Tuesday, February 21, 2012

Project Server 2010 Global Permissions Explained

The following list of Project Server 2010 Global Permissions has been extracted from the Project Server 2010 Administrators Guide. I have included an additional column titled ‘Piet’s Comment’ to provide some additional information on each permission listed as I often get clients who require a further explanation on some of these permission items. Let me know if you would like to extend this via the comments area and I will update the blog accordingly.

Permission
Microsoft Description
Piet’s Comment
Dependencies
Previous name, if renamed from Office Project Server 2007
New for Project Server 2010
About Microsoft Project Server
Allows a user to access the About Project Server page through Project Web App Server Settings.
This page shows the number of active Project Server users consuming a CAL license along with the number of users consuming a project professional license. These settings are purely based on the permissions configured in the PWA.
Accept Timesheets
Allows a user to accept but not approve a timesheet. An example would be where an administrative assistant would view the timesheets to make sure that there were no inaccuracies in them. When it is accepted then a manager with Approve Timesheets permission will approve the timesheets.

Users have access to the Approval Center if they have either the Accept Timesheets or the View Approvals permission.
Build Team On New Project
Allows a user to add resources to a project that has not been saved to Project Server. Grant this permission to project managers who want to use the Build Team feature in Microsoft Project Professional to staff their projects before they save (and publish) them to Project Server.
Not to be confused with the ‘Build Team On Project’ category permission.
User has to be granted the Assign Resources and View Enterprise Resource Data category permissions in order to see resources that are part of the Enterprise Resource Pool in the Build Team feature in Microsoft Project Professional.
Can be Delegate
Specifies whether a user can be a delegate.
When you set up a delegate through manage delegates the list of people seen in the drop down will depend on who has this permission allowed.
X
Change Password
Allows a user to change their Forms user account password from Project Web App. Forms-based authentication is provided through a membership provider and individual membership providers may prevent the changing of passwords. Please verify this with your membership provider if you intend to use this permission.
Only used for forms authentication. Allowing this permission for ‘normal’ windows authentication will not allow them to change their password. I have however seen some SharePoint web parts around which can allow this functionality. A bit of Bing or Google Kun-Fu will point you in the right direction.
Change Workflow
Allows a user to change a project's Enterprise Project type. (Change Project Type).
This will remove the button that allows a user to change the project type for any project they have access to. This button can be viewed from the project workflow status page of a project. Not to be confused with the ‘Change or Restart Workflows’ link under PWA>Server Settings. If you only have one enterprise project type defined then this button will not appear regardless.
X
Clean up Project Server database
Allows a user to access the Delete Enterprise Objects page available through the Server Settings page in Project Web App. Grant this permission to users who have to delete timesheets, status reports responses, projects, resources, users, and user delegates from Project Server.
This is where we allow someone to delete enterprise objects. Accessed via PWA>Server Settings>Delete Enterprise Objects. Make sure you have a good understanding of the different types of objects you can delete and the impact of what will happen when you perform a delete. Sounds like something to cover in another blog in the future.
Close Task to Updates
Allows a user to close tasks to Time Reporting. It gives access to the Close Tasks to Update Project Web App page.
Commonly used when Project Resources want to communicate time back to the Project Manager via Task Updates or Timesheets. Use this permission to allow the user or PM in this scenario to close specified tasks so the task disappears from the users view and prevents them from entering any actuals against the task from that point forward.
Contribute to Project Web App
Allows users to edit items within lists in Project Web App project sites.
The wording from Microsoft is confusing here. This pretty much means users will have edit access to the PWA level or root site. In a nutshell, they will be able to contribute list and libraries declared at the top level PWA site. Nothing to do with Project Site permissions.
Contribute to Project Web App
Edit Status Report Requests
Allows a user to access the Request a status report link on the Project Web App Status Reports center and to view team reports. Grant this permission to any member of your organization who has to create status report requests and view team reports, usually project managers, resource managers, team leads, and members of your organization’s PMO.

