Project Server 2013 Permission Mode

Posted By Posted by: EPM Partners on July 11, 2013

In Project Server 2013 Microsoft has introduced a new permissions Mode. This mode has been introduced to try and help simplify the management approach of permissions. Many people who haven’t dealt with the project server’s permissions matrix before struggled to understand this design. Microsoft have provided an out of the box permissions mode that masks the project server security. This functionality mightn’t seem like much but it does allow a more lightweight approach.

The SharePoint Permission Mode generates SharePoint groups that relate to the default security groups found in the Project Permission Mode. These default security groups include the following:

• Administrator
• Portfolio Managers
• Portfolio Viewers
• Project Managers
• Resource Managers
• Team Leads
• Team Members

Users that generated SharePoint groups will possess the same global and category permissions that are given to them in the Project Permission Mode in Project Server 2013.  Below is a table that compares the relevant permissions:

Comparison of Features for Security Modes in Project Server

Feature

SharePoint
Permission Mode

Project Server
Permission Mode

Unified security management through SharePoint Server

×

Permissions inheritance for PWA and Project Sites

×

Direct authorization against Active Directory security groups

×

Claims-based authorization

×

×

Manage authorization by role-based groups

×

×

Extensible and customizable

×

×

User delegation

×

Ability to secure work resources

×

Impersonation

×

Security filtering using the Resource Breakdown Structure

×

Custom Security Categories

×

 

Out of the box Project server 2013 will create all sites with this new SharePoint permissions mode. In the SharePoint Permission Mode, you cannot edit the default permissions assigned to any of these SharePoint groups. Also, you cannot create additional custom groups, categories, Resource Breakdown Structure (RBS) nodes, or edit the default permissions assigned to any of these objects.

If you need more management of your user permissions in Project Server 2013, you can change the mode to the Project Permission Mode (the same model as Project Server 2010). If you are utilising the SharePoint permissions mode you will not see the Security tab in server settings:

Security Tab

In an on-premises installation, the mode can be changed for a given instance of Project Web App by using the Set-SPProjectPermissionMode Windows PowerShell cmdlet.  Please reference http://technet.microsoft.com/en-us/library/jj219486.aspx for more information. If you are using Project Online, you can change the permissions mode by navigating to the SharePoint admin centre for your tenant and expand the Project web App menu. However switching between modes will delete all security related settings and you may have to manually configure your security permissions structure.

Whilst I was utilising the SharePoint permissions mode I found an interesting behaviour, I found that once adding the user to the relevant security group the user didn’t have access straight away. I could see the relevant user in the security group in the PWA site, however the user still saw “Let us know why you need access to this site” page.  This was a perplexing issue as it seemed like all the relevant permissions were there.

In some environments it may take some time for these settings to sync through. The reason for this is the information entered then needs to be synched across, this functionality is actually done via a timer service behind the scenes.

I did find however that you could force this synchronisation via running the following PowerShell command:

Sync-SPProjectPermissions [-Url] <Uri> [[-Type] <Full | Incremental | AdminGroup | AllGroups>] [-AssignmentCollection <SPAssignmentCollection>]

Please reference http://technet.microsoft.com/en-us/library/jj219466.aspx for further information.

Once running this command the relevant user who as provided access previously cannot log on to the relevant PWA site.


Blog Posted In Blog Posted In: How to, Project Server
Blog Posted In 

Leave a Reply

Your email address will not be published.