PS2007 - site settings available to PMs?

crook

Hi!

I have set up Project Server 2007 using the default, stand-alone
options for testing and evaluation purposes. I created a test user
(active directory authentication), and added that test user to the
default PM group. During my evaluation, I noticed that the test user
has access to the PWA SharePoint Site Settings page. The test user
does not see everything, but does see the following: Site theme, Top
link bar, Quick launch, Site content types, Site columns, Web Parts,
Site libraries and lists.

Using the test user account, I was able to change the Site Theme for
everyone in PWA. Other options seemed even more dangerous. For
example, the "Site libraries and lists" option allows the test user to
customize the Proposal proxy list, even though the description
specifically says, "Please do not modify this list or its contents."

Allowing non-administrators access to global settings seems unsound to
me. Has anyone else seen this? Have I overlooked something? How may
I prevent non-administrators from gaining access to the global Site
Settings?

Thank you in advance!
Crook
 
crook

Hi Everyone,

I have found my own answer. Since I've received much help from this
list, I'd like to return the favor.

The default standalone installation of PS2007 appears to place project
managers into the WSS 3.0 "Designer" security group. This means that
by default, PMs have the ability to effect global changes to PWA. To
eliminate something I considered to be a security breach, I removed 5
permissions in all. Only three permissions controlled the security
breach, but I removed an additional 2 permissions for good measure.

The 3 permissions that allowed this security breach are:

Add and Customize Pages - Add, change, or delete HTML pages or Web
Part pages, and edit the Web site by using a Windows SharePoint
Services-compatible editor.


Apply Themes and Borders - Apply a theme or borders to the entire Web
site.

Manage Lists - Create and delete lists, add or remove columns in a
list, and add or remove public views of a list.

Removing these three permissions deleted the "Site Settings" tab from
the PM's home page.

In addition, I removed 2 more permissions just for good measure:

Override Check Out - Discard or check in a document that is checked
out to another user without saving the current changes.

Apply Style Sheets - Apply a style sheet (.css file) to the Web site.


These permissions may be accessed by the following navigation path,
from the Home Page:

Site Actions > Site Settings > Advanced Permissions > Settings >
Permission Levels > Project Managers (Microsoft Office Project
Server).

HTH,
Crook
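
The following is an added example, not part of the original post: a read-only PowerShell audit, run locally on the WSS 3.0 server, that lists every permission level on the site still granting any of the five permissions named above. The site URL is a placeholder, and the mapping from the UI labels to `SPBasePermissions` names (for example `CancelCheckout` for Override Check Out) is this example's, not the poster's.

```powershell
# Added example: read-only audit using the WSS 3.0 server object model.
# $SiteUrl is a placeholder; replace it with your own PWA site URL.
$SiteUrl = 'http://server/pwa'

[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.SharePoint')

# SPBasePermissions names mapped to the UI labels of the five permissions in the post.
$watch = @{
    'AddAndCustomizePages' = 'Add and Customize Pages'
    'ApplyThemeAndBorder'  = 'Apply Themes and Borders'
    'ManageLists'          = 'Manage Lists'
    'CancelCheckout'       = 'Override Check Out'
    'ApplyStyleSheets'     = 'Apply Style Sheets'
}

$site = New-Object Microsoft.SharePoint.SPSite($SiteUrl)
$web  = $site.OpenWeb()
try {
    foreach ($role in $web.RoleDefinitions) {
        # A flags enum prints as comma-separated names; Full Control prints as FullMask.
        $granted = $role.BasePermissions.ToString().Split(',') |
            ForEach-Object { $_.Trim() }

        if ($granted -contains 'FullMask') {
            $hits = @($watch.Values)
        }
        else {
            $hits = @($watch.Keys |
                Where-Object { $granted -contains $_ } |
                ForEach-Object { $watch[$_] })
        }

        # Report only the permission levels that still grant a watched permission.
        if ($hits.Count -gt 0) {
            '{0}: {1}' -f $role.Name, [string]::Join(', ', @($hits | Sort-Object))
        }
    }
}
finally {
    # SPWeb and SPSite hold unmanaged resources and must be disposed explicitly.
    $web.Dispose()
    $site.Dispose()
}
```

Administrator levels such as Full Control will always appear in the output; after the change described in the post, the Project Managers permission level should not.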
 