Edit Status Report Responses
Allows a user to access the Submit a status report link on the Status Reports center in Project Web App. Grant this permission to any user of Project Web App who must be able to submit status reports.

Log on
Allows a user to connect to Project Server from Microsoft Project Professional or to log on to Project Web App. Grant this permission to any user who is authorized to connect to Project Server from Microsoft Project Professional or log on to Project Web App.
You must have this permission to logon and view the PWA home page.

Log on to Project Server from Project Professional
Allows a user to load the Enterprise Global Template when he or she connects Microsoft Project Professional to Project Server. Grant this permission to all users in your organization who will be using Microsoft Project Professional to connect to Project Server.
You must have this permission to connect/logon to Project Server via MS Project Professional 2010.
Manage Active Directory Settings
Allows users to modify any Active Directory Synchronization settings within the Project Web App Administration. If the user is denied this permission then they cannot modify settings for any of the following:
·         Enterprise Resource Pool synchronization settings.
·         Project Web App Security Groups synchronization settings.
·         Choose an Active Directory Group to synchronize against a specific Security Group within the Add/Modify Group page.

Manage Check-Ins
Allows a user to access the Forced Check-in Enterprise Objects page in Project Web App. This page lets users force check-in projects, resources, custom fields, calendars, lookup tables and resource plans.
Note that any project owner can also manage their own project checkins by clicking on the ‘Check in My Project’ button from the Project Centre or the Project Workflow Status page. This is the page you see when you click on a project name from the project centre.
Manage Cube Building Service
Allows a user to the set and modify the settings for OLAP cube creation.
Also the spot to add/remove enterprise custom fields to the OLAP cube build process.
Manage Drivers
Allows a user to access the drivers.aspx page to create drivers for Portfolio Analysis.



X
Manage Enterprise Calendars
Allows a user to create, modify and delete Enterprise Calendars within Project Web App.
Note this feature can only be performed via a connection to MS Project Professional as the web browser does not contain a GUI to edit
Manage Enterprise Custom Fields
Allows a user to modify the definitions of Enterprise Custom Fields and lookup table from Project Web App.

Manage Exchange Integration
Allows administrators to enable the synchronization of project tasks with Exchange Server.

X
Manage Gantt Chart and Grouping Formats
Allows a user to access the Gantt chart and grouping formats customization options in the Project Server Administration page for Project Web App views.

Manage Lists in Project Web App
Allows a user to create, modify, and delete lists within the Project Web App project site. This permission is used when synchronizing a user against the Project Web App project site.
The wording from Microsoft is confusing here as it implies access to a project site. However the permission means users will have ‘designer’ access to the PWA level or root site. In a nutshell, they will be able to add and alter the definition of list and libraries declared at the top level PWA site. Nothing to do with Project Site permissions.
Manage Notification and Reminders
Allows a user to manage the Notification and Reminders settings.
This shows or hides the ‘Manage Alerts and Reminders’ link from PWA>Personal Settings area.
X
Manage My Delegates
Allows users to see the "Manage Delegates" link and to set a delegate on the "Add/Modify Delegation" page.
This shows or hides the ‘Manage Delegates’ link from PWA>Personal Settings area.
X
Manage My Resource Delegates
Allows users to set a user who requires a substitute on the Add/Modify Delegation page.

X
Manage Personal Notifications
Allows a user to access the Manage My Alerts and Reminders page in Project Web App. Grant this permission to any user that you want to be able to sign up for e-mail notifications and reminders related to tasks and status reports.
This shows or hides the ‘Manage My Alerts and Reminders’ link from PWA>Personal Settings area.
Manage Portfolio Analyses
Allows a user to create, read, update, and delete Portfolio analyses.

X
Manage Prioritizations
Allows a user to create, read, update, and delete driver prioritizations.

