thanks, from what I've learned if an user is allowed access to a setting
through a group, and denied access to the same setting through some other
group then the user won't get access to that group...
At work I'm about to configure access to PWA for 5 executives. One of the
executives (lets call him A) should only have access to a specific project.
What about this approach:
- Create a new group and make all these executives members of this group
- Create a category that control access to this specific project and
assigned executive A to that category
- Add some global permissions
Could this allow executive A to browse the other projects too? I don't want
him to do that....
Is it a good approach here to have a group containing all the executives, or
should I create 2 groups instead. One group for the 4 executives and the
other group for executive A??
Jeff
Designing the appropriate security architecture depends on the
details. But a quick guess anyway:
Yes, create 2 groups. If by Executive, you mean report consumers who
won't be assigned to tasks, start with the default Executive group.
Either create a copy of that or use that to assign the 4 executives
to. Modify as needed.
For Executive A:
Create a copy of the above group for Exec A. Let's call this "Group
A."
Look at the categories used by group A. Some of them will include all
projects in the system. Create a copy of those categories (might be
only one) and change the new copy from all projects to only include
the specific project you want Exec A to see.
Now go back to Group A's permissions and note the permissions on the
categories. Replace the categories with your newly created categories
that only include one project. Assign the appropriate permissions to
that category for the group. Add Exec A to the group.
One of the goals of a Project Server security architecture is that the
only thing you should assign users to directly is groups. Categories
and global permissions are assigned to groups as well. Avoid assigning
categories or global permissions to users. Imagine getting the request
to "Give Carol the same permissions as Bob." To do this, all you
should need to do is add Carol to whatever groups Bob is in. That's
the goal, at least.
James Fraser