Interaction Between SharePoint 2010 Security Groups and Project Server Security Groups

Posted by: Peter Williams on April 26, 2013

When first introduced to Project Server (which was the 2010 version), I read a lot on the security model and found that every time I thought I had a handle on how it all worked, I would encounter a problem related to security and realize that I was obviously still lacking in understanding. This was especially so when I was viewing the membership of the SharePoint security groups created by Project Server on project sites.

The focus of this blog is on how SharePoint security groups created by Project Server interact with Project Server security groups.

During my research I found the Microsoft document Guide for IT Pros for Project Server 2010 very useful, especially the section on page 114 with the heading Project Server and SharePoint Server Security. I suggest spending some time mulling over the content of these two pages.

The rest of this blog is my summation of that document along with some clarifying comments.

Depending on the Project Server security configuration, a user is made a member of one of four SharePoint security groups on a project site. These SharePoint groups are:

  1. The Web Administrator Group (Microsoft Project Server), which has permissions equivalent to the Full Control SharePoint permission level. This means all personal, site and list permissions are granted for the SharePoint site.
  2. The Project Managers Group (Microsoft Project Server), which has permissions equivalent to the Design SharePoint permission level. This means a member of the group can edit lists, document libraries, and pages on the SharePoint site.
  3. The Team members group (Microsoft Project Server), which has permissions equivalent to the Contribute SharePoint permission level. This means a member of the group can view pages and edit list items and documents on the SharePoint site.
  4. The Readers Group (Microsoft Project Server), which has permissions equivalent to the Read SharePoint permission level. This means a member of the group can view pages, list items and documents on the SharePoint site.

When a project is published, or a project site is synchronized (via Project Sites >> Synchronize), Project Server synchronizes/updates the memberships of these four groups on the project site.

It is worth noting that a user will most likely belong to only ONE of the project site SharePoint security groups noted above. E.g. an administrator may be the Project Manager as well, but he/she will only be found as a member of the Web Administrators group. This particular point confused me at first, as I was expecting to see a user as a member of more than one security group as appropriate, as in other security models.

What factors determine the membership of these Project-Server-created SharePoint security groups on a project site? Refer to the table below, but please note that this applies only to a project site and not the PWA home site.

| SharePoint Group | Requirements |
| --- | --- |
| Web Administrator Group (Microsoft Project Server) | User has Manage SharePoint Foundation global permission assigned. This is typically assigned to a member of the Project Server Administrators group. |
| Project Manager Group (Microsoft Project Server) | User has published the project or has the Save Project to Project Server category permission assigned. This is typically assigned to a member of the Project Server Project Managers group. |
| Team member group (Microsoft Project Server) | User has an assignment(s) on project in Project Server. |
| Readers Group (Microsoft Project Server) | 1) View Project Site category permission is assigned. This is typically assigned to a member of the Project Server Team Members group. 2) Or the user is part of project team but not assigned a task. |

 

The following Project Server permissions also affect the user's ability to access a project site (but not the group membership discussed above).

  1. Log On (global permission) – the user won't be able to log on without this permission.
  2. View Project Site (category permission) – determines whether access to the project site is granted.
  3. Create Object Links (category permission) – determines if a user is able to associate a project site item such as a risk, issue or document to a task. This functionality is found when editing a project schedule in PWA.

[Screenshot: Schedule Tools, Options ribbon]

 

As mentioned earlier, you will notice these four SharePoint groups are also found on the PWA site (Site Actions >> Site Permissions). What factors determine the membership of these Project-Server-created SharePoint security groups on the PWA site?

| SharePoint Group | Requirements |
| --- | --- |
| Web Administrator Group (Microsoft Project Server) | User has Manage SharePoint Foundation global permission assigned. This is typically assigned to a member of the Project Server Administrators group. |
| Project Manager Group (Microsoft Project Server) | User has Manage Lists in Project Web App global permission assigned. This is typically assigned to a member of the Project Server Executives, Portfolio Managers or Project Managers group. |
| Team member group (Microsoft Project Server) | User has Contribute to Project Web App global permission assigned. This is typically assigned to a member of the Project Server Team Leads, Resource Manager or Team Members group. |
| Readers Group (Microsoft Project Server) | User has Log On global permission assigned. |
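
The two requirement tables above (project site and PWA site) can be turned into an audit that compares exported group membership against what the rules predict and flags users who sit in a higher group than their Project Server permissions justify. This is an added example, not code from the original post or from Microsoft; the record layout, the sample users and the highest-group-first precedence are assumptions, the last one inferred from the post's remark that a user normally appears in only one group.

```python
# Added example, not from the original post. Permission and group names come
# from the two tables; the record layout and sample users are constructed.
RANK = ["Readers", "Team member", "Project Manager", "Web Administrator"]  # low -> high

# (group, predicate) pairs, highest group first. First match wins: an assumed
# precedence that reproduces the "only ONE group" behaviour the post describes.
SITE_RULES = [
    ("Web Administrator", lambda u: "Manage SharePoint Foundation" in u["global"]),
    ("Project Manager", lambda u: u.get("published")
        or "Save Project to Project Server" in u["category"]),
    ("Team member", lambda u: u.get("assigned")),
    ("Readers", lambda u: "View Project Site" in u["category"] or u.get("on_team")),
]
PWA_RULES = [
    ("Web Administrator", lambda u: "Manage SharePoint Foundation" in u["global"]),
    ("Project Manager", lambda u: "Manage Lists in Project Web App" in u["global"]),
    ("Team member", lambda u: "Contribute to Project Web App" in u["global"]),
    ("Readers", lambda u: "Log On" in u["global"]),
]

def expected_group(user, rules):
    """Return the one group the rules predict for this user, or None."""
    for group, matches in rules:
        if matches(user):
            return group
    return None

def audit(users, actual, rules):
    """Compare exported group membership with the rules; return findings."""
    findings = []
    for name, user in users.items():
        want, have = expected_group(user, rules), actual.get(name, set())
        if len(have) > 1:
            findings.append((name, "in multiple groups: " + ", ".join(sorted(have))))
        for group in sorted(have):
            if want is None or RANK.index(group) > RANK.index(want):
                findings.append((name, f"over-privileged: in {group}, rules give {want}"))
    return findings

USERS = {  # constructed sample data
    "alice": {"global": {"Log On", "Manage SharePoint Foundation"},
              "category": {"Save Project to Project Server"}, "published": True},
    "bob": {"global": {"Log On"}, "category": {"View Project Site"}, "assigned": True},
    "carol": {"global": {"Log On"}, "category": {"View Project Site"}},
}
ACTUAL_SITE = {"alice": {"Web Administrator"}, "bob": {"Team member"},
               "carol": {"Project Manager"}}

if __name__ == "__main__":
    for finding in audit(USERS, ACTUAL_SITE, SITE_RULES):
        print(finding)
```

Pass `PWA_RULES` instead of `SITE_RULES` to audit the PWA home site, whose groups are driven by global permissions only.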

 

Lastly, let's look at an example: what happens when a user who is a member of the Project Server Project Managers group is assigned the Manage SharePoint Foundation global permission? The following would occur:

  • The user would become a member of the Web Administrators Group (Microsoft Project Server).
  • The Project Sites link and the Project Site Provisioning Settings link on the Server Settings page in PWA would display.
  • The user would be able to access the Project Site Provisioning Settings page in PWA to specify how the system provisions project site workspaces.
  • The user would be able to access the Project Sites page in PWA to manage each project workspace individually.
  • The user would be able to create or delete a project site, or to specify the permissions and all settings on the current SharePoint site.

Posted in: Project Server, Reporting