Rights to administrate holidays

Thea

Hi,
in my company the clerk should be able to add holidays to the resource's
calendar in the enterprise resource pool. I would like to give the minimal
rights for this, but I can't figure out the suitable combination.
The clerk needs to be able to open MS Project, open the enterprise
resource pool, check out the resources of its department and change the
calendar.

Thanks
Thea
 
mark.everett

Thea -

I had this requirement before and I handled it with a custom Group:
Here are the settings.

If this is too hard to read, email me at markdoteverettATgmaildotcom
and I will send you a part of the spreadsheet and the training
materials I wrote for the ERP Admin. Keep in mind that the requirement
I addressed gave them more to do than just open and save the enterprise
resource pool.

Mark Everett | PMP
www.quantumpm.com

Groups
PWA-Admin > Manage users and groups > Groups

Feature                                         ERP Admin

Section: User Info:

Section: Category Info: My Organization

Permissions: MO
Adjust Actuals                                  No
Approve Timesheets for Resources                No
Assign Resource                                 No
Build Team On Project                           No
Create New Task or Assignment                   No
Edit Enterprise Resource Data                   No
Open Project                                    No
Save Project                                    No
See Enterprise Resource Data                    Yes
See Projects in Project Center                  Yes
See Projects in Project Views                   Yes
See Resource Assignments in Assignment Views    Yes
View Risks, Issues, and Documents               No

Section:

About Microsoft Office Project Server 2003      No
Assign Resource to Project Team                 No
Assign To-Do List Tasks                         Yes
Backup Global                                   No
Build Team on New Project                       No
Change Password                                 Yes
Change Work Days                                No
Check in My Projects                            Yes
Clean up Project Server database                No
Connect to Project Server using Project 2002    No
Create Accounts from Microsoft Office Project   No
Create Accounts when Delegating Tasks           No
Create Accounts when Requesting Status Reports  No
Create Administrative Projects                  No
Create and Manage To-Do List                    Yes
Customize Project Web Access                    No
Delegate Task                                   No
Go Offline from Project Web Access              Yes
Hide Task from Timesheet                        No
Integration with External Timesheet System      Yes
Log On                                          Yes
Manage Enterprise Features                      No
Manage Rules                                    No
Manage Security                                 No
Manage Server Configuration                     No
Manage Status Report Request                    Yes
Manage Task Changes                             No
Manage Users and Groups                         No
Manage Views                                    No
Manage Windows SharePoint Services              No
New Project                                     No
New Project Task                                No
New Resource                                    No
New Task Assignment                             No
Open Project Template                           No
Publish To-Do List to All Users                 Yes
Publish/Update/Status                           No
Read Enterprise Global                          No
Save Baseline                                   No
Save Enterprise Global                          No
Save Project Template                           No
Set Personal Notifications                      Yes
Set Resource Notifications                      Yes
Submit Status Report                            Yes
Timesheet Approval                              No
View Adjust Actuals                             No
View Assignments View                           Yes
View Documents                                  Deny
View Home                                       Deny
View Issues                                     Yes
View Models                                     Yes
View Portfolio Analyzer                         Yes
View Project Center                             Yes
View Project View                               Yes
View Resource Allocation                        Yes
View Resource Center                            Yes
View Risks                                      Deny
View Status Report List                         Yes
View Timesheet                                  No

Table Key
Set to Allow Access
Access Not Specified - "Not Allowed"
Access specifically Denied
 
Thea

Thanks,
I'll try these settings and then drop as many as I don't need.
There came just another question to my mind concerning rights.
I usually assign to a person a group, and to a group I assign categories. In
all three areas I can set permissions or deny them. What happens if a
permission is not set in a category but in a group that has this category?
Has this group the permission or not?
Thanks!
Thea
 
mark.everett

Thea -

I set up the categories first, then the groups and make sure each group
is assigned to one or more categories. I always use Security Templates
and I never customize the settings for a user.

"What happens if a permission is not set in a category but in a group
that has this category?
Has this group the permission or not?"

I will let Microsoft explain it:

Overview

You can allow or deny permissions to individuals or groups of Microsoft
Project Web Access users. You create security templates that define
sets of permissions, and then assign permissions to users and groups
based on the templates. You use categories to define which specific
projects and resources the various users and groups are allowed to
view. You can also set permissions for Project Web Access features to
make them available or unavailable to the organization as a whole.

Project Web Access permissions work similarly to permissions in
Microsoft Windows 2000 and Microsoft Windows NT. Users and groups are
the security principals. Categories and organizations are the security
objects. Use permissions to allow or deny security principals access to
security objects.

Users

Each individual user must be granted permission to view or access the
data in a particular area of Microsoft Project Web Access. You can
grant permissions at the user level or you can assign users to groups
(recommended) and grant permission at the group level. A single user
can be a member of any number of groups.

Groups

A group of users is simply a collection of individual users who are
assigned the same permissions. You can combine individual users who
have common security requirements into a single group to reduce the
number of security principals that you need to manage. Create custom
groups when you need to provide new ways to access data within your
organization. For example, if your company employs contractors, you may
want the contractors to have a different set of permissions than
regular team members.

Use security templates in combination with groups to make it easier to
set permissions. First create a new security template (ideally with the
same name as the group), and then grant all users in the group
permissions based on the new security template.

Templates

A security template is simply a predefined set of permissions. Use
security templates to simplify granting permissions to groups of users
who need access to the same data. You can associate any number of
individual users and groups with a single security template.


Categories

A category is a collection of projects and/or resources that a user or
group is granted permission to see. See Add a category in Microsoft
Project Web Access help for more information about creating categories.
Create custom categories when you need to provide new ways to access
project and resource data.

Organization

An organization is a collection of projects, users, and data that
exists in a single installation of Microsoft Project Server 2003.
Setting permissions at the organization level allows you to make
features available or unavailable to all users of Project Web Access or
Microsoft Project Server, depending on the permission. If you allow or
deny permissions at the organization level, all users within the
organization are affected regardless of the permissions set elsewhere.

Note Only one organization can exist for each Project Server.

When should you select Allow, Deny, or Don't Allow permissions?

Each permission can be allowed, denied, or not allowed in Project Web
Access:

· Allow must be selected in order for any user or member of a group to
be able to perform the actions associated with the permission.

Note Default group permissions in Project Web Access are set to Allow
in most cases, depending on the default group. All permissions are set
to Allow at the organization level.

· Deny should be used carefully. If a user is denied a specific
permission anywhere in Project Web Access, that user will be denied
access everywhere in Project Web Access for that permission, regardless
of group, template, or category.

Note No permissions are set to Deny as a default.

· Don't Allow, while not strictly a permission, is a state that exists
when neither Allow nor Deny are selected for the same permission in the
same group. If a user belongs to more than one group that has the same
permission set to Allow (but not Deny) in at least one of the groups,
then the user will be allowed to perform the actions associated with
the permission for all groups. In other words, if a user is allowed a
permission in one group or category, that user will be allowed that
permission in all groups and categories that user belongs to or is
associated with.

Examples

In the following examples, a permission is set to Allow if column A is
set to 1 and a permission is set to Deny if column D is set to 1; if
both columns are set to 0 then the permission is neither allowed nor
denied (Don't Allow):

· A user belongs to three groups: Group 1 and Group 2 and Resource.
Both Group 1 and Group 2 are custom groups that you have created, but
you have set the permission Assign Tasks To Users to Deny for the
custom groups:

    Name       A    D
    --------   ---  ---
    Group 1    0    1
    Group 2    0    1
    Resource   1    0

In this case the user is explicitly denied permission to assign tasks
to users in the custom groups; this overrides the Allow permission set
in the Res group. This user cannot assign tasks to users.

· A user belongs to two groups, Group 1, and Group 2. These are both
custom groups that you have created, but you forgot to allow the View
Timesheet permission:

    Name       A    D
    --------   ---  ---
    Group 1    0    0
    Group 2    0    0

In this case, the user is neither allowed nor denied permission to view
his or her timesheet. Since the user has not been explicitly allowed to
view the timesheet, he or she doesn't have access to the timesheet.

· A user belongs to three groups, Resource, Group 1, and Group 2. Both
Group 1 and Group 2 are custom groups that you have created, but you
did not specify whether users belonging to the custom groups should be
able to log on:

    Name       A    D
    --------   ---  ---
    Resource   1    0
    Group 1    0    0
    Group 2    0    0

In this case, your users will still be able to log on because you
didn't deny them permission to do so in any group and they are allowed
in one group.

One thing to consider when setting permissions is that Deny can be very
limiting because it can override allowed permissions in other areas.
You may find that using Deny as little as possible will make it easier
to manage large groups of users.

Hope this helps,

Mark
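
The Allow / Deny / Don't Allow rule quoted in the post above, worked through in code. This is an added example, not part of the original thread and not Microsoft's or Project Server's own code; the names State, resolve, shadowed_allows and EXAMPLES are hypothetical, and the input is constructed from the A/D columns of the three quoted examples.

```python
from enum import Enum


class State(Enum):
    ALLOW = "Allow"
    DENY = "Deny"
    NOT_ALLOWED = "Don't Allow"


def resolve(entries):
    """entries maps a source (group or category) to its (A, D) flags.

    Returns (State, names of the sources that decided the outcome)."""
    denied = [name for name, (a, d) in entries.items() if d]
    if denied:  # a Deny anywhere overrides every Allow
        return State.DENY, denied
    allowed = [name for name, (a, d) in entries.items() if a]
    if allowed:  # one Allow is enough when nothing denies
        return State.ALLOW, allowed
    return State.NOT_ALLOWED, []  # nothing set: no access


def shadowed_allows(matrix):
    """Audit helper: permissions where a Deny cancels an Allow set elsewhere."""
    report = {}
    for permission, entries in matrix.items():
        state, deniers = resolve(entries)
        granted = [name for name, (a, d) in entries.items() if a and not d]
        if state is State.DENY and granted:
            report[permission] = {"allowed_in": granted, "denied_in": deniers}
    return report


# Constructed input: the A/D values of the three examples in the quoted text.
EXAMPLES = {
    "Assign Tasks To Users": {"Group 1": (0, 1), "Group 2": (0, 1), "Resource": (1, 0)},
    "View Timesheet": {"Group 1": (0, 0), "Group 2": (0, 0)},
    "Log On": {"Resource": (1, 0), "Group 1": (0, 0), "Group 2": (0, 0)},
}

if __name__ == "__main__":
    for permission, entries in EXAMPLES.items():
        state, sources = resolve(entries)
        print(f"{permission}: {state.value} (decided by {sources or 'no explicit setting'})")
    print("Allows cancelled by a Deny:", shadowed_allows(EXAMPLES))
```

The shadowed_allows report is the part worth running against an exported permission sheet: it lists every place where a Deny in one group silently cancels an Allow granted in another.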
 
