Security for Microsoft Project Central

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Applies to:
Microsoft Project 2000
Microsoft Project Central 2000

Summary: This article provides guidance on security planning and scheduling tools.

Introduction

Microsoft® Project Central, a Web-based companion to Microsoft Project 2000, provides project managers and team members with a powerful set of collaborative planning and scheduling tools. Microsoft Project Central takes advantage of Windows®-based intranets to provide unprecedented levels of project information to the whole project team.

Because it offers broad access to potentially sensitive information, Microsoft Project Central includes rich security features. And Microsoft Project Central uses the robust security of the Windows platform, so that you can protect the integrity of project data and prevent unauthorized viewing of or access to project information.

This overview of the Microsoft Project Central security model for administrators summarizes topics to consider when planning for project data security. (In Microsoft Project Central, an administrator has access to all project data, sets up and customizes the Microsoft Project Central site, including security settings, and sets or changes roles for other users.) While a detailed discussion of intranet/Internet security is beyond the scope of this paper, it will help you identify security issues that will require attention when you deploy Microsoft Project Central.

Microsoft Project Central relies on the enterprise network, including its Web servers, network file system, and database systems, so the security of project information depends on the security of each component and of the network as a whole.

Security in Microsoft Project Central

Access to Microsoft Project Central information requires a user account. Microsoft Project Central includes both authentication and role-based security to ensure that only authorized users are allowed access and that once they are logged in, users can only see the information and perform the actions for which they have permissions. The following sections discuss the creation of user accounts, authentication methods, and assignment of roles to specific users.

Figure 1: The Microsoft Project Central security model

Creating User Accounts

Microsoft Project Central provides several methods for creating new user accounts, including automatic account creation and the capability for users to create accounts for their peers and coworkers. By default, project managers can create new accounts for themselves and any subordinate resources. Accounts for the project manager and team members are created when the project manager sends workgroup messages for his or her resources to a Microsoft Project Central server. Users can create accounts for other users by requesting a status report or delegating a task.

To prevent the creation of unauthorized accounts, you can restrict who is allowed to create new accounts. You can disable the Account Creation options for managers and/or resources on the Security Options–Account Creation page of Microsoft Project Central.

Figure 2: You control who can create new Microsoft Project Central Accounts

Authentication

Authentication requires a user to enter a valid username and password pair before gaining access to the Microsoft Project Central pages. Microsoft Project Central supports two forms of user authentication: Windows NT® authentication, which leverages the username and password used to log on to a Windows network; and Microsoft Project Central authentication, which uses a username and password pair created specifically for access to Microsoft Project Central.

The authentication type is specified for each user account, allowing you to use a mixture of Windows NT and Microsoft Project Central authentication within a single installation. The authentication type for a user account is determined when the account is created.

If the account is created in Microsoft Project Central, you can specify the authentication type when adding or modifying a user (see Figure 3).

If the account is created automatically—for example, when a project manager sends a workgroup message to a resource—the authentication type depends on whether the property sheet for the resource (in Microsoft Project) includes a value in the Windows Account field (see Figure 4). If a Windows Account is specified for the resource, the Microsoft Project Central account is set to Windows NT Authentication, and uses the Windows username and password. If the project manager has not specified a Windows Account, then the Resource Name is used to create the Microsoft Project Central account, and the authentication type is set to Microsoft Project Central Server Authentication.

Figure 3: You can set an appropriate authentication method

Figure 4: For accounts created automatically, the authentication type depends on whether a Windows NT Account is specified for the Resource in Microsoft Project

Microsoft Project Central also provides three authentication modes at the server level. You can select or change the authentication mode on the Authentication Options page to set the authentication method used for the server as a whole, as shown in Figure 5. (Microsoft Project Central must be set to single-user mode before you can change authentication mode.)

  • Windows NT Authentication

    Windows NT Authentication provides the highest level of security. All user accounts created on the Microsoft Project Central server must have corresponding Windows user accounts, specified by the project manager when the account is created.

    Under Windows NT authentication, the Microsoft Project Central Default.asp page determines whether the user has been authenticated by Internet Information Services (IIS), confirms that the Windows user account exists in the Microsoft Project Central database, and then redirects the user to the requested Microsoft Project Central page. If the user has not been authenticated by IIS, or if the logged on account does not exist in the Microsoft Project Central database, the user is redirected to the Microsoft Project Central logon page and prompted to select a valid username.

  • Microsoft Project Central Server Authentication

    Under Microsoft Project Central Server Authentication, a user logs on using the resource name assigned by the project manager when the account was created. A password is optional, but recommended. (By default, the password field is blank.)

  • Mixed

    Mixed authentication is the default mode. In this mode, some users are authenticated using Windows NT authentication, while others are authenticated using Microsoft Project Central authentication.

Figure 5: You can set the authentication mode for the entire Microsoft Project Central server on the Authentication Options page

Microsoft Project Central User Directory

You can use the Microsoft Project Central User Directory to designate individual accounts as active or inactive, which provides additional security. This setting is controlled on the Modify User page. (See Figure 6.) Only active accounts are allowed access to Microsoft Project Central information, so you can prevent access to Microsoft Project Central information by designating an account as inactive.

Figure 6: You can set an account to Active or Inactive on the Modify User tab of the Admin/Users page

When you change the authentication mode to either Windows NT authentication or Microsoft Project Central authentication, all accounts set to use the disabled authentication mode are rendered inactive. For example, switching from Mixed or Microsoft Project Central Server authentication to Windows NT Authentication Only inactivates all accounts designated for Microsoft Project Central Server authentication. Switching back to the other authentication mode (or to mixed authentication) does not reactivate the inactivated accounts; you must reactivate the accounts manually.
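The account rules described in the Authentication and User Directory sections can be modeled in a short script to check a planned mode change before making it. This is an added example, not Microsoft code or a Project Central API: the Account class, the function names, and the sample users are assumptions constructed for illustration.

```python
from dataclasses import dataclass

NT, PC, MIXED = "Windows NT", "Project Central", "Mixed"

@dataclass
class Account:
    name: str
    auth: str           # NT or PC, fixed when the account is created
    password: str = ""  # Project Central accounts only; blank by default
    active: bool = True

def auto_create(resource_name, windows_account=None):
    """Account created automatically, e.g. when a workgroup message is sent."""
    if windows_account:                    # Windows Account field is filled in
        return Account(windows_account, NT)
    return Account(resource_name, PC)      # falls back to the Resource Name

def blank_password_accounts(accounts):
    """Active Project Central accounts that can log on with no password."""
    return [a.name for a in accounts
            if a.active and a.auth == PC and not a.password]

def affected_by_switch(accounts, new_mode):
    """Active accounts that a switch to new_mode would inactivate."""
    if new_mode == MIXED:
        return []
    return [a.name for a in accounts if a.active and a.auth != new_mode]

def switch_mode(accounts, new_mode):
    """Apply the switch. Accounts are inactivated, never reactivated."""
    hit = affected_by_switch(accounts, new_mode)
    for a in accounts:
        if a.name in hit:
            a.active = False
    return hit

def can_log_on(account, mode):
    return account.active and (mode == MIXED or account.auth == mode)

def sample_directory():
    """Constructed sample data, not taken from a real server."""
    return [
        auto_create("Kim Abercrombie", r"CORP\kima"),
        auto_create("Pat Coleman"),
        Account("Chris Gray", PC, password="example-only"),
    ]

if __name__ == "__main__":
    users = sample_directory()
    print("Blank passwords:", blank_password_accounts(users))
    print("Switch to NT-only would inactivate:", affected_by_switch(users, NT))
    switch_mode(users, NT)
    switch_mode(users, MIXED)
    print("Still inactive after switching back:",
          [a.name for a in users if not a.active])
```

Running affected_by_switch before the change gives the list of accounts that will need manual reactivation if the mode is later switched back.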

Roles: Controlling What Users Do

Microsoft Project Central uses roles to limit the functionality available to a specific user. Each user account is assigned one of three roles:

  • Administrator

    Administrators set up and customize the Microsoft Project Central site, including security settings. In addition, administrators set or change roles for other users and define categories. Administrators have access to all project data.

  • Manager

    Managers assign tasks, track hours, and define and request status reports. Managers are allowed to view specific projects, as set by the administrator.

  • Resource

    Resources include team members working on the project as well as other stakeholders, such as executives or business decision-makers. Resources can view tasks, enter work complete, and fill out status reports. By default, resources can view all projects for which they have assigned tasks. The administrator can also grant permission to view specific projects and other resources' tasks.

The administrator sets the role for a particular user when adding or modifying that user (see Figure 3). Accounts created automatically, for example, when a project manager assigns a task, are created as resources by default.

Views and Categories: Controlling What Users See

Users of Microsoft Project Central interact with project information using views—rich, customizable displays that present detailed information in many useful forms. You can define custom views to control what information is displayed and how, and create categories, which control which users have access to a specific view.

Views

Three types of views are available in Microsoft Project Central:

  • Portfolio View displays a high-level representation of predefined groups of projects.

  • Project View shows general task and status information for a specific project.

  • Assignment View enables an authorized user (such as a resource manager) to view overall resource allocation for an entire department or small enterprise, or to view the assignments for one or more resources across all their projects.

The administrator defines the views, including formatting. You also specify the views available to each user, the projects the user has access to, and the exact fields and data the user can see in each project (see Figure 7). For example, a resource may be allowed to view only her assigned tasks, tasks assigned to all resources, or tasks assigned to specific resources. By default, resources can see a portfolio of any projects for which they have been assigned a task, but only for tasks to which they are assigned as a resource. You can make other project information available, such as the status of tasks that they depend on, by setting permissions for a specific user on the User Permissions for Views page (see Figure 8).

As the Microsoft Project Central Administrator, you can create new views as you want. And Microsoft Project Central includes several predefined views you can use as-is or modify:

View name (page)          | Type       | Description
--------------------------|------------|--------------------------------------
Assignments Cost          | Project    | Displays cost information
Assignments Detail        | Project    | Displays slack time and slippage
Assignments Earned Value  | Project    | Displays earned value information
Assignments Summary       | Project    | Displays basic assignment information
Assignments Tracking      | Project    | Displays schedule vs. baseline dates
Assignments Work          | Project    | Displays work information
Resources Cost            | Project    | Displays cost information
Resources Earned Value    | Project    | Displays earned value information
Resources Summary         | Project    | Displays basic resource information
Resources Work            | Project    | Displays work information
Tasks Cost                | Project    | Displays cost information
Tasks Detail              | Project    | Displays slack time and slippage
Tasks Earned Value        | Project    | Displays earned value information
Tasks Leveling            | Project    | Displays changes made by leveling
Tasks Schedule            | Project    | Displays scheduling information
Tasks Summary             | Project    | Displays basic task information
Tasks Top-Level           | Project    | Displays top-level task information
Tasks Tracking            | Project    | Displays schedule vs. baseline dates
Tasks Work                | Project    | Displays work information
Cost                      | Portfolio  | Displays cost information
Earned Value              | Portfolio  | Displays earned value information
Summary                   | Portfolio  | Displays basic project information
Tracking                  | Portfolio  | Displays schedule vs. baseline dates
Work                      | Portfolio  | Displays work information
Summary                   | Assignment | Displays basic timesheet information

Microsoft Project Central also provides two views available to all users. They are:

  • Personal Gantt view

    Personal Gantt view presents a graphic display of all project information available to a user. Users can choose from pre-defined views and chart styles made available by the project administrator or customize their view by reordering columns, filtering for specific tasks, and sorting or grouping tasks. This view can also be modified to include activities from the user's Microsoft Outlook® Tasks list.

  • Timesheet view

    The Timesheet provides a simple interface that everyone involved in a project can use to send updated information to the project manager. From the Timesheet, a team member can update hours, task percent complete, or any editable field for the tasks displayed. As in the Personal Gantt view, tasks shown in the timesheet can be filtered and grouped, allowing team members to organize the data the way they want.

Figure 7: You can set options for new views on the Specify Views page

Figure 8: You can use the User Permissions for Views page to control the views and tasks that are visible to a specific user

Categories

To specify which views a specific team member can see, you assign the views to a category. You define a category by mapping the list of users to the list of available projects and views. For each category, you can specify the users that belong to that category, the projects those users can see, and the views with which they can look at the portfolio of projects, individual projects and resource assignment information.

Microsoft Project Central includes four predefined categories: Team Member, Project Manager, Resource Manager, and Executive. By default, all users defined as resources belong to the Team Member category, and users defined as project managers belong to the Project Manager category. By default, users in these categories can see high-level information in a portfolio view for all projects they are working on. The Project Manager and Team Member categories cannot be deleted. The Resource Manager and Executive categories do not contain any users by default. You can create additional categories as needed, and you can add users to any category manually, either in the Specify Categories page (shown in Figure 9) or in the User Permissions for Views page (shown in Figure 8).

Before specifying categories, you must set permissions to control which assignments users in a specific category can see. Until you set permissions, users can see only their own assignment data in Microsoft Project Central assignment views.

Figure 9: You can use the Specify Categories page to customize a category
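Because a category maps users to projects and views, a user who belongs to several categories can reach more than any single category suggests. The following added example (not Microsoft code) reviews which users can open cost views and through which category. It assumes that a user's access is the union of the categories they belong to; the Category class, function names, users, and project names are constructed for illustration, while the category and view names come from this article.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Category:
    name: str
    users: frozenset
    projects: frozenset
    views: frozenset

def grants(categories):
    """Yield (user, project, view, category) for every grant implied."""
    for c in categories:
        for u in sorted(c.users):
            for p in sorted(c.projects):
                for v in sorted(c.views):
                    yield u, p, v, c.name

def effective_access(user, categories):
    """(project, view) pairs a user can open; assumes categories combine as a union."""
    return {(p, v) for u, p, v, _ in grants(categories) if u == user}

def exposure(categories, sensitive_views, approved_users):
    """Unapproved users who reach a sensitive view, with the grant responsible."""
    findings = {}
    for u, p, v, cat in grants(categories):
        if v in sensitive_views and u not in approved_users:
            findings.setdefault(u, []).append((p, v, cat))
    return findings

def sample_categories():
    """Constructed membership; users and projects are illustrative only."""
    return [
        Category("Team Member", frozenset({"pat", "chris"}),
                 frozenset({"Intranet Rollout"}), frozenset({"Tasks Summary"})),
        Category("Project Manager", frozenset({"kim"}),
                 frozenset({"Intranet Rollout", "Office Move"}),
                 frozenset({"Tasks Summary", "Tasks Cost"})),
        Category("Executive", frozenset({"kim", "chris"}),
                 frozenset({"Office Move"}), frozenset({"Cost"})),
    ]

if __name__ == "__main__":
    cats = sample_categories()
    print("chris can open:", sorted(effective_access("chris", cats)))
    print("Unapproved cost access:",
          exposure(cats, {"Tasks Cost", "Cost"}, approved_users={"kim"}))
```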

Network and Intranet Security

Because Microsoft Project Central is installed on a network and accessible over an intranet, security of Microsoft Project Central information depends on the security of the network itself. Security concerns for a typical installation include the security of the network, the security of the Web server hosting the Microsoft Project Central server, and the security of the database in which project information is stored.

A complete discussion of security issues associated with each of these areas is beyond the scope of this paper. The following sections summarize issues specifically related to Microsoft Project Central.

IIS Security

Microsoft Project Central is accessible through a set of Active Server Pages (ASPs) that reside on a Web Server running Microsoft Internet Information Services (IIS). To ensure that Microsoft Project Central security features and access controls function as intended, certain IIS settings must be configured properly. Further, the IIS administrator must ensure the security of the Web server itself to prevent unauthorized access to Microsoft Project Central.

For more information on configuring IIS settings for Microsoft Project Central, please refer to the document named SVRSETUP.HTM which is included on the product CD. SVRSETUP.HTM includes detailed instructions for configuring a Microsoft Project Central server in both an intranet and Internet environment.

Note that Secure Sockets Layer (SSL) can be used only with Service Release 1 (SR-1) of Microsoft Project Central. SSL provides an additional level of security by encrypting data during transmission between the client and server. (For more information on upgrading to SR-1, visit the Microsoft Downloads Center.)

Security of Projects Stored In Files

Microsoft Project Central relies on one or more Microsoft Project files (.mpp files) on a corporate network or projects stored in a database to display the detailed information in a project view. If project information is stored in a file, the true security of that project information depends on the security of the network share in which the files reside, which may be accessed over the network without using Microsoft Project or Microsoft Project Central. Microsoft Project Central administrators should work closely with their network administrators to limit access to project files, while ensuring that files are accessible by Microsoft Project Central.

To make project files available to Microsoft Project Central, the Anonymous account for IIS must be set to be a domain account that has access to the network share where the project files are stored. Network administrators may find it convenient to create a domain account solely for use by Microsoft Project Central. Note: If the domain account password is set to expire, it must be updated manually in IIS every time the password is changed.

Security of Projects Stored in Databases

Maintaining the security of project information that is stored in a database requires not only that you protect the files from unauthorized access, but also that you take precautions to safeguard the data itself. This includes backing up your data regularly and monitoring the state of the database, as you would with any other application database. The Microsoft Project 2000 Resource Kit provides detailed discussion of administering the Microsoft Project Central database. In addition, the Resource Kit Toolbox includes SQL scripts that can be used to perform basic database administration tasks on an MSDE database.

If your organization's projects are stored in a SQL Server™, Microsoft Access, MSDE, or Oracle database (rather than an .mpp file), you can allow users to look at information through Microsoft Project Central project views without allowing access to the database itself. Doing so requires a standardized approach to saving projects to a database via a DSN.

That is, project managers should all use the same system data source name (DSN) with the same database logon ID and password. After saving their projects to the database, project managers must update the Microsoft Project Central server using the Update Project to Web Server command from within Microsoft Project 2000.

The administrator must specify a user ID and password for the DSN listed on the Data Sources for Views page in Microsoft Project Central. The administrator must next create the same-named DSN on the Microsoft Project Central server, pointing to the same database using the same user ID and password. DSNs can be created using the ODBC Data Sources Administrator program in Control Panel on the server. If an organization chooses to use multiple DSNs rather than standardizing, this process must be performed for each DSN that is used to save a project file to a database.

For More Information