Working with Permissions in Groups and Categories | Implementing Enterprise Portfolio Management with Microsoft Project Server 2002

All of the features listed in the last section are permissions that can be allowed, not allowed, or denied at the group level. An individual user inherits permissions from groups to which he or she is assigned. Once again, the rules of precedence apply when a user belongs to more than one group. A feature denied in one group disables that feature for the user across the board, regardless of permission settings in another group and so on. You control your Project Server application security environment by adding, deleting, or modifying groups and categories.

The presentation of permissions in the group management interface is divided in two, with 8 of the enterprise 57 permissions presented in the Categories section and the rest presented in a section titled “Global Permissions.” Figure 10-2 shows a portion of the Add/Modify Group interface and the line between permissions groupings. To reach this screen, select “Manage users and groups” from the Admin menu, and then select Groups Add or Modify.

click to expand
Figure 10-2. Permissions set at a group level

Two important characteristics distinguish the subset of eight permissions from the broader group. First, these specific permissions are very high level. They refer to broad-stroke functions within Project Server. All of these permissions have subordinate permissions in the second, larger set of permissions. In other words, denying permissions in the subset of eight permissions overrides some permissions that may be granted in the second, larger group. For example, the See Projects in Project Views permission, when denied, overrides the permission to View Project View in the subordinate group. Second, the high-level eight permissions are also available to set in Categories. Therefore, these can also be overridden between a group and category.

Besides setting permissions, you can manage user membership to a group and group-to-category associations through the Add/Modify Group interface, as shown in Figure 10-3. Because you set permissions primarily through group membership, the Modify Group dialog box is the place to determine who may take what specific actions in Project Server. What data users can take the action on, however, is primarily accomplished through category management. Finally, you can set a digital dashboard link for a group through group maintenance.

click to expand
Figure 10-3. You add users to groups and manage category associations through the Add/Modify Group interface.

The Project Server installation process creates seven predefined groups. You can create as many as you want. These default groups are as follows:

Administrators: By default, administrators have blanket access to everything in Project Server that isn’t disallowed by global settings.
Executives: Intended for upper-level management, this group doesn’t have the ability to open, save, or edit projects or resources. However, this group generally has view access to everything.
Portfolio Managers: This group has a superset of permissions typically granted to project managers, with some system maintenance functions enabled that are usually reserved for administrators, such as managing views and enterprise features.
Project Managers: Project managers have liberal permissions to project management functions but don’t have administrative-type access or the ability to use Analyzer output.
Resource Managers: This group has permissions tailored to maintaining resource information and managing resources but not project plans.
Team Leads: The Team Leads group is primarily used to give team members permissions that are in addition to those granted through Team Members group membership. These are largely in the form of privileges to use Project Center and assignment views.
• Team Members: This group provides the permissions necessary for resources to become active participants in project work assigned and tracked through Project Server.

Each of these groups has its own collection of permissions and category associations. The combination of category and group membership determines what data a user has access to and how the user may access the data. Tables 10-1 and 10-2 list the permissions in the order in which they appear in the “Manage users and groups” interface and contain the default values for each group.

Table 10-1: Default High-Level Permissions States for Groups
PERMISSION	ADMIN	EXEC	PORT MGR	PROJ MGR	RES MGR	T LEAD	T MEM
Edit Enterprise Resource Data	A	NA	A	NA	NA	NA	NA
Open Project	A	NA	A	A	NA	NA	NA
Save Project	A	NA	A	A	NA	NA	NA
See Enterprise Resource Data	A	A	A	A	A	NA	NA
See Projects in Project Center	A	A	A	A	A	A	A
See Projects in Project Views	A	A	A	A	NA	A	A
See Resource Assignments in Assignment Views	A	A	A	A	A	A	A
View Documents and Issues	A	A	A	A	A	A	NA

