NetworkSystem Security

Network/System Security

When talking about EPM system security, you must consider several components of the overall EPM system related to the security.

User Authentication

Project Server 2003 can authenticate users who have a Windows user account, a Project Server user account, or both. It can be said that Windows authentication generally provides for better overall security than just Project Server authentication or mixed authentication methods.

By default, authentication for Project Server is set to Mixed, which means that both Windows and Project Server authentication methods are allowed. Users who need to access information stored on servers running WSS, Microsoft SQL Server 2000, or Analysis Service will still require Windows authentication.

You can consider the following general security guidelines when determining whether to choose Windows authentication only, Project Server authentication only, or Mixed authentication:

  • If all users accessing Project Server already have (or can have) a Windows domain account, you should configure Project Server to accept only Windows authentication. Windows authentication is the most secure, and EPM solution users will not be prompted for their usernames and passwords after the initial network logon.

  • If some users need to access Project Server from the Internet but do not have a Windows account, use Mixed authentication and consider setting up unique sets of roles, permissions, and categories to separate internal access users from external access users.

  • Determine whether project managers will be allowed to create resources in Project Server as they publish projects and assignments to the Project Server database. If project managers are allowed to create their own resources, although this is not recommended, they should use Windows authentication for all resources that have a Windows user account.

  • If your organization is using WSS, you should support Windows authentication for users who need to access the documents, risks, and issues features. Use of WSS-based features requires Windows accounts.

Implementing Secure Sockets Layer (SSL)

You can configure SSL security features on your web server to encrypt network transmissions between PWA clients and your Project Server 2003. The SSL encryption helps to ensure the integrity of your data transmission and to verify the identity of your PWA users.

Consider implementing SSL for your extranet users who access your Project Server 2003 from outside your corporate intranet. SSL may not be needed for your corporate intranet users.


For more technical details about implementation of SSL, review information available at the following Microsoft website:

For more details on extranet scenarios, also review the Microsoft Project Server 2003 Configuration Planning Guide, Chapter 4, "Identifying Environmental Factors," available from

When you implement SSL as part of your EPM solution for your extranet users, you create a performance impact (10% to 15%) on the CPU of your Project Server computer. The Project Server machine CPU has to handle encrypting and decrypting of all communication traffic between your extranet users and Project Server machine. To alleviate this performance impact, you may consider using a special hardware accelerator card to offload intensive cryptographic operations from the host CPU to a dedicated processor on the card itself.

Project Server 2003 Security Model

The Project Server 2003 security is modeled on Microsoft Windows Active Directory security concepts, which is based on granting users and user groups access to objects and principals. There are similarities, but there are also differences in the way user groups are defined and used in Microsoft Windows Active Directory and Project Server 2003.

Security features in Project Server are designed to control and manage access to enterprise projects, resources, models, and reports and views stored in the Project Server database, as well as features available in Project Professional and PWA.

Project Server 2003 security architecture makes it easier to manage many EPM solution users and projects by allowing permissions to be assigned to groups of users and unique project and resource data categories, reducing the user and security permissions administrative load.

What a user can ultimately see in terms of enterprise data content and what he can do in terms of performing actions or manipulating that enterprise project and resource data are determined by the relationship between the user, the Project Server permissions at the organizational level, the individual permissions the user has or the groups to which he belongs, the data categories to which he is assigned, and the views of data defined within those data categories.

As you can imagine, based on the preceding short description of the Project Server security model, this security model can be complex.

Because the things a user needs to see and do usually depend on the role she plays within an organization, it makes sense to define groups, security permission templates, and data categories in terms of the job role she performs within the corporate environment.

Some users have implied roles; for example, users who publish project plans to Project Server are usually project managers. User groups should be defined in terms of the jobs or roles they carry outfor example, team members, project managers, executives, and those who have similar permissions assigned to them. These roles would then map to the different enterprise data categories, depending on the role's information and software features needs. For example, project team members usually need access only to their tasks, and, therefore, it makes sense to assign them to a My Tasks data category.


This approach to security is reflected in the default predefined user groups, security templates, and data categories created when Project Server is installed.

The following are elements of the Project Server security model:

  • A group is a collection of users who have similar information and functionality needs. These users are usually aligned with the type of roles played within an organization.

    Users can belong to multiple groups depending on the type of work they perform in your organization. Groups are security principals.

  • Permissions are rules that determine the actions a user can perform while using Project Server. Global permissions provide rights over functionality within the instance of Project Server. Object permissions are associated with data categories. These permissions give users and groups rights to perform actions on objects associated with a data category. Permissions can be applied to a server (or organization), group, category, or an individual user. This means that the user's actual final permissions will consist of the combination of all permissions the server has, the groups the user belongs to, categories the user has access to, as well as permissions granted directly to the user.

  • Categories are the collections of projects, resources, assignments, views, and models to which users and groups in Project Server are granted access. Categories define the scope of the information accessed, providing multiple types of access to data for groups of users.

  • Views are sets of data fields that can be displayed for the collections of projects, assignments, and resources in a data category. Views also define the format of the displayfor example, the columns displayed, a grouping style, or a filter.

The Project Server 2003 security model can be used effectively in many different ways. For example, it can

  • Protect confidential data from other users

  • Secure data from malicious or accidental damage

  • Provide data depending on the information needs and functionality requirements of the user or user group

  • Enforce project management processes discipline within the organization

PAGE 143.

By now, you should have a good idea about what needs to be done to ensure a successful EPM solution implementation. You already went through an extensive planning phase, defined your EPM solution scope, identified your business processes, and developed your business requirements. You also should understand all the EPM solution architecture components, the way these components fit together, and the options you have when designing a comprehensive, reliable, and scalable EPM system.

    QuantumPM - Microsoft Office Project Server 2003 Unleashed
    Microsoft Office Project Server 2003 Unleashed
    ISBN: 0672327430
    EAN: 2147483647
    Year: 2005
    Pages: 227
    Authors: QuantumPM LLC © 2008-2017.
    If you may any questions please contact us: