Home > Sample chapters > Microsoft Office > Project

Administering Your Enterprise Project Management Solution in Microsoft Project 2010

Configuring Project Server Security

As the project server administrator, you configure enterprise project management options on the Server Settings page in Project Web App. Links to all pages are listed on the Quick Launch located in left pane of the Project Web App window. On the Quick Launch, under Settings, click Server Settings. The Server Settings page appears, as shown in Figure 23-1. Only users with administrative permissions can open the Server Settings page.

Figure 23-1

Figure 23-1 Set up enterprise project management options on the Server Settings page in Project Web App.

To allow people throughout the organization to use the Microsoft Project 2010 enterprise project management features they need, you first need to identify them as users of your project server. At the same time, you also specify user permissions that enable each user to carry out his or her responsibilities according to the user’s role.

Understanding Groups, Categories, and Permissions

Project Server security is based on users, groups, and categories. Groups contain a set of users who have the same permissions—they need to access the same data in the same way (for example, all project managers, all portfolio managers, all executives in your organization). Categories provide access to different items, such as projects and resources, based on defined parameters.

The security model for Project Server is inherited from SharePoint Server. This allows you, as project server administrator, to manage user and group access to objects such as projects, tasks, resources, the strategy section, reporting, and so on. You can manage security efficiently by employing user groups, to which you can assign the same security level.

Project Server comes with a robust set of built-in user groups and categories, each of which is associated with a set of permissions related to various aspects of enterprise project management.

You can look at permissions as having authority to perform a specific action in Project Server—for example, to add a project or add a task.

There are two types of permissions:

  • Global permissions These permissions give users and groups the ability to perform actions in Project Web App. Global permissions are assigned on a user or group basis.

  • Category permissions These permissions allow users or groups to perform actions at a category level. Category permissions are groupings of global permissions (for example, task permissions, resource permissions, and so on).

The default groups in Project Server are typically sufficient for managing security permissions for the different roles in your organization. It is recommended that you do not change the default security settings. If you need to configure special security exceptions, you can create new security objects.

The built-in user groups, also known as roles, are as follows:

  • Administrators Users who have all global permissions as well as category permissions.

  • Executives Users who have access to view project and Project Server data. These users need to be able to access project and portfolio information.

  • Portfolio Managers Users who can create projects and teams. They can also perform portfolio analysis in the Strategy section.

  • Project Managers Users who have project-related permissions and certain resource permissions. These users maintain project information such as schedule, costs, and so on, and they can receive progress updates.

  • Resource Managers Members of this group have resource-related global and category-level permissions. They can manage and assign resources.

  • Team Leads Users who have limited access for task creation and status reports.

  • Team Members Users who can update task progress and suggest task changes. Typically all Project Web App users have this basic but limited permission set.

Each of the user groups can be associated with a security template that includes the set of permissions most likely to be needed by everyone in that group.

In addition to setting the permissions for a new user, you also set the categories of information that can be associated with a user group, to which users are then assigned.

Although you can create your own categories, the built-in categories are:

  • My Direct Reports Gives users permission to approve timesheets and status updates.

  • My Organization Contains all project-level and resource-level permissions. This category is intended to give users visibility into all data and tools available in Project Web App.

  • My Projects Allows users access to project-related data.

  • My Resources Allows resource-level permissions, filtered on users.

  • My Tasks Allows users to see projects to which they are assigned. This category is associated with the Team Members group.

It is not recommended that you change the built-in categories. Instead, add new categories that you can configure and use.

To further understand the differences between groups and categories, think of groups as collections of users and think of categories as collections of data. User groups can be granted access to categories. For example, you can grant the Project Managers group access to My Projects.

Creating a User Account

To create a user account in Project Web App and set the user’s permissions, follow these steps:

  1. On the Quick Launch, under Settings, click Server Settings.

  2. Under Security, click Manage Users.

    The Manage Users page appears, as shown in Figure 23-2.

    Figure 23-2

    Figure 23-2 Open the Manage Users page to add a new user account.

  3. In the toolbar above the table, click New User.

    httpatomoreillycomsourcemspimages1431703.jpg

    The New User page appears, as shown in Figure 23-3.

