PWA 2007 Access Issues - Help with setting up VIEW and EDIT permissions

econtella

Hey Guys,

Need some help here as I am trying to set up the access for our PWA
2007 for our organization. What I want to do is basically set up the
following:

1) users can only VIEW the projects in the project centre and project
workspace that they are a resource on the project
2) Project Owner (Project Manager) is the only person to be able to
EDIT the project (their own projects). They should only see their own
projects that they either own or are a member of as above.

I thought this would be easy, but after playing around with the
settings for the past few days I am starting to give up.

I set up two new categories, one called 'Project Edit' and one called
'Project View'. I then set up two new groups, again one called Edit
and one called View. Limiting the views was easy, as that was done
within the categories portion, but trying to set up the access so that
you can only VIEW the projects you are a part of is harder than I
originally planned.

Can anyone help me sort this out, and what are the main things I
should look out for? If you need any additional info from my
situation, please reply to this message and I will post as much as I
can.

Thanks in advance,
Eugene
 
Paul Conroy

Firstly, you don't need custom categories/groups to achieve this requirement.

Try to think of the security model as

Users - Who they are
Security Groups - What they can do
Categories - Where they can do it

Generally, Users should belong to Security Groups which are in turn
associated to Categories. Things start to get complicated when you associate
users directly to Categories.

So in your scenario:

Users in the PM Role should be in the Project Manager Security Group and
Team Members should be in the Team Member Security Group. If they are members
of other groups such as Executives or Administrators then their resulting
permissions will be amalgamated, allowing them to see additional/all projects
and resources.

The PM Security Group should be associated to the My Projects and My
Personal Projects Category using the PM Security Template. This will give
PMs the permissions to see/edit their projects and those projects that they
are members on. If this group is associated to the My Organisation category
then they will likely see all projects.

The Team Members Group should be associated to the My Personal Project
Category using the Team Members Security Template.

Ensure the views you want the users to see are bound to the category
which they are a member of.

i.e. Project Centre - Project Summary View should be associated to the My
Projects Category.

HTH

Paul
 
econtella

Hey Paul,
This is great, I am going to follow this through right now and see how
it goes. I didn't have a clear understanding of what each category
type meant exactly, so that would have caused some problems right off
the bat. One question I have though: when I am in a category edit
(i.e. Team Members for example) under the Projects and Resources
sections, I have the bullet "All current and future projects in
Project Server database" and "All current and future resources in
Project Server database" selected as I want to include all projects
and all resources. Then just below, it states to "Apply the above
Project security permissions to all projects where:"

The User is the Project Owner or the User is the Status Manager on
assignments within that Project
The User is on that project's Project Team
The Project Owner is a descendant of the User via RBS
A resource on the project's Project Team is a descendant of the User
via RBS
The Project Owner has the same RBS value as the User

This is the same for both the Project and the Resource section, and I
have the first two selected for both. Would this be the correct
setup? I do not have the RBS function set up so those will not relate
within our organization.

Thanks again in advance,
Eugene
 
Paul Conroy

Having all project and all resources selected in the categories is very much
causing you issues.

All current and future projects is exactly what it says. This is typically
only used for My Organisation category.

Selected Projects are in addition to the dynamic rules below. So you can
explicitly insert a number of projects AND use dynamic rules such as
"Projects where the User is the Owner..." to create a collection of projects
for the category.

You need to implement the RBS if you want to use the dynamic resource
category rules (i.e. my direct reports), however this will not impact on the
ability to dynamically group projects. Until you have the RBS set up, keep
the "all current and future resources" option selected.
 
econtella

OK, I have hit a snag! I have used the Project Managers and Team
Members groups as Paul has stated below. I set up the Project Managers
group to include the My Personal Projects and My Projects categories
and the Team Members group only includes the My Personal Projects
category. For some reason now, both project managers and team members
can't log on to the PWA as they are getting an Error: Access Denied
page? I have the "log on" option allowed for both groups so I am not
sure where the problem is? Any ideas?
 
econtella

Hey Paul,
OK, I resolved the issue with not being able to log on, that was my
mistake as there never really was a problem there. So what I am
trying to set up is:

IF a user uploads a project to the PWA, they are then the project
owner. Only the project owner can edit/modify the project, but I want
everyone else who is a part of the project (a resource on the project)
to have VIEW access. BUT, I want that same person who was the project
owner on the one project to have VIEW access on other projects they
are a resource on but not a project owner. Does that make sense? I
can't limit this to only the few projects I have listed on the server
as I want these permissions to take place whenever anyone saves and
publishes a new project from this date forward. This is why I wanted
to keep the "All current and future projects" selected under both
project and resource.

Now, can I add both the project manager and team members category to
the users, or will the project manager access override the team
members access? I want the users to be a team member when they are
not the project owner and want them to be a project manager when they
are a project owner. Hope this makes sense.
 
econtella

I corrected the problem in regards to not being able to sign on, but I
am still having the permission issue. If I have users in the Project
Managers and Team Members groups, would they have Project Managers
access fully as it would override the Team Members?

What I am trying to do is:

1) If a user saves and publishes a project, they will then be the
project owner. I want them to have full access to their project, and
anyone else who is a resource on the project to have VIEW access.

2) That same user will then have VIEW access on other projects that
they are a resource on.

So essentially, users will be members of the Project Managers and Team
Members group for all projects as they can be the project owner of one
project and just a resource on another project.

Is this possible or am I asking for too much?
 
Paul Conroy

Assuming default group/category settings.

PMs should be a member of the Project Managers and Team Members Security
Group.

TMs should be a member of the Team Members Security Group only.

Permissions are accumulative.

PM's scy group should be associated with My Personal Projects category with
the Project Manager security Template. This category should NOT have All
Current and Future Projects selected!

TM's scy group should be associated with My Projects category with the Team
Member security Template. Again, this category should NOT have All Current
and Future Projects selected!

HTH

Paul
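
The evaluation described in this thread (group membership, categories scoped by "selected projects" plus dynamic rules, permissions accumulating across groups) can be sketched as a small model. This is an added example, not part of the original posts and not Project Server code; it ignores Deny settings, and the category definitions `OWNED`, `ON_TEAM`, the users and the projects are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Project:
    name: str
    owner: str
    team: frozenset

@dataclass
class Category:
    all_projects: bool = False   # "All current and future projects"
    selected: set = field(default_factory=set)  # explicitly selected projects
    rule_owner: bool = False     # "The User is the Project Owner"
    rule_team: bool = False      # "The User is on that project's Project Team"

    def covers(self, user, project):
        # Selected projects are in addition to the dynamic rules.
        if self.all_projects or project.name in self.selected:
            return True
        if self.rule_owner and project.owner == user:
            return True
        return self.rule_team and user in project.team

def effective(user, project, members, grants):
    """Union of the permissions of every grant (group, category, allowed)
    whose group contains the user and whose category covers the project."""
    perms = set()
    for group, category, allowed in grants:
        if user in members[group] and category.covers(user, project):
            perms |= allowed
    return perms

# Constructed sample data.
P1 = Project("P1", "alice", frozenset({"alice", "bob"}))
P2 = Project("P2", "bob", frozenset({"bob", "alice"}))
P3 = Project("P3", "carol", frozenset({"carol"}))
MEMBERS = {"Project Managers": {"alice", "bob"}, "Team Members": {"alice", "bob"}}

OWNED = Category(rule_owner=True)   # hypothetical category: owner rule only
ON_TEAM = Category(rule_team=True)  # hypothetical category: team rule only
SCOPED = [("Project Managers", OWNED, {"view", "edit"}),
          ("Team Members", ON_TEAM, {"view"})]
# Same grants, but the view category has "all current and future projects" on.
WIDE = [SCOPED[0], ("Team Members", Category(all_projects=True), {"view"})]

if __name__ == "__main__":
    for grants in (SCOPED, WIDE):
        print([sorted(effective("alice", p, MEMBERS, grants)) for p in (P1, P2, P3)])
```

In the model, a category with "all current and future projects" selected exposes P3 to a user who is neither its owner nor on its team, which is the over-exposure the replies warn about.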
 
econtella

Hey Paul,
OK, I followed your permissions below and it works.
I just took two users, put one in the PM group and put the other in
the TM's group and set the categories as you described below.
Everything is great.

Now, not sure if this would work or not (obviously doesn't as I just
tested it) but what if I add both users to both groups (PM's and
TM's)? I want the user to be a PM when they are the project owner
and want them to be a TM when they are simply just a resource on a
project but not the project owner.

Is that possible?
 
