regarding default groups and security templates

J

James Fraser

Hey

I've read this document about security in Project 2007:http://technet2.microsoft.com/Office/en-us/library/27c51b32-e99c-4d1c...

From what I learned in that article there exists some default groups named
Administrators, Executives etc... but there also exists some default
security templates named Administrators, Executives etc...

Are the groups and security templates the same thing here or? it confuses me
a bit

Jeff

Templates are a predefined list of settings to apply to other
permissions. I like to think of them as just a set of check marks that
you are applying when you apply the template. Once applied, there is
no connection maintained back to the template, so if you then change
the template, you would need to go into group (or user) permissions
and apply them again.

And while you're learning security settings, it's important to note:
never ever use the "Deny" permission check boxes, at least not until
you know why you shouldn't be using it.


James Fraser
 
J

Jeff

thanks, from what I've learned if an user is allowed access to a setting
through a group, and denied access to the same setting through some other
group then the user won't get access to that group...

At work I'm about to configure access to PWA for 5 executives. One of the
executives (lets call him A) should only have access to a specific project.

What about this approach:
- Create a new group and make all these executives members of this group
- Create a category that control access to this specific project and
assigned executive A to that category
- Add some global permissions

Could this allow executive A to browse the other projects too? I don't want
him to do that....
Is it a good approach here to have a group containing all the executives, or
should I create 2 groups instead. One group for the 4 executives and the
other group for executive A??

Jeff
 
J

James Fraser

thanks, from what I've learned if an user is allowed access to a setting
through a group, and denied access to the same setting through some other
group then the user won't get access to that group...

At work I'm about to configure access to PWA for 5 executives. One of the
executives (lets call him A) should only have access to a specific project.

What about this approach:
- Create a new group and make all these executives members of this group
- Create a category that control access to this specific project and
assigned executive A to that category
- Add some global permissions

Could this allow executive A to browse the other projects too? I don't want
him to do that....
Is it a good approach here to have a group containing all the executives, or
should I create 2 groups instead. One group for the 4 executives and the
other group for executive A??

Jeff

Designing the appropriate security architecture depends on the
details. But a quick guess anyway:
Yes, create 2 groups. If by Executive, you mean report consumers who
won't be assigned to tasks, start with the default Executive group.
Either create a copy of that or use that to assign the 4 executives
to. Modify as needed.

For Executive A:
Create a copy of the above group for Exec A. Let's call this "Group
A."

Look at the categories used by group A. Some of them will include all
projects in the system. Create a copy of those categories (might be
only one) and change the new copy from all projects to only include
the specific project you want Exec A to see.

Now go back to Group A's permissions and note the permissions on the
categories. Replace the categories with your newly created categories
that only include one project. Assign the appropriate permissions to
that category for the group. Add Exec A to the group.


One of the goals of a Project Server security architecture is that the
only thing you should assign users to directly is groups. Categories
and global permissions are assigned to groups as well. Avoid assigning
categories or global permissions to users. Imagine getting the request
to "Give Carol the same permissions as Bob." To do this, all you
should need to do is add Carol to whatever groups Bob is in. That's
the goal, at least.


James Fraser
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top