Don’t Get Burned By Your Security Templates

Problem

If you’ve ever tried to use the built-in security templates in Project Web App, you may have accidentally messed up your security model without realizing it. This problem applies to Project Server 2003-2013 versions.

Security templates are designed to let you quickly apply or reapply permissions for predefined roles when creating new groups and categories. However, the out-of-box implementation can lead to issues if you don’t realize the impact of applying them.

Background

Groups and Categories have what is known as a many-to-many relationship. A group can be associated with multiple categories and a category can be associated with multiple groups. The default security model relationships are shown below, where blue boxes represent the Groups and orange boxes represent the Categories.

[Figure: default security model relationships between Groups and Categories]

We’ll use Resource Manager as an example of the security template issue. Out of the box, Resource Manager has four relationships by design:

  • My Organization, so that they can see all resources and build a team on any project
  • My Projects, so that they can view any project that they own or whose project team they are part of
  • My Resources, so that they see only the resources below them in the RBS and can add them to a Resource Plan
  • My Direct Reports, which is reserved for you to customize functionality for the resources directly below the Resource Manager in the RBS

The heavy lifting in the security model is at the intersection points between Group and Category. The intersection is where you set which allowed Project and Resource actions (Group) can be taken on the data returned by the Category. If you’ve seen a “troubled” security model, it’s usually because this nuance was lost on whoever was maintaining the model.

Scenario

NOTE: PLEASE DON’T DO THIS PROCEDURE WITHOUT READING THE ENTIRE ARTICLE FIRST

Felix is a Project Server administrator who accidentally changed some category permissions in production on the Resource Manager – My Projects intersection. “No problem”, thinks Felix, “I’ll just reapply the Resource Manager security template and all will be good.”

Felix then does the following actions.

He goes to PWA Settings under the Gear.

He clicks on Manage Groups under the Security section.

He clicks on the Resource Managers group to edit.

He scrolls down to Categories to access the Category permissions for the group for My Projects.

He selects My Projects in the Category list to show the permissions. At the bottom of the category permissions section, he selects the Resource Manager template and clicks Apply.

All good, right? Not exactly.

The Issue

Remember, the Resource Manager Group has four category relationships.

However, if you go into Manage Security Templates, there’s only one entry for Resource Manager.

So, which relationship does this security template represent? Was it the right one for Felix to apply? You don’t know without further research.

Suggested Fix For This Situation

If you choose to use Security Templates, I highly recommend doing the following prep work. This recommendation is based on the real-world experience of managing two Fortune 250 company implementations and having cleaned up numerous security models for other companies. An hour or two of prep now will prevent tears later on.

Create a new template for group permissions and one for each intersection for the category permissions, using this procedure: http://technet.microsoft.com/en-us/library/cc197679.aspx

If you’ve heavily customized your security model, you will first need to create a diagram similar to the one I have above.

The resulting template list for Resource Manager will be as follows.

  • Resource Manager – Group Permissions Only
  • Resource Manager – My Organization
  • Resource Manager – My Projects
  • Resource Manager – My Resources
  • Resource Manager – My Direct Reports

Now, when Felix applies a security template, he knows exactly which one he is applying to the security relationship.
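
A check for the naming scheme above, as an added example that is not part of the original post: it compares a template list against the Group and Category relationships and reports templates that do not identify an intersection. The relationship data, the "PMO Analyst" group and the function names are constructed for illustration; it does not read anything from Project Server.

```python
# Added example: audit a template list against Group x Category intersections.
# All data below is constructed; replace it with your own security-model diagram.

SEP = " – "                       # separator used in the template names above
GROUP_ONLY = "Group Permissions Only"

# Group -> categories it is related to (many-to-many across groups).
RELATIONSHIPS = {
    "Resource Manager": ["My Organization", "My Projects",
                         "My Resources", "My Direct Reports"],
    "PMO Analyst": ["My Organization"],   # hypothetical custom group
}


def required_templates(relationships):
    """One template for group permissions plus one per intersection."""
    names = []
    for group, categories in relationships.items():
        names.append(f"{group}{SEP}{GROUP_ONLY}")
        names.extend(f"{group}{SEP}{category}" for category in categories)
    return names


def audit(relationships, existing):
    """Classify an existing template list against the model."""
    required = required_templates(relationships)
    existing_set = set(existing)
    # A template named only after a group that has several category
    # relationships does not say which intersection it represents.
    ambiguous = [t for t in existing
                 if len(relationships.get(t, [])) > 1]
    missing = [t for t in required if t not in existing_set]
    unknown = [t for t in existing
               if t not in required and t not in ambiguous]
    return {"ambiguous": ambiguous, "missing": missing, "unknown": unknown}


if __name__ == "__main__":
    out_of_box = ["Resource Manager"]          # constructed: one entry per role
    for kind, names in audit(RELATIONSHIPS, out_of_box).items():
        print(f"{kind}: {names}")
```

Run it again after creating the per-intersection templates; an empty result in all three lists means every template maps to exactly one security relationship.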

Resources

You can find the default Project Server 2013 group and category permissions at these links for constructing your templates.