Categories
Newsgroups
Most Popular Posts
Favorite Links
Books you need

Recent Entries
Project Server Jobs

« PreviousNext »

Adjust the Default Project Web Access Permission Levels

3 April 2008

At many of my clients, I encounter situations where the default Permission Levels created by Project Server for Project Web Access sites cause problems. Typically, everything is going along just fine when suddenly one day PWA has a different theme or the “My Tasks” or “My Timesheets” page is blank and/or throws an error. While on occasion the error is legitimate, usually it is due to an inexperienced user editing the Shared version of the page. If you haven’t encountered this issue yourself, at this point you may be wondering how this is possible… The simple answer is that for many organizations, the default Permission Levels grant too much power to non-Administrative users.

When you provision a new Project Web Access site, Project Server creates four Permission Levels (described in this technet article):

By default, the Project Managers (Microsoft Office Project Server) permission level has all permissions with the following exceptions:

The default Team Members (Microsoft Office Project Server) permission level has all permissions with the following exceptions:

As you can see, these permissions are fairly liberal. They allow Project Managers to alter PWA’s theme and edit PWA pages and lists, among other things. For many organizations, this is much too lax.

As you may already know, these Permission Levels are not exclusive to the PWA Root site; they are also created in any Project Workspace provisioned by the server. This is how Project Server synchronizes permissions between a Project and its Workspace. For Project Workspaces, users in these Permission Levels are synced on Workspace Creation and Project Publish if the server is configured to do so. However, the Permission Levels in Project Workspaces are not inherited (by default) from the Parent Web Site (in this case, PWA). Therefore, changes we make to the PWA Root site will not affect any downstream Workspaces.

However, these roles are deleted and recreated in the Project Workspaces by the Project Workspace Membership Sync process; this is also done in the PWA site by the PWA Root Sync. This means that any changes you make to these permission levels in PWA or any Project Workspaces will be erased when the membership of that site is synchronized.

Before we get started, I want to remind you that the typical disclaimer applies. Please use caution when implementing these instructions in a production environment.

If you choose to do so, you are doing so at entirely your own risk.

I very strongly recommend that you test in your development and staging environments before applying to production, and as usual, I bear no responsibility for any issues, data loss, financial costs, or downtime you may incur from following this HowTo.

div>

To resolve the issue, we are simply going to set the permissions of the Project Managers (Microsoft Office Project Server) and Team Members (Microsoft Office Project Server) permission levels within the PWA Root site to be equal to that of the Readers (Microsoft Office Project Server) permission level. To do this:

  1. Log in to PWA as an Administrator
  2. Expand the Site Actions menu by clicking on it
  3. Click Site Settings
  4. On the Site Settings page, under Users and Permissions, click Advanced Permissions
  5. On the Permissions: Project Web Access page, expand the Settings menu by clicking on it
  6. Click Permission Levels

You should now see the Permission Levels page. You should see ten Permission Levels listed — the four we described earlier, and the standard SharePoint ones (Full Control, Design, Contribute, Read, Limited Access, and View Only).

Click on the Project Managers (Microsoft Office Project Server) permission level, and uncheck the following:

Click Submit, which will return you to the Permission Levels page. Now, click on the Team Members (Microsoft Office Project Server) permission level, and uncheck the following:

Removing these permissions prevents non-admins from altering the look, structure, or content of pages within PWA. We also prevent them from altering lists, discussion boards, and document libraries in PWA. All of the organizations I have worked with do not perform collaboration (e.g. lists, document libraries, discussion boards) within PWA. However, if yours does, simply omit the relevant permissions from your changes.

Note that changes to these List permissions do not affect the ability to link Tasks to Workspace Items (documents, issues, deliverables, or risks); this behavior is controlled by the Create Object Links Category permission.

We also disabled Personal Views. While they are a fantastic feature, I personally disable them within PWA because there is too much potential for confusion. I strongly believe in User Interface consistency within PWA, and Personal Views pretty much defeat this. Plus, switching back and forth between Shared and Personal views can be confusing to inexperienced users.

So, now we’ve revoked these permissions for non-admins in the PWA Root site. However, remember that these changes are not permanent and will be overwritten next time the PWA Root Sync runs. Next, we will discuss how to get Project Server to make these changes on our behalf…

Discuss this post on the EPMFAQ Forums

© Stephen Sanderlin for EPMFAQ, 2008. | Permalink

Add to del.icio.us | Want more on this topic? Browse the archive of posts filed under Administration, Configuration, From The Field, HowTo, Implementation and Deployment, PWA, Project Server 2007, Usability, WSS 3.0.


Related Posts

Copyright ©2007-2008 Stephen C. Sanderlin, Stephen T. O’Connor, and others as listed. Some rights reserved.
All other trademarks and copyrights are the property of their respective owners.
All content in this feed is covered by the Creative Commons Attribution-Share Alike 3.0 United States License.
(digitalfingerprint: 98f116c448a33659cf8172e78f33f0e6 (66.150.96.109) )

Originally by Stephen Sanderlin from EPMFAQ on April 3, 2008, 12:08pm

Popularity: 49% [?]

If you enjoyed this post, make sure you subscribe to my RSS feed!

Posted in Uncategorized | Trackback | del.icio.us |

Other posts like this one:

  • Project Server 2007 Version Reference
  • Elements of SharePoint 2007 Security
  • Randomly Checked Out Projects
  • Project Management Immaturity Model
  • Workspace synchronization cannot be disabled.

    • Top Of Page

      5 Responses to “Adjust the Default Project Web Access Permission Levels”

    1. Kim Says:
      August 14th, 2009 at 11:02 am

      Did you ever write the second part of this post? I can’t find it and that is really the info that I need! Please let me know.

    2. Ivan Lemus Says:
      September 30th, 2009 at 7:35 am

      How can I determine all the workspaces that a user has access to?
      Thanks for all your help.
      Ivanl@asg.com

    3. D Tippet Says:
      February 8th, 2010 at 12:43 pm

      Would the same logic for altering security permissions for the project manager role if “Manage Permissions” were added to the role.

      I have a need to allow PM’s to have full control of their workspaces upon creation. I have walked through the changes as noted in the blog above within a test instance but can’t get the “Manage Permissions” to appear in workspace for a PM.

      Does the custom timer job to permanently change the Project Manager role need to be created and implemented before the change is visible in the workspace?

      Thanks,

      DT

    4. Sergio Says:
      June 13th, 2010 at 4:45 pm

      Hello, I need to see from the MPS (product), Tools, Using recourses, the hours we have every resource to local and other available. only view local now.

      Thanks

    5. DJ Says:
      September 10th, 2010 at 9:16 am

      Part 2 of this topic is located here:

      http://projectserverblogs.com/?p=1182

    Leave a Reply



    Copyright © 2008 Project Server Blogs

    Credits: Web Hosting Bluebook | Matteo Turchetto | Andreas Viklund