    Figure 23-3

    Figure 23-3 On the New User page, specify the new user’s account name, group, permissions, and other information.

  4. In the Identification Information section, be sure that the check box labeled User Can Be Assigned As A Resource is selected if the user is to be part of your enterprise resource pool.

  5. Enter at least the user’s display name, which is typically the person’s first and last name. If you complete the E-mail Address box, type the address in the format of someone@microsoft.com.

  6. Under User Authentication, enter the user ID. You can also select the option to not synchronize with Active Directory.

  7. In the Assignment Attributes section, select or clear the Resource Can Be Leveled check box. Enter the calendar type, timesheet manager, assignment owner, availability and cost rates.

  8. You can also select the option to synchronize the resource’s tasks with Microsoft Exchange Server tasks. This allows users to update their tasks using Microsoft Outlook.

  9. Select the department to which the resource belongs.

  10. Select the security group, the user’s role, security categories, and which menu options the user is able to see—for example, My Direct Reports, My Tasks, and so on.

  11. Select the group fields. These fields apply if your organization groups resources for cost tracking. Type the codes in the group codes fields.

  12. In the Team Assignments section, specify whether this person is part of a team. Type the name of the team or select it from the list. The project manager will be able to assign resources to the team as well.

  13. In the System Identification section, specify an external ID. This information might be used to link the user account you are currently creating to information in the human resources department for reporting and data consolidation.

  14. When you are done entering all the information, click Save at the bottom or top of the page.

After you set up user accounts, team members and other Project Web App users need only to use their web browser to go to the URL for your project server location. They enter their user name (and password, if necessary), and their own view of Project Web App appears.

Deactivating a User

You can deactivate a user—for example, one who has left the company after working on several projects. When you deactivate a user, the information about that user’s assignments remain intact. When a user is deactivated, he or she can no longer send status updates, request status reports, and edit/delegate tasks.

When a user is deactivated, the project manager is prompted to reassign the user’s work.

To deactivate a user, follow these steps:

  1. On the Quick Launch, under Settings, click Server Settings.

  2. On the Server Settings page, under Security, click Manage Users.

  3. Select the check box next to the name of the user you want to deactivate.

    You can select several check boxes to deactivate multiple users at once.

  4. In the toolbar above the table, click Deactivate Users.

    httpatomoreillycomsourcemspimages1431707.png

    In the alert that appears, click OK. The selected user is deactivated and can no longer sign in to the server.

If you need to reactivate a deactivated user, in the Manage Users page, click the user’s name to open the Edit User page. In the Identification Information section in the Account Status box, click Active. Click the Save button.

Viewing or Changing Permissions for User Groups

You can review the sets of permissions assigned to a particular user group. You can also modify the set of permissions for a user group. To do this, follow these steps:

  1. On the Quick Launch, under Settings, click Server Settings.

  2. Under Security, click Manage Security Templates.

    Click the name of the template whose permissions you want to see—for example, Executives or Portfolio Manager. As discussed at the beginning of this chapter, each security group has an associated security template containing the group’s permissions.

  3. In the Add Or Edit Template page, scroll through the Category Permissions and the Global Permissions lists to see the permissions for the selected group.

    Make any changes by selecting or clearing the Allow or Deny check boxes next to permissions. By selecting the Allow check box, you grant the user group access to this functionality. By selecting the Deny check box, you restrict that user group from using that functionality.

  4. When you are finished, click the Save button.

Creating a Security Template

A security template is a collection of permissions that can be associated with a user group or a category. By using a security template, you can standardize security across your organization.

Project Server comes with seven built-in security templates, one for each of the seven built-in user groups, from Team Member to Administrator. You can also set up your own security templates with entirely different sets of permissions. You can then assign the new set of permissions to users, groups, and categories in a single step.

To create a new security template, follow these steps:

  1. On the Quick Launch, under Settings, click Server Settings.

  2. Under Security, click Manage Security Templates.

  3. In the toolbar above the table, click New Template.

    httpatomoreillycomsourcemspimages1431709.png

    The Add Or Edit Template page appears.

  4. In the Name section, type a name in the Template Name box. You can also type a description.

  5. If you want to base your new security template on an existing template, click the name of the template in the Copy Template box.

