Workspace Permission Question

  • Question

  • Experts, I have the following scenario

    When a Project Manager creates and publishes a schedule and a workspace, then adds team members who also have the Project Manager security group or save rights, wouldn't they also get the Project Managers (Microsoft Office Project Server) access to the workspace? They are getting the Readers (Microsoft Office Project Server) permission instead. Maybe I'm misunderstanding this, but I thought anybody who either publishes the schedule or has save rights can edit the project workspaces. What am I missing?

    Thursday, September 2, 2010 9:39 PM


All replies

  • Hi Hadie,

    This article might help you better understand Project Workspace permissions: "Adjust the Default Project Web Access Permission Levels" at the Project Server Blog. It would also be a good idea to view the article "Determine permission levels and groups to use (Windows SharePoint Services)" at TechNet.

    Hope this helps!

    Uttkarsh

    Blog| uttkarshkalia.wordpress.com

    Thursday, September 2, 2010 11:36 PM
  • Thanks, I will read those, but I am trying to find out if the last STP template I loaded has something to do with this. I had about 5 versions of the workspace template and all permissions were working great up until a month ago, when things started to look strange. For example, when a PM published a workspace, his team members (who also have save access to the project schedules) were only granted the Reader role. However, when I (admin) go into the schedule, delete those resources (or team members), then add them back in and publish, they get Full access to the workspaces. What's going on here?
    Friday, September 3, 2010 2:12 AM
  • Hi Hadi,

    I am sure you must have a dev or test environment for your Project Server instance and have deployed the latest STP template. If I were you I would create a similar scenario and monitor the user permissions. If results are positive, then I am sure something has gone bad in my STP template regarding user and permissions.

    Have a run and share back your experience.

    Cheers!

    Uttkarsh

    Blog| uttkarshkalia.wordpress.com

     

    Friday, September 3, 2010 2:44 AM
  • Uttkarsh,

    I did some testing in the Test and Production environments. I found the problem, so hopefully there is a solution. Take a look at these scenarios:

    1. PM creates schedule, adds team members from enterprise, then saves and publishes. Result is team members get the Readers permission to the workspace.

    2. PM creates schedule, saves and publishes, then adds team members from enterprise. Result is team members get the Project Manager (the correct) permission to the workspace.

    How do we explain that?

    Friday, September 3, 2010 4:39 AM
  • Hadie,

    So your test justifies that your STP template is accurate in terms of User Permissions.  You got the results as expected :) which is a good sign.

    Now my friend you need to redeploy the same STP template back on the Prod Server, and before you do that delete the existing one running on Prod.

    I am not very sure why the existing Prod Workspace template is behaving radically in your prod environment.

    Well I guess it's time to get to the bottom of this. Try to redeploy the same template.stp file which is running on the test environment and let's see what results we receive.

    Forgot to mention, please create a new project and assign the resources (Team members and Project Managers) and run the test.

     

    Hope this time it works!

    Cheers!

    Uttkarsh

    Blog| uttkarshkalia.wordpress.com

    Friday, September 3, 2010 5:38 AM
  • Uttkarsh, I am using the same template in Production and Test but I only have the problem in Production. So it appears that the STP template is working fine, which makes sense because I did not think that STP templates carry any permission settings. It all comes from the parent site when we publish.

    This is confusing. Any other ideas as to why this is happening?

    Hadi

    Friday, September 3, 2010 6:05 PM
  • Uttkarsh, I changed my mind. I'm having the same issue with Test as well. I actually went back and used the original template that came with the software and am getting the same issue. So I know it's not the template that is causing this.
    Friday, September 3, 2010 6:30 PM
  • Hi Hadie,

    What you are seeing is the expected behavior.  Just because a resource is in the Project Manager group does not mean they will be in that SharePoint group for all projects.  If they are just a resource added to the project then they will just get Team Member permissions on the site.  If they opened the project and assigned some tasks, and became a 'status manager' then they would get the extra permissions.  Also if they had "save project" permissions for that project because of the categories they belong to they would also get Project Manager permissions.  As per the description of permissions on the Project Site (Workspace) Provisioning Settings page:

    Project managers who have published a project or who have Save Project permissions on a project are added to the Project Managers (Microsoft Project Server) site group. Team members with assignments in a project are added to the Team members (Microsoft Project Server) site group. Other Project Server users who have View Project Site permission on a project are added to the Readers (Microsoft Project Server) site group.

    If however they are in the administrators group they would always get Web Administrators permissions.  As you surmised, the template does not have any control over these permissions.

    If you are using 2010 then the new Project Permissions feature allows you to give "View Site" permissions.  Normally this would confer just the Reader permissions, but in my testing for resources who are already Team Members because they are on the team - this elevates to the Project Managers permissions (if they are in the Project Managers group).  Not sure I fully understand why this changes the permissions as it does - but it does...

    Best regards,

    Brian.


    Blog | Facebook | Twitter | Posting is provided "AS IS" with no warranties, and confers no rights.
    Project Server TechCenter | Project Developer Center | Project Server Help | Project Product Page
    Friday, September 3, 2010 10:00 PM
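
The site-group rule quoted in the reply above, written as a membership drift check. This is an added example, not part of the original thread and not Project Server code; the field names, the privilege ordering and the sample users are assumptions constructed for illustration, and the actual membership would come from an export of the workspace's SharePoint groups.

```python
from dataclasses import dataclass
from typing import Optional

# Site group names as they appear in the thread.
WEB_ADMINS = "Web Administrators"
PROJECT_MANAGERS = "Project Managers (Microsoft Project Server)"
TEAM_MEMBERS = "Team members (Microsoft Project Server)"
READERS = "Readers (Microsoft Project Server)"

# Assumed privilege ordering, lowest to highest, used to classify drift.
RANK = {None: 0, READERS: 1, TEAM_MEMBERS: 2, PROJECT_MANAGERS: 3, WEB_ADMINS: 4}


@dataclass(frozen=True)
class ProjectAccess:
    """What Project Server knows about one user on one project (hypothetical fields)."""
    is_admin: bool = False
    published_project: bool = False
    has_save_project: bool = False   # granted through the user's categories
    has_assignment: bool = False
    has_view_site: bool = False


def expected_group(a: Optional[ProjectAccess]) -> Optional[str]:
    """Apply the provisioning rule in order of precedence; None means no access."""
    if a is None:
        return None
    if a.is_admin:
        return WEB_ADMINS
    if a.published_project or a.has_save_project:
        return PROJECT_MANAGERS
    if a.has_assignment:
        return TEAM_MEMBERS
    if a.has_view_site:
        return READERS
    return None


def membership_drift(facts, actual):
    """Return (user, actual, expected, kind) for every user whose workspace
    group differs from what the rule yields, e.g. because no sync has run."""
    findings = []
    for user in sorted(set(facts) | set(actual)):
        exp = expected_group(facts.get(user))
        act = actual.get(user)
        if act != exp:
            kind = "over-privileged" if RANK[act] > RANK[exp] else "under-privileged"
            findings.append((user, act, exp, kind))
    return findings


# Constructed sample: Project Server facts and an exported workspace membership.
FACTS = {
    "PM1": ProjectAccess(published_project=True, has_view_site=True),
    "PM2": ProjectAccess(has_view_site=True),        # on the team, no task
    "TM1": ProjectAccess(has_assignment=True, has_view_site=True),
}
ACTUAL = {
    "PM1": PROJECT_MANAGERS,
    "PM2": PROJECT_MANAGERS,        # higher than the rule yields for PM2
    "TM1": READERS,
    "former.member": TEAM_MEMBERS,  # no longer known to the project
}

if __name__ == "__main__":
    for row in membership_drift(FACTS, ACTUAL):
        print(row)
```

Over-privileged rows are the ones to review first, since they represent access that the provisioning rule no longer justifies.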
  • Hello Hadie,

    Here are my findings:

    When a Project manager creates and publishes a schedule and a workspace, then adds team members who also have the Project Manager security group or save rights, wouldn't they also get the Project Managers (Microsoft Office Project Server) access to the workspace.

    - Your statement is correct, provided you need to assign a task to that project manager II. Just adding that PM in Build team will give only Readers permission.

    If you assign a task to a project manager on other project manager's project plan, he will get PM permission even though he is just a team member on this plan. (By design)

    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    Even after assigning a task, if they are getting Readers (Microsoft Office Project Server) permission instead of Project Managers, it means you have modified your Project Groups & Categories permissions.

    Project workspace permissions are driven by project server. So create a default PWA instance and compare with your permission settings.


    Cheers. Happy troubleshooting !!! Sriram E - MSFT Enterprise Project Management
    Saturday, September 4, 2010 1:09 AM
  • Sriram and Brian,

    Thank you for taking the time to answer my questions. There is one simple question that I still do not see answer for.

    Just a reminder that the Project Managers also belong to the My Projects category. Here is what I'm seeing happening but cannot find an answer for it

    First Scenario: PM1 creates a schedule and saves it to the Server (no publishing yet). Then he adds PM2 as a team member (no assignments), then publishes the schedule and creates a workspace. In this case, PM1 gets the Project Managers role on the workspace but PM2 gets the Readers role.

    Second Scenario: PM1 creates a schedule, saves to the Server, then publishes and creates a workspace. Then he goes back to the schedule (after publishing) and adds PM2 to the team (no assignments made), then publishes the schedule again. In this case, both PM1 and PM2 get the Project Managers role in the workspace.

    So in short, if PM2 gets added to the team before the publish and workspace creation, he gets the Readers role. However, if PM2 gets added after the publish and workspace creation, then he gets the Project Manager role. Why is that?

    Saturday, September 4, 2010 4:14 PM
  • First Scenario: Expected

    Second Scenario: Since the "WSS Workspace Membership synchronization" job was not executed after the publish, PM2 was added as PM due to Top level site permission. Follow the steps below and check the status.

    Go to Server Settings --> Project Workspaces --> Click on the specific plan (left) --> Click Synchronize

     --> Observe the behaviour (Project manager will become Readers back)

    So in short, if you don't assign a task, the PM will be added as Readers.


    Cheers. Happy troubleshooting !!! Sriram E - MSFT Enterprise Project Management
    • Marked as answer by hadie Tuesday, September 7, 2010 5:10 AM
    Monday, September 6, 2010 5:23 PM
  • Sriram,

    I noticed that behavior myself so now I understand why.

    One last question (hopefully): To me this looks to be a pure Category problem, because let's say we create a new Category and allow Users that belong to it to see all current and future projects in the database. If PM2 now belongs to that category instead of the My Projects one, then when PM1 assigns PM2 to the project PM2 automatically gets the Project Manager role in the workspace. Why is that?

    If I go to Server Settings --> Project Workspace Provisioning Settings, it says that Project managers who publish the projects (in my case PM1) or have save permission on the project (I was thinking this is PM2) would have the Project Manager role in the workspace. That seems to be true if the category PM2 belongs to is not the My Projects one but one that has the "All current and future projects in Project Server database" turned on.

    Thanks again

    Monday, September 6, 2010 9:46 PM
  • Forgot to ask another question: what triggers the WSS Workspace Membership synchronization after the first publish? The reason I ask is because we have some workspaces where PM2 was added after the first publish and got the Project Manager role. No changes until now. If nobody goes to Project Workspaces and hits the Synchronize button, would it do it by itself?

    thank you

    Hadi

    Tuesday, September 7, 2010 5:13 AM
  • Hi Hadi,

    You are right about the categories - if the category has "all current and future..." then the PM2 will have the Save Project permissions for any project - so will get the PM permissions on all sites.  The membership sync will get triggered by any publish and also any group or category changes.  You should be able to see the jobs in the queue - so if you add the "Success" to the job completion states then you can see when this has been run.  You can also turn off this automatic synchronizing if it is not doing what you need and manually control all permissions - see http://blogs.msdn.com/b/brismith/archive/2009/04/17/project-server-2007-wss-sync-issues-error-access-denied.aspx for some details.  This is normally undertaken when the number of users involved is large and the sync is causing performance or access issues.

    Best regards,

    Brian.


    • Marked as answer by hadie Tuesday, September 7, 2010 3:44 PM
    Tuesday, September 7, 2010 2:53 PM
  • Brian, as always thanks for your support to this forum

    So if PM2 is part of the My Projects category and has save project rights to Project1 that includes him as a team member, wouldn't he also have PM rights to that workspace? Why does he have to be assigned to a task?

    Thanks for the link...it's quite useful, although I don't have any AD sync going on in PWA. That sync tool might be handy though.

    The other question I have is: we have projects that get published all the time but nothing seems to happen to the permissions in the workspace site. And yes, we do have auto sync ON under Project Workspaces Provisioning Settings. That's what got me in trouble in the first place, because during our pilot period most of the pilot projects added their team members after the first publish and everything was working fine (and still is) in terms of the workspace permissions. Now we have rolled this out to 200+ users and we're starting to see these issues come up.

    thanks again

    Hadi

    Tuesday, September 7, 2010 3:50 PM
  • Brian or Sriram, I would really appreciate it if you could address my questions above as this will answer all of my questions regarding this topic.

    thanks!!

    Hadi

    Wednesday, September 8, 2010 4:31 PM
  • Hi Hadi,

    If PM2 is part of My Projects, and Project1 is either implicitly or explicitly set to that category then they will get Project Manager permissions even if they are not assigned to a task in the project (just added to the team).  I was incorrect with the queue job that updates the permissions, and in my testing the update happened with just a save after adding a new resource and in the queue I see a Project Update Team job (this is Project Server 2010)

    I retested with 2007 and see the same behavior, but the permissions do not appear to get updated until you explicitly do a Synchronize on the Project Workspaces page (Server Settings), or you change a resource in such a way that their permissions would change (make a team member a project manager).  The queue jobs you will then see are WSS Workspace Membership Synchronization or User Synchronization for Project Web Access App Root Site and Project WSS Workspaces.

    I hope this helps Hadi.

    Best regards,

    Brian.


    • Marked as answer by hadie Thursday, September 9, 2010 2:59 PM
    Wednesday, September 8, 2010 7:20 PM
  • Yes, it does help a lot. I'm not getting the behavior explained in your first sentence above. How do you make a project implicitly or explicitly part of a Category? So the project list in the My Projects Category in the Projects section right under "Only the projects indicated:"; do these projects need to be moved to the right box of that section?

    Thank you so much.

    Hadi

    Thursday, September 9, 2010 2:59 PM
  • Hi Hadi.  Implicitly would be "all current and future projects" and explicitly would be to add the project to the right hand box if "only selected project" is selected.  This is from memory so hopefully that makes sense.  If PM2 also opened the project and assigned someone they would get this same level of control.

    Best regards,

    Brian.


    Thursday, September 9, 2010 9:12 PM
  • Brian, implicitly works, but if I add the project to the right hand box the behavior seems to be the same. PM2 still gets the Reader role. The strange thing is, if I go to the Project Manager security group setting and make any type of change (i.e. initiate the "User Synchronization for Project Web Access App Root Site and Project WSS Workspaces" in the Queue), then PM2 gets the Project Manager role and stays that way until I manually synchronize the WSS under Server Settings. I don't understand this behavior. It's not consistent.
    Friday, September 10, 2010 9:18 PM
  • Hi Hadie,

    I agree with you that it seems to be not consistent. But this sometimes is the case (not only) with Project Server...... ;-)

    Regarding the "my projects" category:

    If you work with the default Project Server groups and categories, a Project Manager has save permissions to all projects in the "my projects" container. And this "my projects" container contains dynamically not only all projects the PM owns, but also all projects he is a team member of.

    Regards

    Christoph

    Monday, June 27, 2011 4:30 PM