X
Manage Project Server Backup
Allows a user to schedule the backup or immediately back up several entities on Project Server, including the following:
·         Projects
·         The Enterprise Resource Pool
·         Calendars
·         Custom fields
·         The Enterprise Global template
·         Views
·         System settings
·         Categories
·         Group settings.
Shows the following links under PWA>Server Settings>Database Administration:
·         Daily Schedule Backup
·         Administrative Backup
Manage Project Server Restore
Allows a user to immediately restore several entities on Project Server, including the following:
·         Projects
·         The Enterprise Resource Pool
·         Calendars
·         Custom fields
·         The Enterprise Global template
·         Views
·         System settings
·         Categories
·         Group settings

Note    Similar to Server Backup except that the permission does not let you schedule a recovery.
Shows the following link under PWA>Server Settings>Database Administration:
·         Administrative Restore
Manage Project Web App Views
Allows a user to access the Manage Views page in the Server Settings page in Project Web App. Users with permission to access this page are able to add, modify, or delete Project, Project Center, Resource Center, Assignment, or Portfolio Analyzer views, and they are able to modify Timesheet views. Grant this permission to project managers, resource managers, and members of your organization’s PMO so they can create project data views for users to access in Project Web App and Microsoft Project Professional. It is important to remember that if your organization is allowing project managers to create custom fields at the project level, then each project may require its own unique view. The number of projects in this kind of environment may be too many for the IT administrator team; offloading this work to the people in your organization that work at the project level on a day-to-day basis is one way to distribute the workload of managing views.

Manage Queue
Allows the user to read or set queue configuration settings and retry, cancel, and unblock jobs in the queue.
In addition to this users often don’t realize they have the ability to view their own queued job items via PWA>Personal Settings>My Queued Jobs. Something worth mentioning during a training session.
Manage Resource Notifications
Allows a user to access the Alert me about my resources on tasks and status reports link on the Project Web App home page. Grant this permission to any resource manager or project manager you want to be able to sign up for e-mail notifications and reminders related to their resource’s tasks and status reports.
This shows or hides the ‘Manage My Resources Alerts and Reminders’ link from PWA>Personal Settings area.
Manage Rules
Allows a user to access the Rules page from the Approval Center in Project Web App and set rules on how update transactions will be automatically processed. Grant this permission to project managers, resource managers, or members of your organization’s PMO so they can define how they will automatically receive and accept changes to transactions by their resources.

Manage security
Allows a user to access the Manage security page in Project Web App to define security categories, security templates, and user authentication settings. Grant this permission to Project Server administrators or a very small and closely managed group of people. This page lets users change Project Server security settings, create security categories and security templates. Changes to settings on this page, once you have begun using Project Server in your organization, should be carefully managed and (ideally) infrequent.

Manage Server Events
Allows a user to register event handlers for specific Project Server server-side events. The Manager Server Events page requires the event handler to be registered by the server as defined in the Project Server SDK.
Pretty much an area used by a developer who needs to wire up some custom code to a Project Server event.
X
Manage Server Configuration
Allows a user to access the Project Web App Permissions page in Project Web App. Users with permission to access the Project Web App Permissions page can enable or disable enterprise features, manage organizational permissions, and create custom menus (both top-level and side-pane) in Project Web App. Grant this permission to Project Server administrators or a very small and closely managed group of people.

Manage SharePoint Foundation
Allows a user to create and delete project sites, whether or not sites are created on project publish, permission synchronization settings, and site path updates. Grant this permission to members of your organization who are administrators for Project Web App or administrators for the servers that are running SharePoint Server 2010.
Granting this permission gives the user the SharePoint equivalent to ‘full access’ to a project site. For example the user will be able to manage permissions for the site.
Users with this permission should be granted administrative privileges to all of the servers that are running Project Server 2010 and SharePoint Server 2010
Manage Windows SharePoint Services
X
Manage Site Services
Allows users or groups the ability to manage Queue Settings, Active Directory Synchronization, and Event handlers.

X
Manage Time Reporting and Financial Periods
Allows a user to create and modify Timesheet and Fiscal period definitions.

