Coordinate Project Server and Windows SharePoint Services security

Project Server 2007 did some improvement on WSS integration (If you want to know about integration between project server 2003 and WSS 2.0, please see my post:Customize WSS Role/User permission for Project Server 2003).  You may read Microsoft TechNet article about this: http://technet2.microsoft.com/Office/en-us/library/c9ca0b66-c167-4cd1-8ecf-6b311cf6976a1033.mspx?mfr=true.

 

Project Server 2007 is completed built on the top of WSS 3.0.  It will create four SharePoint groups on every project workspace:

• Web Administrator (Microsoft Office Project Server): Users who have global permission "Manage Windows SharePoint Services".
• Project Managers (Microsoft Office Project Server): Users who have category permission "Save Project to Project Server" on the project.
• Team Members  (Microsoft Office Project Server): Users who are added in project team and assigned to task.
• Readers  (Microsoft Office Project Server):  Users who have category permission "View Project Workspace" on the project OR who are added in project team but not assigned to task.

Normally user would not be in two groups at same time, except team members and readers.  User could be in team members and readers groups if users assigned to tasks and have view project workspace permission on my organization category.

 

By default, WSS security settings will change according to PWA security changes.  However, you can change the settings on the Project Workspace Provisioning Settings page to check the box "Automatically add Project Web Access users to project team Web site when SharePoint site is created or when the project manager publishes the project information to Project Server"

 

Then, what scenarios will change the WSS security?

• New user is created with "Manage Windows SharePoint Services", "Save Project to Project Server", and/or "View Project Workspace" permission.
• A existing user’s permissions have changed.  The above three permissions have been changed.
• A resource with those three permissions are activated or de-activated.
• A resource is added to project and project is published.

Since the first three scenarios may affect large number of project workspace, the best practice is to create/change those resources during non-working hours.

 

Microsoft documents that denying Logon permission and View Project Workspace will affect WSS security.  However, as I tested, I did not find denying those permission will affect WSS.

Advertisement