To be robust for multiple organizational situations, Project Server user security is complex. Security settings can be affected by multiple conditions, and managing those conditions requires much time and documentation. The security model allows for many-to-many relationships in the association of Groups, Categories, and Users. Follow these steps to reduce administrative management and the possibility of hidden conditions causing troubleshooting frustration:
When at all possible, use universal settings. Under the Admin tab, at Server Configuration, Features, is a security template used for universal Allow/Deny. All features identified here must be either allowed or denied; no features should be left blank. The Allow/Deny selection is actually a three-state selection. Allow means that the feature is active. Any permission denied in this template is denied for all users of the system: a Deny anywhere is an absolute Deny everywhere. A blank, neither Allow nor Deny, means that the decision to provide the feature to a particular user is made at another security level; this is called a soft deny. Blank features are inappropriate on the Server Configuration Features template because universal features are being selected there.
The Server Configuration Features template is the correct place to Deny unwanted functions or permissions to all users. For instance, you want to disable the Delegate Task feature because you do not allow delegation of tasks as a matter of policy. The Delegate Task permission would be set to Deny thus denying Delegate Task to all users. Review "Project Server Permissions" in Appendix C of the Microsoft Project Server 2003 Administrator's Guide to determine whether a feature is appropriate for your installation.
All permissions are set to Allow by default with the exception of Connect to Project Server Using Microsoft Project 2002, Approve Timesheet for Resources, and Timesheet Approval. For a complete 2003 installation, including Microsoft Office Project Professional 2003, the Deny for Connect to Project Server Using Microsoft Project 2002 is appropriate. If the installation is a mixed environment of Server 2003 and Professional 2002, this permission should be set to Allow. Be aware that several features of Project Server 2003 are not available in a mixed installation.
The features Approve Timesheet for Resources and Timesheet Approval are used with the managed timesheets functionality. If you do not intend to use managed timesheets, make sure that these features are set to Deny. If you choose to apply the managed timesheets feature, make sure that these features are set to Allow.
It is strongly recommended that the Account Creation permissions be set to Deny, as shown in Figure 8.3.
Figure 8.3. Account creation features should be set to Deny.
These Deny permissions restrict the creation of user accounts in the database to only those Groups that have Manage Users and Groups permissions, or Groups authorized to add resources to the Enterprise Resource Pool. Allowing the Account Creation permissions under any other conditions loosens authority over user account creation and jeopardizes resource pool and database user integrity.
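The three-state logic described above (Deny anywhere is absolute, blank defers, no Allow anywhere is a soft deny) and the checks on the universal Features template and the Account Creation permissions can be modeled as follows. This is a constructed illustration added here, not Project Server code; the level names, the feature labels in the sample data, and the lint rules are assumptions drawn from the text.

```python
# Model of the three-state Allow/Deny/blank logic described in the text.
# Constructed illustration, not Project Server code; level names are assumed.
ALLOW, DENY, BLANK = "Allow", "Deny", ""
SOFT_DENY = "Soft deny"


def resolve(levels):
    """Effective state of one feature across the levels that set it.

    `levels` maps a level name (universal Features template, each Group,
    each Category) to its setting. Per the text: Deny anywhere is an
    absolute Deny; blank defers to other levels; no Allow anywhere is a
    soft deny. Also returns the levels that decided, so the administrator
    sees which condition produced the result.
    """
    denying = [name for name, state in levels.items() if state == DENY]
    if denying:
        return DENY, denying
    allowing = [name for name, state in levels.items() if state == ALLOW]
    if allowing:
        return ALLOW, allowing
    return SOFT_DENY, []


def lint_features_template(template, must_deny=("Account Creation",)):
    """Flag blanks on the universal template (every feature must be Allow
    or Deny there) and features the text says must be Deny."""
    findings = []
    for feature, state in template.items():
        if state == BLANK:
            findings.append(f"{feature}: blank; set Allow or Deny")
        elif feature in must_deny and state != DENY:
            findings.append(f"{feature}: expected Deny, found {state}")
    return findings


# Constructed sample: Delegate Task denied by policy on the universal
# template while one of the user's Groups still allows it.
SAMPLE_LEVELS = {
    "Server Configuration Features": DENY,
    "Group: Team Members": ALLOW,
    "Group: Project Managers": BLANK,
}

# Constructed template with two mistakes the lint should catch.
SAMPLE_TEMPLATE = {
    "Delegate Task": DENY,
    "Connect to Project Server Using Microsoft Project 2002": DENY,
    "Account Creation": ALLOW,
    "Timesheet Approval": BLANK,
}
```

Running `resolve(SAMPLE_LEVELS)` reports the Deny together with the level that imposed it, which is the "hidden condition" an administrator would otherwise have to hunt for across Groups and Categories.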
It is assumed that few feature defaults will be changed; the changes you do make will come from identifying features that do not apply to your particular operation. All changes should be documented to assist the administrator with future security troubleshooting. To document your initial settings, select Print Grid below the Features window, which exports the current grid to an Excel spreadsheet, as shown in Figure 8.4.
Figure 8.4. Print Grid documents your Features settings.