Project Server Permissions Problem

David F-H

We are running Project Server 2007 / SP1 and SQL Server 2005. I am the
administrator but am having difficulty configuring the permissions. The
situation is that I have managers in separate groups that are able to open
each other's projects in read/write mode from Project Professional, but my
understanding from the way I've configured their permissions is that this
should not be allowed.

Taking one example, Daryl only belongs to the Resource Manager Group and has
his global permissions under the Admin and Project sections set to all blanks
(nothing is checked on).

In the Resource Manager Group -
- My Direct Reports and My Organization both have all permissions under
Project set to all blanks
- My Projects and My Resources both only have View Project Details in
Project Center, View Project Summary in Project Center checked on, with all
else set to blank under Project.
- My Personal Projects have all Project permissions allowed except for
Delete Project.
- The global permissions for the project section are all blank.

For the Categories -
- My Personal Projects have the following criteria set :
The user is the Project Owner or the Status Manager on assignments in the project
The Project Owner is a descendant of the user via RBS

However, Daryl is able to open, change and save projects that belong to a
project owner from a separate team (ie. has a different hierarchical path in
the RBS to himself), to which he is not assigned in any capacity. Can
someone please explain what I've done wrongly?

Thanks.
 
David F-H

Thanks Paul,
I have now installed and run the tool to try to find out why a user is able
to open a project that he is not connected to - I ran as follows:
User - entered user name.
Permission - entered "Open Project"
Project - entered project name. note that the user is not a resource on the
project, is not a status manager for any tasks and is not the project owner
nor a superior of the project owner via RBS.

It returned the following info on one single line:
Right: Allow
User/Group Name: Resource Managers
Object Present: False
Category Name: My Personal Projects
Applicable Rules : All current and future projects in Project Server
database;The User is the Project Owner or the User is the Status Manager on
assignments within that Project;The Project Owner is a descendant of the User
via RBS;

So, according to these rules I would not expect this user to have open
rights to this project? Is there something else I should be checking?

Thanks
 
Paul Conroy

The category rule "All current and future Projects" is the key here.

It would appear that the resource is a member of the RM's groups which has
permissions to all projects as granted by the My Personal Projects
category. These category permissions have been changed from the default.

I'd recommend removing the category permission "All current and future
projects".
 
David F-H

OK, I thought that this worked in conjunction with the other criteria - ie.
- The User is the Project Owner or the User is the Status Manager on
assignments within that Project;
- The Project Owner is a descendant of the User via RBS

but apparently not?

The only way to turn this off then is to click on the other radio button,
namely "Only the projects indicated: ". But you can't name a hard list of
projects for a generic category, so I assume that you don't add any projects
to right hand list box, and then the criteria below this (as mentioned above
in this post) is applied to all projects - is this correct ??
 
Paul Conroy

All projects means exactly that.

When you select only the projects indicated this includes those explicitly
detailed in the right hand dialogue PLUS those derived from the dynamic
category permissions.

So you are correct in stating that a generic category such as My Projects
should not have a list of projects defined.

Security becomes easier to manage when you've defined your RBS.
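
The category behaviour described in this thread, modelled as an added example that is not part of the original posts or of Project Server itself: with "All current and future projects" selected the dynamic criteria are never evaluated, while "Only the projects indicated" grants the listed projects plus those matched by the criteria. The dotted RBS values, the user and project names, and the function names are assumptions made for illustration; Deny permissions are not modelled.

```python
from dataclasses import dataclass, field

@dataclass
class Project:
    name: str
    owner: str
    status_managers: set = field(default_factory=set)

@dataclass
class Category:
    name: str
    all_projects: bool            # True = "All current and future projects"
    explicit: set = field(default_factory=set)  # right-hand list box
    owner_or_status_manager: bool = True        # dynamic criterion 1
    owner_is_rbs_descendant: bool = True        # dynamic criterion 2
    allowed: set = field(default_factory=set)   # permissions set to Allow

def is_descendant(rbs, owner, user):
    """Owner's RBS value sits strictly below the user's (assumed dotted paths)."""
    return rbs[owner].startswith(rbs[user] + ".")

def covers(cat, project, user, rbs):
    if cat.all_projects:
        return True               # criteria below are never consulted
    if project.name in cat.explicit:
        return True
    if cat.owner_or_status_manager and (
            user == project.owner or user in project.status_managers):
        return True
    return cat.owner_is_rbs_descendant and is_descendant(rbs, project.owner, user)

def granting_categories(cats, project, user, permission, rbs):
    """Names of the categories that grant `permission` on `project`."""
    return [c.name for c in cats
            if permission in c.allowed and covers(c, project, user, rbs)]

# Constructed sample data: Daryl manages Team A; Erin is in Team B.
RBS = {"Daryl": "Org.TeamA", "Sam": "Org.TeamA.Dev", "Erin": "Org.TeamB"}
OTHER_TEAM = Project("Team B rollout", owner="Erin")
OWN_TEAM = Project("Team A rollout", owner="Sam")

def my_personal_projects(all_projects):
    return Category("My Personal Projects", all_projects, allowed={"Open Project"})

if __name__ == "__main__":
    for label, flag in (("as configured", True), ("corrected", False)):
        cats = [my_personal_projects(flag)]
        for p in (OTHER_TEAM, OWN_TEAM):
            print(label, p.name, granting_categories(cats, p, "Daryl", "Open Project", RBS))
```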
 
Gary L. Chefetz [MVP]

David:

Are you fully understanding the difference between "global permissions" and
"category permissions?" If not, you might benefit from our Implementing and
Administering book.

Meanwhile, open the Group Resources Managers, and select each category added
to the group and watch what happens to the category permissions section.

--

Gary L. Chefetz, MVP
MSProjectExperts
For Project Server Consulting: http://www.msprojectexperts.com
For Project Server FAQS: http://www.projectserverexperts.com
 
David F-H

Thanks for that Paul - I think that explains it. I thought that the dynamic
criteria were applied when you chose All projects. I will test with the user
tomorrow.
 
David F-H

Hello Gary, I believe I understand that difference (between global and
category permissions), but had misinterpreted the way the dynamic criteria
(eg. Project Owner is descendant of user via RBS, etc) was applied when the
"All current & future projects" is clicked on (ie. they do not apply). The
UI would be clearer if they drew a frame around the "Only the projects
indicated" radio button and the dynamic criteria, to indicate that they only
apply when this is clicked.

FYI - I had already ordered your "Implementing and Administering Project
Server 2007" book a week ago - expecting delivery on the 24th Jan :) :)
 
