Do More Than Manage
Gord Schmidt's Ideas for Doing More with Microsoft Project Server
Summary Task

Do Not Assign Categories or Permissions Directly to Users

Back in his August 19, 2004 posting, Brian Kennemer recommended limiting each Category to one specific purpose. This is great advice. The security configuration recommendation I would like to pass along is to avoid assigning Categories and/or Permissions directly to Users.

The Project Server security model allows Categories and Permissions to be assigned to both Groups and Users. It is a good idea to avoid assigning them directly to Users. Here are my three main reasons for this:

  1. Visibility
    Consider a company hiring Andy, a new Project Server Administrator. In order for Andy to get a good sense of the security configuration of Project Server, he should just refer to the perfect documentation left by the previous caretakers. But consider the alternative to this utopian reality, the undocumented system. In this case Andy is forced to review the configuration in PWA. Determining the security rights for a list of Groups is relatively straightforward. Trying to find and understand the reasoning behind exceptions defined at the individual User level is much more complex as there is no visibility; that is, no easy way to view a list of all of those exceptions.
  2. Maintenance
    People have annoying habits. They can be promoted, switch roles and departments, leave organizations and join others. As people change, organizations must try to keep the resource pool and user list for Project Server up to date. Will a Project Server Administrator remember to disable rights and functionality as appropriate? It is not obvious to the Administrator why User-assigned Permissions exist, and therefore they are hard to maintain.
  3. Testing
    This item stems from visibility as well. When your organization decides to make changes to how Project Server is secured (perhaps you wish to add a new user Group), and you want to test the new configuration in your development environment, you will need to test each user that has a Category or Permission assigned directly.
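
The visibility and maintenance problems above come down to having no single list of User-level exceptions. The following is an added example, not part of the original post or of any Microsoft tool, that audits such a list and classifies each direct assignment. The record layout, the sample names and the function audit_direct_assignments are all assumptions constructed for illustration; this is not a Project Server export format.

```python
# Added example: audit a constructed security export for direct User assignments.
# The record layout below is an assumption, not a Project Server export format.

# (principal_type, principal, kind, name) -- constructed sample data
ASSIGNMENTS = [
    ("group", "Project Managers", "category", "My Projects"),
    ("group", "Project Managers", "permission", "Save Project"),
    ("group", "Team Members", "category", "My Tasks"),
    ("user", "andy", "category", "My Projects"),        # also granted via group
    ("user", "beth", "permission", "Manage Security"),  # granted nowhere else
    ("user", "carl", "category", "My Tasks"),           # account is inactive
]
MEMBERSHIPS = {"andy": {"Project Managers"}, "beth": {"Team Members"}, "carl": set()}
ACTIVE_USERS = {"andy", "beth"}


def audit_direct_assignments(assignments, memberships, active_users):
    """Return one finding per Category/Permission assigned directly to a User."""
    # Index what each Group grants so direct grants can be compared against it.
    group_grants = {}
    for ptype, principal, kind, name in assignments:
        if ptype == "group":
            group_grants.setdefault(principal, set()).add((kind, name))

    findings = []
    for ptype, user, kind, name in assignments:
        if ptype != "user":
            continue
        via_groups = sorted(
            g for g in memberships.get(user, ())
            if (kind, name) in group_grants.get(g, ())
        )
        if user not in active_users:
            status = "stale"       # maintenance risk: rights outlived the account
        elif via_groups:
            status = "redundant"   # safe to remove, a Group already grants it
        else:
            status = "exception"   # needs a documented reason or a new Group
        findings.append({"user": user, "kind": kind, "name": name,
                         "status": status, "via_groups": via_groups})
    return findings


if __name__ == "__main__":
    for f in audit_direct_assignments(ASSIGNMENTS, MEMBERSHIPS, ACTIVE_USERS):
        print(f"{f['status']:<10} {f['user']:<6} {f['kind']:<10} {f['name']}")
```

Every "exception" row is a User that must be tested individually when the Group configuration changes; "redundant" and "stale" rows are candidates for removal.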

To ease your security testing, try the View Effective Rights tool from Microsoft. It can be downloaded from here.

View Effective Rights tool screenshot


Posted by Gord Schmidt on Monday, January 03, 2005 | Permalink | Configure | Resources