
Project Server Training: http://www.projectservertraining.com
Project Server FAQS: http://www.projectserverexperts.com
Project Server Help Blog: http://www.projectserverhelp.com