Table 10-2: Default Global Permissions States for Groups
PERMISSION	ADMIN	EXEC	PORT MGR	PROJ MGR	RES MGR	T LEAD	T MEM
Assign To-Do List Tasks	A	A	NA	A	A	A	A
Backup Global	A	NA	NA	NA	NA	NA	NA
Change Password	A	A	A	A	A	A	A
Change Work Days	A	NA	NA	NA	NA	NA	A
Clean up Microsoft Project Server database	A	NA	NA	NA	NA	NA	NA
Create Accounts from Microsoft Project	A	NA	NA	A	NA	NA	NA
Create Accounts when Delegating Tasks	A	NA	NA	A	NA	NA	NA
Create Accounts when Requesting Status Reports	A	NA	NA	A	NA	NA	NA
Create and Manage To-Do List	A	A	NA	A	A	A	A
Create Manager Accounts from Microsoft Project	A	NA	NA	A	NA	NA	NA
Customize Microsoft Project Web Access	A	NA	NA	NA	NA	NA	NA
Delegate Task	A	NA	NA	A	NA	NA	A
Go Offline	A	A	A	A	A	A	A
Hide Task from Timesheet	A	NA	NA	A	NA	NA	A
Log On	A	A	A	A	A	A	A
Manage Calendar Changes	A	NA	NA	A	NA	NA	NA
Manage enterprise features	A	NA	A	NA	NA	NA	NA
Manage licenses	A	NA	NA	NA	NA	NA	NA
Manage organization	A	NA	NA	NA	NA	NA	NA
Manage Rules	A	NA	NA	A	NA	NA	NA
Manage security	A	NA	NA	NA	NA	NA	NA
Manage SharePoint Team Services	A	NA	NA	NA	NA	NA	NA
Manage Status Report Request	A	A	NA	A	A	NA	NA
Manage Task Changes	A	NA	NA	A	NA	NA	NA
Manage users and groups	A	NA	NA	NA	NA	NA	NA
Manage views	A	NA	A	NA	NA	NA	NA
New Project	A	NA	A	A	NA	NA	NA
New Project Task	A	NA	NA	A	NA	NA	A
New Resource	A	NA	A	NA	A	NA	NA
Open Project Template	A	NA	A	A	NA	NA	NA
Publish To-Do List to All Users	A	A	NA	A	A	A	A
Publish/update/status	A	NA	A	A	NA	NA	N
Read Enterprise Global	A	NA	A	A	A	NA	NA
Read Summary Assignments	A	NA	A	A	A	NA	NA
Save Enterprise Global	A	NA	A	NA	NA	NA	NA
Save Project Template	A	NA	A	A	NA	NA	NA
Set Personal Notifications	A	A	A	A	A	A	A
Set Resource Notifications	A	A	A	A	A	A	NA
Submit Status Report	A	A	NA	A	A	NA	A
Transfer Calendar Entries	A	NA	NA	NA	NA	NA	A
View Assignments View	A	A	A	A	A	A	NA
View Documents	A	NA	A	A	A	A	A
View Home	A	A	A	A	A	A	A
View Issues	A	NA	A	A	A	A	A
View Models	A	A	A	NA	NA	NA	NA
View Portfolio Analyzer	A	A	A	NA	NA	NA	NA
View Project Center	A	A	A	A	A	NA	A
View Project View	A	A	A	A	A	NA	A
View Resource Allocation	A	A	A	NA	A	NA	NA
View Resource Center	A	A	A	NA	A	NA	NA
View Status Report List	A	A	NA	A	A	NA	A
View Timesheet	A	NA	NA	A	NA	NA	A

I use the following abbreviations in the two tables:

Admin = Administrator
Exec = Executive
Port Mgr = Portfolio Manager
Proj Mgr = Project Manager
Res Mgr = Resource Manager
T Lead = Team Lead
T Mem = Team Member
A = Allowed
D = Denied
NA = Not allowed

Project Server installs with four default categories: My Organization, My Projects, My Resources, and My Tasks. The permissions assigned to these categories and their default values are contained in Table 10-3.

Table 10-3: Default Permissions States for Categories
PERMISSION	MY ORGANIZATION	MY PROJECTS	MY RESOURCES	MY TASKS
Edit Enterprise Resource Data	A	NA	A	NA
Open Project	A	A	NA	NA
Save Project	A	A	NA	NA
See Enterprise Resource Data	A	A	A	NA
See Projects in Project Center	A	A	NA	A
See Projects in Project Views	A	A	NA	A
See Resource Assignments in Assignment Views	A	A	A	NA
View Documents and Issues	A	A	NA	A