When talking about EPM system security, you must consider several components of the overall EPM system related to the security.
Project Server 2003 can authenticate users who have a Windows user account, a Project Server user account, or both. It can be said that Windows authentication generally provides for better overall security than just Project Server authentication or mixed authentication methods.
By default, authentication for Project Server is set to Mixed, which means that both Windows and Project Server authentication methods are allowed. Users who need to access information stored on servers running WSS, Microsoft SQL Server 2000, or Analysis Service will still require Windows authentication.
You can consider the following general security guidelines when determining whether to choose Windows authentication only, Project Server authentication only, or Mixed authentication:
Implementing Secure Sockets Layer (SSL)
You can configure SSL security features on your web server to encrypt network transmissions between PWA clients and your Project Server 2003. The SSL encryption helps to ensure the integrity of your data transmission and to verify the identity of your PWA users.
Consider implementing SSL for your extranet users who access your Project Server 2003 from outside your corporate intranet. SSL may not be needed for your corporate intranet users.
For more technical details about implementation of SSL, review information available at the following Microsoft website: http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/all/deployguide/en-us/iisdg_sec_puzm.asp.
For more details on extranet scenarios, also review the Microsoft Project Server 2003 Configuration Planning Guide, Chapter 4, "Identifying Environmental Factors," available from http://www.microsoft.com/technet/prodtechnol/office/proj2003/reskit/servcfpl.mspx.
When you implement SSL as part of your EPM solution for your extranet users, you create a performance impact (10% to 15%) on the CPU of your Project Server computer. The Project Server machine CPU has to handle encrypting and decrypting of all communication traffic between your extranet users and Project Server machine. To alleviate this performance impact, you may consider using a special hardware accelerator card to offload intensive cryptographic operations from the host CPU to a dedicated processor on the card itself.
Project Server 2003 Security Model
The Project Server 2003 security is modeled on Microsoft Windows Active Directory security concepts, which is based on granting users and user groups access to objects and principals. There are similarities, but there are also differences in the way user groups are defined and used in Microsoft Windows Active Directory and Project Server 2003.
Security features in Project Server are designed to control and manage access to enterprise projects, resources, models, and reports and views stored in the Project Server database, as well as features available in Project Professional and PWA.
Project Server 2003 security architecture makes it easier to manage many EPM solution users and projects by allowing permissions to be assigned to groups of users and unique project and resource data categories, reducing the user and security permissions administrative load.
What a user can ultimately see in terms of enterprise data content and what he can do in terms of performing actions or manipulating that enterprise project and resource data are determined by the relationship between the user, the Project Server permissions at the organizational level, the individual permissions the user has or the groups to which he belongs, the data categories to which he is assigned, and the views of data defined within those data categories.
As you can imagine, based on the preceding short description of the Project Server security model, this security model can be complex.
Because the things a user needs to see and do usually depend on the role she plays within an organization, it makes sense to define groups, security permission templates, and data categories in terms of the job role she performs within the corporate environment.
Some users have implied roles; for example, users who publish project plans to Project Server are usually project managers. User groups should be defined in terms of the jobs or roles they carry outfor example, team members, project managers, executives, and those who have similar permissions assigned to them. These roles would then map to the different enterprise data categories, depending on the role's information and software features needs. For example, project team members usually need access only to their tasks, and, therefore, it makes sense to assign them to a My Tasks data category.
This approach to security is reflected in the default predefined user groups, security templates, and data categories created when Project Server is installed.
The following are elements of the Project Server security model:
The Project Server 2003 security model can be used effectively in many different ways. For example, it can
By now, you should have a good idea about what needs to be done to ensure a successful EPM solution implementation. You already went through an extensive planning phase, defined your EPM solution scope, identified your business processes, and developed your business requirements. You also should understand all the EPM solution architecture components, the way these components fit together, and the options you have when designing a comprehensive, reliable, and scalable EPM system.