Enterprise Resource Pool and Security

All replies

• 

  

  0

  Sign in to vote

  Jessica ,

  When you update ERP, root site sync permissions jobs gets initiated which updates permission for Team Members group.

  In your scenario it depends on how you have defined your categories and groups association, which is causing security permissions being revoked after ERP update.

  Hope this helps.

   

  ---

  Hrishi Deshpande – Senior Consultant DeltaBahn
  Blog | < | LinkedIn
  
  Please click Mark As Answer; if a post solves your problem or Vote As Helpful if a post has been useful to you.This can be beneficial to other community members reading the thread.

  Tuesday, January 15, 2013 8:36 PM
• 

  

  0

  Sign in to vote

  OK- I was not aware of this issue but after doing some research on the root site sync permissions job, it seems like this is an error that may occur if you make large updates to the ERP. Is that correct? Are there any ways to minimize the impact?

  Our security model is not that complicated. We have categories and groups, when a new user is added to the ERP, when assign that user to a group.

  Thanks

  ---

  Jessica Hancock

  Tuesday, January 15, 2013 8:50 PM
• 

  

  1

  Sign in to vote

  That's true. If root site sync job is failed after updating any group or security permissions , users will loose their permissions. However if you insert a column  success from "Job competition states" while looking at Manage queue page, you may see  root site sync jobs processed successfully for few users.

  To fix the issue you need to re-initiate the sync job, by removing 1 resource from TEAM MEMBERS groups and adding it back. Monitor the job.

  To minimize the impact avoid performing security update during peak hours when the application is used extensively.

  ---

  Hrishi Deshpande – Senior Consultant DeltaBahn
  Blog | < | LinkedIn
  
  Please click Mark As Answer; if a post solves your problem or Vote As Helpful if a post has been useful to you.This can be beneficial to other community members reading the thread.

  Tuesday, January 15, 2013 9:02 PM
• 

  

  0

  Sign in to vote

  Hello - I have a follow up question regarding the failed root site sync jobs. I read a post that suggested I could "turn off" automatic user sync for PWA to prevent the root sync permissions job from kicking off. Is this a viable option? What are the potential drawbacks?

  Thanks,

  Jessica

  ---

  Jessica Hancock

  Tuesday, February 26, 2013 7:28 PM
• 

  

  0

  Sign in to vote

  Jessica,

  This options is feasible only in few scenarios e.g. You have a very large pool of users like more than 40-50K, or you need provide access to all domain users on PWA site.

  And this setting is not out of box feature.  Main drawback of this option is you need to manually sync users on Project sites as well as PWA root site. From administration point view this will be really complicated and frustrating in case of access or permission issue.

  Hope this helps.

  ---

  Hrishi Deshpande – Senior Consultant DeltaBahn
  Blog | < | LinkedIn
  
  Please click Mark As Answer; if a post solves your problem or Vote As Helpful if a post has been useful to you.This can be beneficial to other community members reading the thread.

  Tuesday, February 26, 2013 7:35 PM
• 

  

  0

  Sign in to vote

  OK, that doesn't seem like the right option for us. What about this Project Server Workspace sync tool I have seen? It looks like it addresses the exact issue I saw but I haven't seen any references to the tool. outside of Project Server 2007.

  I am just looking for a solution that will provide us with some reassurance that this won't happen every time we update the Enterprise Resource Pool, which is about once a month.

  Jessica

  ---

  Jessica Hancock

  Tuesday, February 26, 2013 8:27 PM
• 

  

  0

  Sign in to vote

  Jessica,

  Again using Project Server Workspace sync tool do you really want to manage all Project Sites security manually?

  Instead I would recommend to review your ERP update process.

  You wrote:

  The process I follow when updating the Enterprise Resource Pool is to select all resources in Project Server and click Open to display the resources in Project Professional. Then I take a csv file containing my updated list and open that file in Project Professional, using the resource name as a merge key. My update process does not contain any data related to security groups so I'm not sure how that information would have changed.

  a. What is the goal you are trying to achieve?

  b. What information is merged from CSV file into ERP?

  ---

  Hrishi Deshpande – Senior Consultant DeltaBahn
  Blog | < | LinkedIn
  
  Please click Mark As Answer; if a post solves your problem or Vote As Helpful if a post has been useful to you.This can be beneficial to other community members reading the thread.

  Tuesday, February 26, 2013 8:32 PM
• 

  

  0

  Sign in to vote

  a. What is the goal you are trying to achieve? - I want to make sure all new resources who have joined the organization in the last month are added to the ERP. I also want to make sure the data for existing users is correct.

  b. What information is merged from CSV file into ERP? - The csv file includes resource name, a labor category, employee ID, department ID, AD account, resource calendar, and email address. Beside adding new resources, the field that probably changes most often is the users calendar.

  Is the answer here to just update the ERP during non-business hours?

  ---

  Jessica Hancock

  Tuesday, February 26, 2013 8:42 PM
• 

  

  0

  Sign in to vote

  Both these situations can be taken care by Project Server itself.

  Scenarios 1
  The user exists in Active Directory and is a member of the Active Directory group that is mapped to the Enterprise Resource Pool. The user does not exist in Project Server.

  Action Taken
  A new corresponding Project Server user and enterprise resource is created in Project Server and added to the Team Members Project Server security group.

  Scenario 2
  The user exists in Active Directory and is a member of the Active Directory group that is mapped to the Enterprise Resource Pool. The user exists in Project Server as an enterprise resource and a user. The user's information has been updated in Active Directory.

  Action Taken
  The corresponding Project Server enterprise resource and user information is updated (if applicable).

  For More Information Review

  http://technet.microsoft.com/en-us/library/gg982985(v=office.14).aspx

  Out of box, only certain fields from AD are updated with PWA, for additional fields you may need to use custom code. Here is the code for 2007 which can be easily tweaked for 2010

  http://ps2007adressync.codeplex.com/releases/view/10880

  ---

  Hrishi Deshpande – Senior Consultant DeltaBahn
  Blog | < | LinkedIn
  
  Please click Mark As Answer; if a post solves your problem or Vote As Helpful if a post has been useful to you.This can be beneficial to other community members reading the thread.

  Tuesday, February 26, 2013 9:17 PM
• 

  

  0

  Sign in to vote

  We are not currently using the AD sync feature in Project Server. We are importing a .csv file that contains data from our HR system, mainly because we want those additional fields that are not stored in the AD. I will pass along this information but I'm not sure the organization will be willing to make the switch.

  Thanks!

  ---

  Jessica Hancock

  Thursday, February 28, 2013 4:13 PM