  6. In the Category Permissions section, select or clear the Allow or Deny check boxes next to the permissions listed.

  7. In the Global Permissions section, select or clear the Allow or Deny check boxes next to the permissions listed.

  8. When you have finished, click the Save button.

Creating a Group

Each group, or role, defined in Project Web App is identified by a set of permissions. You can specify which users belong to which group, the categories of information they have access to, and the permissions for what they can do with that information. If your organization uses different roles from those identified as groups in Project Web App (for example, Project Managers and Team Leaders), you can create your own. To do this, follow these steps:

  1. On the Quick Launch, under Settings, click Server Settings.

  2. Under Security, click Manage Groups.

    The Manage Groups page appears, as shown in Figure 23-4.

    Figure 23-4

    Figure 23-4 Use the Manage Groups page to review, modify, add, or delete groups (roles).

  3. In the toolbar above the table, click New Group.

    httpatomoreillycomsourcemspimages1431715.jpg

    The Add Or Edit Group page appears.

  4. In the Group Information section, enter the group name and description in the first two boxes.

  5. In the Users section, click the users you want to add to the group, and then click the Add button.

    You can also add users after you finish defining the group.

  6. In the Categories section, click any categories (for example, My Tasks or My Resources) that members of this group should have access to, and then click the Add button.

  7. In the Selected Categories box, select each category in turn. Then, in the Permissions box that appears, set the permissions for the selected category. Repeat this process for each category in the Selected Categories box.

    If you want to use a security template to set permissions for a category, scroll to the bottom of the page, click in the Set Permissions With Template box, and then select the template. Click Apply. Make any adjustments to the permissions as necessary for the selected category.

  8. Click the plus sign next to the Global Permissions label to expand the list. Specify the global permissions that you want to apply to your new group.

    If you prefer to use a security template to set global permissions for a category, scroll to the bottom of the page, click in the Set Permissions With Template box, and then select the template. Click Apply. Make any necessary adjustments to the permissions for the selected category.

  9. When you have finished defining the new group, click the Save button.

To edit an existing group, on the Server Settings page, under Security, click Manage Groups. In the table, click the name of the group you want to change. In the Add Or Edit Group page, you can edit the group by modifying which users are in the group, changing the categories associated with the group, or changing permissions for the group.

Customizing Categories

Categories are clusters of information, such as My Tasks, My Projects, or My Resources. Some user groups should have access to all categories, whereas other groups need access to only two or three categories.

If the built-in categories don’t quite fit the way your organization works with projects, you can customize them or create entirely new ones. To create a new category, follow these steps:

  1. On the Quick Launch, under Settings, click Server Settings.

  2. Under Security, click Manage Categories.

    The Manage Categories page appears.

  3. In the toolbar above the table, click New Category to open the Add Or Edit Category page.

    httpatomoreillycomsourcemspimages1431719.png
  4. In the Name And Description section, enter a name and description for your new category.

  5. In the Users And Groups section, select the users and groups you want to add to the category, and then click the Add button.

  6. Select the first user or group in the Users And Groups With Permissions box.

    In the Permissions box that appears, specify the permissions for users in this category, and then repeat this process for each user and group you added to the category. To move from one user group to the next, simply select the name of the user group in the Users And Groups With Permissions box.

  7. In the Projects section, specify which projects the users in this category should be able to access: all projects in your project server database or just selected projects. Select or clear the project-related check boxes to further define the category.

  8. Click the plus sign next to Resources to expand the Resources section.

    Specify which resources the users in this category should be able to view: all current and future resources in your project server database or just selected resources. (See Figure 23-5.) Select or clear the resource-related check boxes to further define the category.

    Figure 23-5

    Figure 23-5 Specify the resources whose information can be accessed by users in this category.

  9. In the Views - Add To Category section, select the check box for the views that the users in this category should be able to use.

    To select all views in a group of views, such as Project or Resource Center, select the check box next to that name, and all the views within that group are selected.

  10. When you have finished, click the Save button.

    Your new category is added to the table in the Manage Categories page.

To modify an existing category, click the category name in the Manage Categories page—for example, My Direct Reports or My Tasks. Review the information on the Add Or Edit Category page, and make the changes you want. When you have finished, click the Save button.