Project Server 2013 permissions synchronization explained

Posted by: Peter Williams on August 23, 2016


This blog attempts to explain the synchronization of SharePoint group membership/permissions for Project Server 2013. This ONLY applies when Project Server Permissions mode is enabled.

Project Server to Project Web App Site Permission Synchronization

Note: The statements made in this section are only applicable if the “Enable Project Web App Sync” option is turned on (PWA Settings >> Manage User Sync Permissions).

Depending on the Project Server security configuration, a user is made a member of ONLY ONE of five SharePoint security groups on the Project Web App site.

SharePoint groups are:

  1. Web Administrators (Project Web App Synchronized) which has equivalent permissions to the Full Control SharePoint permission level. This means all personal, site and list permissions are granted for the SharePoint site.
  2. Project Managers (Project Web App Synchronized) which has equivalent permissions to the Design SharePoint permission level. This means a member of the group can edit lists, document libraries, and pages on the SharePoint site.
  3. Team members (Project Web App Synchronized) which has equivalent permissions to the Contribute SharePoint permission level. This means a member of the group can view pages, edit list items & documents on the SharePoint site.
  4. Readers (Project Web App Synchronized) which has equivalent permissions to the Read SharePoint permission level. This means a member of the group can view pages, list items & documents on the SharePoint site.
  5. Manage Workflow and Project Detail Pages (Project Web App Synchronized) which has equivalent permissions to the Full Control SharePoint permission level on the Project Detail Pages library.

When a user’s permissions are changed, a synchronization job will enter the Project Server queue (PWA Settings >> Manage Queue); the name of the queue job is “Synchronize Project Web App Permissions to Project Web App”. An example of changing a user’s permissions would be adding them to the default Project Server security group “Project Managers”, when previously they only belonged to the Project Server security group “Team Members”. Changing the membership of a Project Server security group can be achieved by navigating to either PWA Settings >> Manage Users or PWA Settings >> Manage Groups.

The purpose of the “Synchronize Project Web App Permissions to Project Web App” job is to alter the membership of SharePoint security groups. A Project Server security group/user is not the same as a SharePoint security group/user. Access to SharePoint sites, lists, documents, etc. is determined by the permissions granted to a SharePoint user account, either directly or by way of the account’s SharePoint group membership.

What factors determine the membership of these four SharePoint groups found on the PWA site (Cog Wheel >> Site Settings >> Site Permissions)?

| SharePoint Group | Requirements |
|---|---|
| Web Administrator (Project Web App Synchronized) | User has Manage SharePoint Foundation global permission assigned. By default, this is assigned to a member of the Project Server Administrators group. |
| Project Manager (Project Web App Synchronized) | User has Manage Lists in Project Web App global permission assigned. By default, this is assigned to a member of the Project Server Executives, Portfolio Managers or Project Managers group. |
| Team member (Project Web App Synchronized) | User has Contribute to Project Web App global permission assigned. By default, this is assigned to a member of the Project Server Team Leads, Resource Manager or Team Members group. |
| Readers (Project Web App Synchronized) | User has Log On global permission assigned. |
| Workflow and Project Detail Pages Administrators (Project Web App Synchronized) | User has Manage Workflow and Project Details Pages global permission assigned. |

Example:

  • Navigate to PWA Settings >> Manage Groups >> Click on New Group button >> Enter “Test” for name, Add a user to the group and tick the “Log On” checkbox in the Global Permissions (General) section >> Save. Ensure this user is not a member of any other group or given permissions directly.
  • Now navigate to Cog Wheel >> Site Settings >> Site Permissions >> Click on Readers (Project Web App Synchronized) group. You should see the user selected above listed as a member of this group.
  • Edit the “Test” Project Server security group. Tick the “Contribute to Project Web App” global permissions and save. The user should no longer be a member of the Reader (Project Web App Synchronized) group but instead a member of the Team Members (Project Web App Synchronized) group.
  • Edit the “Test” Project Server security group. Tick the “Manage Lists in Project Web App” global permissions and save. The user should no longer be a member of the Team Members (Project Web App Synchronized) group but instead a member of the Project Managers (Project Web App Synchronized) group.
  • Edit the “Test” Project Server security group. Tick the “Manage SharePoint Foundation” global permissions (under Admin section) and save. The user should no longer be a member of the Project Managers (Project Web App Synchronized) group but instead a member of the Web Administrators (Project Web App Synchronized) group.
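The promotion sequence in the walkthrough above can be turned into a drift check; the following Python is an added example, not code from the original post or from Microsoft. It assumes the effective global permissions and the actual group membership have already been exported into dictionaries (the sample data is constructed), spells group names as in the numbered list earlier in this section, and leaves out the fifth group because the post does not show where it ranks.

```python
SUFFIX = " (Project Web App Synchronized)"

# Highest privilege first, in the order the walkthrough above promotes the user.
PWA_RULES = [
    ("Manage SharePoint Foundation", "Web Administrators"),
    ("Manage Lists in Project Web App", "Project Managers"),
    ("Contribute to Project Web App", "Team members"),
    ("Log On", "Readers"),
]

def expected_pwa_group(global_permissions):
    """Return the one synchronized group these permissions map to, or None."""
    granted = set(global_permissions)
    for permission, group in PWA_RULES:
        if permission in granted:
            return group + SUFFIX
    return None

def audit_pwa_membership(effective_permissions, actual_membership):
    """Return (user, expected_group, actual_groups) for every mismatch."""
    findings = []
    for user in sorted(set(effective_permissions) | set(actual_membership)):
        expected = expected_pwa_group(effective_permissions.get(user, ()))
        actual = sorted(actual_membership.get(user, ()))
        if actual != ([expected] if expected else []):
            findings.append((user, expected, actual))
    return findings

# Constructed sample data: effective global permissions per user (hypothetical
# export) and the membership read from Site Settings >> Site Permissions.
SAMPLE_PERMISSIONS = {
    "alice": ["Log On", "Contribute to Project Web App",
              "Manage Lists in Project Web App"],
    "bob": ["Log On"],
    "carol": ["Log On", "Contribute to Project Web App"],
}
SAMPLE_MEMBERSHIP = {
    "alice": ["Project Managers" + SUFFIX],
    "bob": ["Web Administrators" + SUFFIX],                  # more access than granted
    "carol": ["Team members" + SUFFIX, "Readers" + SUFFIX],  # two groups at once
}

if __name__ == "__main__":
    for user, expected, actual in audit_pwa_membership(SAMPLE_PERMISSIONS,
                                                       SAMPLE_MEMBERSHIP):
        print(f"{user}: expected {expected!r}, found {actual}")
```

A mismatch where the actual group outranks the expected one is the case to investigate first, since it means SharePoint access exceeds what Project Server grants.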

But wait there is still more!!!

Project Server to Project Site Permission Synchronization

Note: The statements made in this section are only applicable if the “Enable Project Site Sync” option is turned on (PWA Settings >> Manage User Sync Permissions).

All project sites by default will have the following three and possibly four SharePoint Groups granted permissions.

  • Web Administrators (Project Web App Synchronized). NOTE: this is the exact same group discussed in the above section.
  • Xxxxxx Team members (Project Web App Synchronized) where xxxxx is the original name given to the associated Project.
  • Xxxxxx Project managers (Project Web App Synchronized) where xxxxx is the original name given to the associated Project.
  • Xxxxxx Visitors (Project Web App Synchronized) where xxxxx is the original name given to the associated Project. This may not be listed. It is only created when needed.

There will also be three other SharePoint groups that should not be used when configuring security. The following groups are used when SharePoint Permissions mode is enabled (i.e. not Project Server Permissions). Since SharePoint Permissions mode is the default mode for Project Server, the following groups exist by default.

  • Xxxxxx Members where xxxxxx is the original name given to the associated Project
  • Xxxxxx Owners where xxxxxx is the original name given to the associated Project
  • Xxxxxx Visitors where xxxxxx is the original name given to the associated Project

When the following actions occur, Project Server synchronizes/updates the memberships of these four groups on the project site. You should notice the project queue job “Synchronize Project Web App Permissions to Project Site”.

  • a project is published, or
  • a project site is synchronized (via PWA Settings >> Connect SharePoint Sites >> Synchronize), or
  • a user’s permissions are altered (via PWA Settings >> Manage Groups or Manage Users)

What factors determine the membership of these Project-Server-Created SharePoint security groups on a project site? Refer to the table below, but please note that this only applies to a project site and not the PWA home site. A user can only be a member of one of the SharePoint groups below.

| SharePoint Group | Requirements |
|---|---|
| Web Administrator (Project Web App Synchronized) | User has Manage SharePoint Foundation global permission assigned. By default, this is assigned to a member of the Project Server Administrators group. |
| Xxxxxx Project Managers (Project Web App Synchronized) | User has published the project or has the Save Project to Project Server category permission assigned. This is typically assigned to a member of the Project Server Project Managers group. |
| Xxxxxx Team Members (Project Web App Synchronized) | User has an assignment(s) on the project in Project Server. |
| Xxxxxx Visitors (Microsoft Project Server) | 1. View Project Site category permission is assigned. This is typically assigned to a member of the Project Server Team Members group. 2. Or the user is part of the project team but not assigned a task. |
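The two rules stated above for project sites (the SharePoint-permission-mode groups should not be used, and a user belongs to only one synchronized group) can be checked against an export of a site's groups; this Python is an added example, not code from the original post or from Microsoft. The project name "Apollo", the user names and the dictionary layout are constructed, and group names follow the bulleted lists above.

```python
SYNC_SUFFIX = " (Project Web App Synchronized)"
LEGACY_ROLES = ("Members", "Owners", "Visitors")  # SharePoint Permissions mode groups

def classify_group(group_name, project_name):
    """Label a project-site group: 'synchronized', 'sharepoint-mode' or 'other'."""
    if group_name.endswith(SYNC_SUFFIX):
        return "synchronized"
    if group_name in {f"{project_name} {role}" for role in LEGACY_ROLES}:
        return "sharepoint-mode"
    return "other"

def audit_project_site(project_name, site_groups):
    """Return (user, issue, groups) findings for one project site."""
    sync_groups_by_user, findings = {}, []
    for group, members in sorted(site_groups.items()):
        kind = classify_group(group, project_name)
        for user in members:
            if kind == "synchronized":
                sync_groups_by_user.setdefault(user, []).append(group)
            elif kind == "sharepoint-mode":
                findings.append(
                    (user, "member of a SharePoint-permission-mode group", [group]))
    for user, groups in sorted(sync_groups_by_user.items()):
        if len(groups) > 1:
            findings.append((user, "in more than one synchronized group", groups))
    return findings

# Constructed sample: groups and members as read from one project site.
SAMPLE_SITE = {
    "Web Administrators" + SYNC_SUFFIX: ["dana"],
    "Apollo Project managers" + SYNC_SUFFIX: ["alice"],
    "Apollo Team members" + SYNC_SUFFIX: ["alice", "bob"],
    "Apollo Members": ["erin"],   # added by hand, outside the sync job
    "Apollo Owners": [],
    "Apollo Visitors": [],
}

if __name__ == "__main__":
    for user, issue, groups in audit_project_site("Apollo", SAMPLE_SITE):
        print(f"{user}: {issue}: {groups}")
```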


Watch this space for more informative blogs.



2 thoughts on “Project Server 2013 permissions synchronization explained”

  1. Thank you!!! This is the most comprehensive treatment of this issue I have found anywhere, and the only article which not only shows the synchronization mapping from the default PWA groups to SP, but also the exact permission setting in PWA which triggers the sync. I have scoured the web, read several books, questioned IT departments and other consultants. If I may ask, how did you get to the bottom of this?
    Very helpful! Thank you.

  2. Hi Jesse,

    Glad you found the post useful!

    It was due to being asked by several clients for an explanation of permission synchronization, and since I’m a consultant, I felt I had no choice but to spend many hours figuring it out on my own.
