Adjust or create security templates for each of the roles identified. It is important that there be a security template for each role. This eliminates the possibility of redundant permission entries at other stages of security design. There are several opportunities to affect permissions in different steps of the security process. By allowing one security template per role and only managing the security template for permissions, redundancy and hidden assignments are eliminated.
Security templates are the best place to manage role-based security. Later in this chapter, you will see multiple places to select permissions for an individual user, Group, Category, or system feature. Applying permissions at any or all of these locations makes troubleshooting security impossible. Both Groups and Categories have a Set Permissions with Template button to copy permissions from the template to the Group or Category. By maintaining permissions at the security template, there is only one place to manage permissions and then distribute them to the correct Group or Category as necessary.
Creating Security Templates
Security templates are created by selecting Admin, Manage Security, Security Templates, and then Add Template. To create a security template, perform the following steps:
There is no harm in modifying the current templates or adding additional templates. Templates should be named with a unique name so that the distinction is obvious long after this exercise is complete (for example, Organization Project Manager, Project Manager See All Projects, Division Executive, and so on). These distinctions will come in handy later when you define the Groups. Templates and Groups should be named the same, and that name should identify the role you want a person to assume when assigned to a proper Group. This naming is not trivial because it will help you troubleshoot later why a Group or person has a particular security model.
After you have chosen the template names by adding or modifying templates, open each template and select the permissions that role possesses. In the template, select both use and data permissions. Review "Project Server Permissions" in Appendix C and "Default Settings" in Appendix D of the Microsoft Project Server 2003 Administrator's Guide to determine whether a feature is appropriate for this role.
Because some features have been turned off at the features level, you must decide how to note this in the templates. In the previous discussion of Allow/Deny, remember that a blank state means "not decided here." Therefore, it is suggested that you leave blank every template selection for a feature that has been turned off at the features level, signifying that the selection has been decided at a different security level. Because the only level above templates is features, a blank selection in a template tells you that the feature has been turned off at the system level. This is not a requirement, but it will help you troubleshoot security model problems well into the future.
Do not select Deny in the template. Because Deny is absolute, it is better to have the Allow/Deny selection blank, creating a soft Deny (see Figure 8.6). It is possible for a user to be placed in more than one Group. A Deny anywhere would be a Deny everywhere for that user, causing troubleshooting problems. Deny is best used only at the Select Features level, turning off a permission for everyone.
Figure 8.6. Template selection blanks used for denied features.
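The Allow/Deny/blank behavior described above can be modeled in a few lines to show why an explicit Deny in one template follows a user into every other Group. This is an added example, not code from the book or from Project Server: the resolution rule is a simplified model of what the text states, and the permission names, sample templates, and both functions are constructed for illustration.

```python
# Simplified model of Allow / Deny / blank resolution (added illustration,
# not Project Server's own logic). Groups are assumed to carry exactly the
# permissions copied from the template of the same name.
ALLOW, DENY, BLANK = "allow", "deny", None

def effective(permission, user_groups, group_perms, feature_denied=frozenset()):
    """Resolve one permission for a user who belongs to several Groups."""
    if permission in feature_denied:
        return False                      # turned off for everyone at the features level
    states = [group_perms[g].get(permission, BLANK) for g in user_groups]
    if DENY in states:
        return False                      # Deny anywhere is Deny everywhere
    return ALLOW in states                # all blank -> soft Deny

def audit_templates(templates, feature_denied=frozenset()):
    """List template entries that break the conventions in this section."""
    findings = []
    for name, perms in sorted(templates.items()):
        for perm, state in sorted(perms.items()):
            if state == DENY:
                findings.append((name, perm, "explicit Deny; leave blank instead"))
            elif state == ALLOW and perm in feature_denied:
                findings.append((name, perm, "feature is off at features level; leave blank"))
    return findings

# Constructed sample data: permission names are placeholders, not a real list.
FEATURE_DENIED = frozenset({"Delegate Task"})
TEMPLATES = {
    "Project Manager See All Projects": {"Open Project": ALLOW, "Save Project": ALLOW},
    "Division Executive": {"Open Project": ALLOW, "Save Project": DENY,
                           "Delegate Task": ALLOW},
}
# Same templates after following the advice: Deny and dead features left blank.
FIXED = {
    "Project Manager See All Projects": {"Open Project": ALLOW, "Save Project": ALLOW},
    "Division Executive": {"Open Project": ALLOW, "Save Project": BLANK,
                           "Delegate Task": BLANK},
}

if __name__ == "__main__":
    both = ["Project Manager See All Projects", "Division Executive"]
    print("with Deny :", effective("Save Project", both, TEMPLATES, FEATURE_DENIED))
    print("with blank:", effective("Save Project", both, FIXED, FEATURE_DENIED))
    for finding in audit_templates(TEMPLATES, FEATURE_DENIED):
        print(finding)
```

With the blank selection, a user who is only in Division Executive still cannot save projects (soft Deny), but a user who is also a project manager keeps the permission granted by the other Group.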
Because the templates contain both use and data permissions, take your time to analyze and discuss each selection in light of the role this template represents. Both the Group and Category selections have a Set Permissions with Template button that assigns the template permissions to the appropriate Group and/or Category. Because the Template permissions are transferred to the Group and Category, the template is the best place to define the permissions a role needs to be a successful user in Project Server. Because of this association between Templates, Groups, and Categories, Templates are the best place to manage role-based security.