locked
Permissions for connected SharePoint sites RRS feed

  • Question

  • hello forum members,

    can someone please explain to me how do permissions work for connected SharePoint sites if Project Server set up to use Project permissons instead of SharePoint ?

    Another question I have is that our environment was once set to use SharePoint permissions , then changed to use Project server permission mode.  I checked on one user who could not login to Project Server and when i clicked on "Checked Permissions" on a ribbon - it showed that this person had full rights, but when i went to check on Project security group - he was missing there. It was very confusing.

    Does "Check Permissions" actually works when environment set up to use Project server mode permissions?


    tatiana

    Friday, August 1, 2014 11:08 PM

Answers

  • On top of the very good Paul's explanation, here is what happens behind the scene:

    case 1: you assign a resource to a project task, you save and publish project:

    • A hard coded job will parse assignment table and will put : 
    •    Project manager (MS office project synched) role to the project owner
    •    Team member (MS office project synched) role to resources with assignments

    In addition, 2 additional jobs will give suitable permissions to the resources part of security groups of PWA:

    • 1 gives access to PWA site (to access my tasks, time sheets...)
    • the other one gives proper access to the resources who have dynamic rights(ie: if they are part of a PWA group that has a category, for instance, giving read to anyone who has Same RBS as project owner

    Case2: you add a resource in PWA as part of a security group

    • 1 job for PWA top site + 1 job for each project of server will give suitable rights to the new resource.

    Case3: you change the permissions of an existing security group (more exactly to the category set to the group )

    • 1 job for PWA site + 1 job by project will populate on each project site the new permissions. Mind to do that out of peak hours or you'll have a big slow down.

    Case4: you add manually permissions directly in the project site. In this case one should never add people in an synched group or rights will Be overwritten during the next project publish.

    note there are known bugs for large data set when many synch jobs stay in the queue: we can have jobs conflict and a general permissions loss.  On top of that, a sync job including people whose active directory accounts are bad (having left the company for instance) can block permissions syncs.... We demonstrated this fact to Microsoft and we are working on that with them...

    hope this helps 

    Jeff 

    Sunday, August 3, 2014 9:24 AM
  • Hello,

    Hello, by default Project Server will control the permissions and sync users with the correct access to the Project Sites. This can be turned off on the "Manage User Sync Settings" by unchecking the "Enable Project Site Sync". The permission levels below are:

      • Web Administrators (Project Web App Synchronized) - Users who have Manage Microsoft SharePoint Foundation permission in Microsoft Project Web App. Uses this permission level - Web Administrators (Microsoft Project Web App)
      • Team Members (Project Web App Synchronized) - Users who have assignments in this project in Microsoft Project Web App. Uses this permissions level - Team members (Microsoft Project Web App)
      • Project Managers (Project Web App Synchronized) - Users who have published this project or who have Save Project permission in Microsoft Project Web App.  Uses this permission level - Project Managers (Microsoft Project Web App)

      Check permissions does work when in Project Server mode but the users will need to be added to a Project Server security group that at least allows "Log on". The users are synchronised to SharePoint groups at the PWA level when added to the Project Server security groups. The user that appeared with full rights was fine in SharePoint mode but Project Server permissions didn't know about this user hence the access denied.

    • Hope that helps
    • Paul


    Paul Mather | Twitter | http://pwmather.wordpress.com | CPS

    Saturday, August 2, 2014 12:45 AM

All replies

  • Hello,

    Hello, by default Project Server will control the permissions and sync users with the correct access to the Project Sites. This can be turned off on the "Manage User Sync Settings" by unchecking the "Enable Project Site Sync". The permission levels below are:

      • Web Administrators (Project Web App Synchronized) - Users who have Manage Microsoft SharePoint Foundation permission in Microsoft Project Web App. Uses this permission level - Web Administrators (Microsoft Project Web App)
      • Team Members (Project Web App Synchronized) - Users who have assignments in this project in Microsoft Project Web App. Uses this permissions level - Team members (Microsoft Project Web App)
      • Project Managers (Project Web App Synchronized) - Users who have published this project or who have Save Project permission in Microsoft Project Web App.  Uses this permission level - Project Managers (Microsoft Project Web App)

      Check permissions does work when in Project Server mode but the users will need to be added to a Project Server security group that at least allows "Log on". The users are synchronised to SharePoint groups at the PWA level when added to the Project Server security groups. The user that appeared with full rights was fine in SharePoint mode but Project Server permissions didn't know about this user hence the access denied.

    • Hope that helps
    • Paul


    Paul Mather | Twitter | http://pwmather.wordpress.com | CPS

    Saturday, August 2, 2014 12:45 AM
  • On top of the very good Paul's explanation, here is what happens behind the scene:

    case 1: you assign a resource to a project task, you save and publish project:

    • A hard coded job will parse assignment table and will put : 
    •    Project manager (MS office project synched) role to the project owner
    •    Team member (MS office project synched) role to resources with assignments

    In addition, 2 additional jobs will give suitable permissions to the resources part of security groups of PWA:

    • 1 gives access to PWA site (to access my tasks, time sheets...)
    • the other one gives proper access to the resources who have dynamic rights(ie: if they are part of a PWA group that has a category, for instance, giving read to anyone who has Same RBS as project owner

    Case2: you add a resource in PWA as part of a security group

    • 1 job for PWA top site + 1 job for each project of server will give suitable rights to the new resource.

    Case3: you change the permissions of an existing security group (more exactly to the category set to the group )

    • 1 job for PWA site + 1 job by project will populate on each project site the new permissions. Mind to do that out of peak hours or you'll have a big slow down.

    Case4: you add manually permissions directly in the project site. In this case one should never add people in an synched group or rights will Be overwritten during the next project publish.

    note there are known bugs for large data set when many synch jobs stay in the queue: we can have jobs conflict and a general permissions loss.  On top of that, a sync job including people whose active directory accounts are bad (having left the company for instance) can block permissions syncs.... We demonstrated this fact to Microsoft and we are working on that with them...

    hope this helps 

    Jeff 

    Sunday, August 3, 2014 9:24 AM