Manage Timesheet and Financial Periods
X
Manage Time Tracking
Allows a user to be forwarded timesheets for review. After reviewing the timesheet, the user will be required the following permissions:

·         Accept Timesheet
·         Approve Timesheet

Manage Users and Groups
Allows a user to access the Manage Users and Groups page in the Server Settings page in Project Web App. Users with this permission will be able to add, modify, or delete Project Server users and manage Project Server security groups. Grant this permission to members of your organization who are Project Server administrators. Only a small group of people should have permission to access this set of pages.

Manage Workflow and Project Detail Pages
Allows a user to manage and view workflow and Project Detail Pages (PDPs).
I believe this also allows the ability to access the PWA>Server Settings>Change or Restart Workflow area.
X
New Project
Allows a user to add a new project to Project Server using Microsoft Project Professional, Project Web App, or the Project Server Interface (PSI). New functionality in Project Server 2010 for this permission: If you do not also have the Open Project permission, after you create a project, you are taken back to the Project Center.

New Resource
Allows a project manager to add new resources to the Enterprise Resource Pool using Microsoft Project Professional, the Project Web App Resource Center, or the Project Server Interface (PSI). Grant this permission to any member of your organization who has to create new enterprise resources in Project Server.

Note   If your organization is using the Active Directory synchronization feature, you may want to consider denying this permission to all non-IT administrators in your organization.
Not to be confused with the AD synchronization process which automates the creation of named resources in Project Server.
New Task Assignment
Allows users to access the Create a New Task and Add Yourself to a Task links from the Insert Row button found on the Tasks page of Project Web App. Grant this permission to any member of your organization who has to create new assignments on existing tasks in projects that have been published to Project Server. Users with this permission will also be able to use the Create a New Task link to create new tasks in Project Web App for any project to which the user has access. The list of available projects for a user to create new tasks is determined by the Create New Tasks or Assignment category permission. A user who has the New Task Assignment permission must also have access to the projects to which they want to assign themselves to a task.
As the description explains this is allowing a project resource the ability to add a new task to a project whereby the user is already part of the project team (visible on the ‘resource sheet’ view). Same functionality also applies to the timesheet views.
Open Project Template
Allows a user to open an Enterprise Project Template from Project Server using Microsoft Project Professional. Grant this permission to all users in your organization who will be using Microsoft Project Professional to create and manage projects that are based on Enterprise Project Templates.
Project Server Templates can be opened from Project Professional via File>New>Project Server Templates.
User must be granted the New Project global permission in order to save the project to the Project Server database as an actual project.
Reassign Task
Allows a user to delegate an assigned task to another (existing) user. Grant this permission to members of your organization who need the ability to delegate task assignments to other resources. For example, a large project may be run by a single project manager, but actually implemented by several teams, each with their own team lead. A project manager could assign the team leads in the project plan, and then the team leads could in turn delegate each task to individual members of their teams. This example creates an additional layer of task management within the larger organization, but it can also simplify resource allocation within projects themselves and make it easier for a project manager to manage large projects. Or, if you have a resource that is about to leave on a three-week vacation, and this resource had this permission, they would be able to assign their tasks directly to other resources instead of having the project manager check out the project and reassign resources.

Save Enterprise Global
Allows a user to check out, modify, and save the Enterprise Global Template to the Project Server database from Microsoft Project Professional. This permission should only be granted to a small group of people in your organization; either project managers, members of your organization’s PMO, or Project Server administrators.
Changes to the enterprise global must be performed via an active connect to Project Server through MS Project Professional.
Save Project Template
Allows a user to create and save a project as an Enterprise Project Template from Microsoft Project Professional to the Project Server database. Grant this permission to members of your organization who are tasked with creating Enterprise Project Templates. When a user saves a project to Project Server for the first time, the option to select Template (as opposed to Project) from the Type drop-down list in the Save to Project Server dialog box is enabled.

User needs to be granted the Assign Resources and View Enterprise Resource Data category permissions in addition to this permission if they are also responsible for adding Generic resources to the Enterprise Project Template.
Save Unprotected Baseline
Allows a user to save a non-protected baseline or clear a non-protected baseline associated with an enterprise project published to the Project Server database. Baselines are saved by using the Set Baseline functionality accessed from the Microsoft Project Professional ribbon on the Project tab in the Schedule group. Click the Set Baseline button and then select Save Baseline or Clear Baseline. Unprotected Baselines are in the range of Baseline 6-10 inclusive.

