Setting Permissions for Groups

[jem]

I initially set permissions for individual users, but then saw this was not
the best way to manage security.
I now have custom groups, and have everyone assigned to these groups, but
this does not seem to control the permissions. Is it because the groups
will not override the individual permission settings? If so, is there a way
to remove the individual settings?

Thank you.
jem

 

[Dale Howard [MVP]]

jem --

Individual permissions will generally override the Groups in which the user
is a member. The exception would be if you set a Group permission to Deny.
You goofed in setting individual permissions, my friend. You would be wise
to go back and edit each user account individually and remove all of the
permissions you set, including adding Categories for the user as well. Hope
this helps.

 

[Rowan Patterson]

Hi,
The View Effective Rights Tool
<http://go.microsoft.com/fwlink/?Linkid=20898> described in the
Administrators Guide is excellent for sorting out this sort of issue.
It tells you exactly which category>group>user gave which right to an
object.
Regards,
Rowan Patterson PMP
Brisbane Australia

 

[jem]

Good Morning,

Thanks for the responses. One final question: there seems to be no quick
way to edit the individual users and remove the permissions and categories.
There is no clear feature that I see. Is the only way to do this to go in
and uncheck everything? I had set everything by using the security
templates. I tried going in, removing the group and category for a person
and saving (which cleared the checks), then I went back in and added the
group and category back, this time without choosing a security template, but
it seemed to set the checks right back.

Thanks for your help.
jem

 

[Dale Howard [MVP]]

jem --

You made a blunder setting individual permission for everyone in your
organization. I'm sure that was a time consuming process. If you wish to
undo your blunder, you will need to manually change the settings for
everyone. This will also be a time consuming process as there is no quick,
fast, and painless way to do this. Sorry for the bad news.

 

[jem]

Thanks for the reply Dale. Lesson learned. The good news is maybe someone
else will see this message and not do as I did.

Thanks again.
jem

 

[Dale Howard [MVP]]

jem --

You are not the first person who made this mistake. I did some work at a
client site once where they had installed and configured Project Server
before hiring us to assist them. When I got there, their system was working
inconsistently and erratically. The default Group and Category permissions
seemed to work for some users and did not work for others. In
troubleshooting this problem, I discovered that the client had editing EVERY
user account in PWA. Apparently the heavy amount of changes they made to
every user account was causing Project Server to "flip out" trying to keep
track of every permission for every user.

Our company's official approach on managing Project Server security, and the
approach we recommend to all clients, is the KISS method. To keep things as
simple as possible, control all security at the Group and Category level,
and only edit an individual user account as a last resort. Hope this helps.

 

[Jan M.]

Hi jem,

I suggest that you create a new security template called "Reset" or
something like that. Uncheck everything and save the template. You still have
to modify each user individually, but this should make the process easier.

Hope this help

Jan M.

 

[Dale Howard [MVP]]

Jan M --

Brilliant idea! Thanks for the suggestion to save jem some time.

 

[jem]

Yes, thanks very much. That is a great idea!

One more question: I guess I am still unsure of how to set the permissions
once I clear out all of the individual permissions. I have read the
Administrative Guide and in one place I think I understand one way, then
later in the guide I understand a different way. So....

Question: If I have my Groups set with permissions based on security
templates, and I have users defined to Groups, then am I done? -Or - do I
still have to pull up each user and also set the Category and Global
Permissions using security templates? I thought if I set permissions at
the Group level, then the users in that group would inherit those
permissions. But in the section in the Admin Guide about adding or
modifying new users, it says go in and set the Category and Global
Permissions at the user level.... or that's how I'm interpreting it.

Thanks again.
jem

 

[Dale Howard [MVP]]

jem --

Simply add the users to Groups and you control security for everyone quickly
and easily. If you retained the original default Groups that ship with
Project Server 2003 (Project Managers, Team Members, Executives, etc.) you
could add your users to the appropriate Group and probably have things set
up the way that you wish. If you removed the default Groups and created
custom Groups, then add the users to the appropriate custom Groups. Hope
this helps.

By the way, I strongly believe you should consider purchasing our
administrator's book on Project Server 2003. If you had used it, you could
have avoided this mess entirely. Click on either URL in my signature block
for ordering information. Hope this helps.

 

[jem]

Dale,

Great. Thank you. This helps a lot. I will take you advise on your book
purchase as well.

jem