User needs to be granted the Save Project category permission.
Self-Assign Team Tasks
Resources can be members of a Team Assignment Pool. With this permission, it is possible for users to assign tasks, which have been assigned to their Team Assignment Pool, to themselves through the Team Tasks page in Project Web App.

Status Broker Permission
Allows API updates to occur for a user from places like Microsoft Exchange Server.

X
View Approvals
Allows a user to view the Approval Center.

Users have access to the Approval Center if they have either the Accept Timesheets or the View Approvals permission.
View Business Intelligence Link
Allows a user to see the Business Intelligence link in Quick Launch. However, it has no impact on Report Center Security.
Literally shows or hides the BI centre link from the quick-launch menu. Use the SharePoint security model to lock this site down.
X
View OLAP Data
Allows a user to read from the output for the OLAP cube. This permission is only checked when the OLAP cube is built.
Also provides the user with the ability to make a direct connection to the Project Server OLAP cube database from an application such as MS Excel.
View Project Center
Allows users to access the Project Center from Project Web App or Microsoft Project Professional.

User needs to be granted the View Project Summary in Project Center category permission.
View Project View
Allows a user to access project views in Project Web App. Grant this permission to users who need to drill down into project details using the Project Center in Project Web App or Microsoft Project Professional.

View Project Schedule Views
Allows a user to see the link in the Quick Launch. However, it has no impact on Report Center Security.

X
View Project Timesheet Line Approvals
Allows a user to approve timesheets on a line-by-line basis.

X
View Resource Availability
Allows a user to access the View Resource Availability page to view resource allocation data in Project Web App. Grant this permission to users in your organization who need to view resource availability in Project Web App.

View Resource Center
Allows users to access the Resource Center from Project Web App or Microsoft Project Professional and view resource allocation data. Grant this permission to users who need to view the Resource Center in Project Web App by clicking the Resources link in the top-level navigation, or in Microsoft Project Professional by selecting Resource Center on the Collaborate menu.

User needs to be granted the View Enterprise Resource Data category permission.
View Resource Plan
Allows a user to access the Resource Plan page within Project Web App.
Allows the ability to create project specific resource plans. What is the purpose of this screen? Well project server basically provides you with three options on how it will calculate resource capacity for the individual project. Either using the resource plan (a high level resource related estimate), the project schedule assignments or a combination of the two whereby the users specifies using the project schedule up until a certain date and then use the resource plan from that point forward.
X
View Resource Timesheet
Allows users to view the timesheets, regardless of their state or ownership, for resources identified in the category selection criteria.

Users must be granted the Accept Timesheet global permission to use this permission.
View Task Center
This permission when denied prevents users from seeing the Task Center link on the Project Web App Quick Launch menu.

Note   This permission does not lock down access to the Task Center page.  It is still possible for users to navigate to this page.

View Team Builder
Allows a user to use Build Team in Project Web App and Microsoft Project Professional, as well as determine the list of available resources. Grant this permission to resource managers to allow them to use Build Team in Project Web App to add resources to projects that have been saved to the Project Server database. Project Managers can also use this permission to allow them to use Build Team in Microsoft Project Professional to add resources to projects.
·          
·         User needs to be granted the Assign Resources category permission in addition to the View Team Builder global permission. The Assign Resources category permission determines the list of resources available in Build Team in both Microsoft Project Professional and Project Web App.
·         User needs to be granted the Build Team on Project category permission. The Build Team on Project permission determines with which projects Build Team can be used. This applies to using Build Team in both Microsoft Project Professional and Project Web App.
View Timesheets
When this permission is denied it prevents users from seeing the Timesheet Center link on the Project Web App Quick Launch menu
Note   This permission does not lock down access to the Timesheet page. It is still possible for users to navigate to this page

View Timesheet Center
X

No comments:

Post a Comment