Understanding Microsoft Project Server Permissions

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Published: February 1, 2003

Microsoft Corporation

Applies to:
Microsoft Project Server 2002
Microsoft Project Professional 2002
Microsoft Project Web Access

Summary An overview of Microsoft Project Server global and object permissions that can be managed using Microsoft Project Web Access. (12 printed pages)

On This Page

Introduction
Global Permissions in Microsoft Project Web Access

Introduction

Permissions define the actions that a user can take when interacting with Microsoft® Project Server, whether from Microsoft Project Professional 2002 or through Microsoft Project Web Access.

You can allow or deny permissions to individuals or groups of Microsoft Project Web Access users by creating security templates that define sets of permissions, and then assigning permissions to users and groups based on the templates. You use categories to define which specific projects and resources these users and groups are allowed to view. You can also set permissions for Microsoft Project Web Access features to make them universally available or unavailable to the organization.

Note: You can use the PermissionCheck method in the Project Data Service (PDS) to programmatically check a user's permissions to see if he has access to a given area of Microsoft Project Server. For more information about the PDS, see the Project Data Service (PDS) Usage and Methods Reference and the PermissionCheck section of the PDS Reference on MSDN®, the Microsoft Developers Network.

Microsoft Project Web Access permissions work similarly to permissions in Microsoft Windows® 2000 and Microsoft Windows NT. Users and groups are the security principals. Categories and organizations are the security objects. You then use permissions to allow or deny security principals access to security objects. These groupings are discussed more in the following paragraphs.

The following list defines the entities that are part of the Microsoft Project Server security model:

  • Users Individual persons who are granted access to specific areas of Microsoft Project Server. Users can be assigned to Groups.

  • Groups Collections of users with the same access requirements for Microsoft Project Server.

  • Category A selection of securable objects. For example, groups of projects or resources.

  • Security Template A set of pre-defined permissions that can be used to grant access to Users, Groups, and Categories.

  • Organization The layers of projects, resources, and data that exist in a single installation of Microsoft Project Server.

  • Permissions Rules associated with a securable object that regulates access to Microsoft Project Server. There are two types of permissions: Global permissions regulate access to specific features and user activities (for example, permission to check out the enterprise global template), whereas object permissions regulate access to specific areas within the application (for example, the Project Center).

Users

Each individual user must be granted permission to view or access data in a particular area of Microsoft Project Web Access. You can grant permissions at the user level, or you can assign users to groups (recommended) and grant permission at the group level. A single user can be a member of any number of groups.

Groups

A group of users is a collection of individual users who are assigned the same permissions. You can combine individual users who have common security requirements into a single group to reduce the number of security principals to manage. Create custom groups for when you need to provide new ways to access data within your organization; for example, if your company employs contractors, you may want the contractors to have a more restrictive set of permissions than regular team members.

Use security templates in combination with groups to make it easier to set permissions. First create a new security template (ideally with the same name as the group, for example, create a security template called Contractors and then a security group with the same name), and then grant all users in the group permissions based on the new security template. Security templates are reviewed in-depth later in this article.

Note: A group cannot be part of another group.

Microsoft Project Web Access includes the following default groups:

Table 1 Microsoft Project Web Access Security Groups

Security Group

Description

Administrator

The administrators group is granted all available permissions on the Microsoft Project Server and all permissions on the My Organization category.

Executive

Users who require broad visibility of the projects and resources in an organization can be added to the Executives group. This group can view any project and any resource saved or published to the server. Administrators must manually create user accounts for executives. Only team member and project manager accounts can be created automatically. The Executives group is granted permissions on the My Organization category. The Executives group is granted global permissions to view project and resource information in the Project Center, Resource Center, Portfolio Analyzer, and Portfolio Modeler.

Portfolio Managers

Users who manage the enterprise global template and enterprise resources in an organization can be added to the Portfolio Managers group. These users have a broad ability to create and edit data but cannot perform server administrative tasks (for example, they cannot add users or groups). Portfolio Managers are able to view and edit all projects and resources in the organization. This group is granted permissions on the My Organization category.

Project Managers

Users are automatically added to the Project Managers group when a Microsoft Project Professional user publishes project to the Microsoft Project Server and when a Microsoft Project Standard or Professional user creates a project manager account from the Collaborate tab of the Options dialog box. The Project Managers group is granted permissions on the My Projects category. The Project Managers group is able to view and edit projects in the category. Project Managers are granted a number of global permissions that allow creation of new projects, status reports, and to-do lists. They are also granted limited permissions on the My Organization category.

Resource Managers

This group is used for users who do not manage projects but need limited ability to view and edit project information. This group is granted permissions on the My Projects category.

Team Leads

This group is used for users who do not manage projects but need limited ability to view and edit project information. This group is granted permissions on the My Projects category.

Team Members

As projects are published to the server, accounts are created on the server for any new resources in the project plan. By default, the server adds new resources to the Team Members group, which is granted permissions on the My Tasks category. The Team Members group is generally able to view and not edit data in the category. The Team Members account is granted a number of global permissions that allow use of the Microsoft Project Web Access timesheet, status reports, and to-do list features.

Categories

A category is a collection of projects and/or resources that a user or group is granted permission to access, whether a specific function in Microsoft Project (Publish Project Plan, for example) or a general area of Microsoft Project Web Access (View Projects, for example). Create custom categories when you have a need for providing new ways to access project and resource data. Microsoft Project Web Access includes the following default categories:

Table 2 Microsoft Project Web Access Security Groups

Security Category

Description

My Organization

The My Organization category uses security rules to contain all projects, resources, and assignments published or saved to the server.

My Projects

The My Projects category uses security rules to contain all projects that a project manager has saved or published to the server and all assignments in the projects that a project manager has saved or published to the server.

My Tasks

The My Tasks category uses security rules to contain all projects to which a team member is assigned and all of the team member's assignments.

Security Templates

A security template is simply a set of pre-defined permissions. Use security templates to simplify granting permissions to groups of users who need access to the same data. You can associate any number of individual users and groups with a single security template.

Microsoft Project Web Access includes the following default templates:

  • Administrator

  • Executive

  • Portfolio Manager

  • Project Manager

  • Resource Manager

  • Team Lead

  • Resource

Organization

An organization is a collection of projects, users, and data that exists in a single installation of Microsoft Project Server. Setting permissions at the organization level allows you to make features available or unavailable to all users of Microsoft Project Web Access or Microsoft Project Server, depending on the permission. If you allow or deny permissions at the organization level, all users within the organization are affected, regardless of the permissions set elsewhere.

Note: Only one organization can exist for each Microsoft Project Server.

Permissions

Each permission can be allowed, denied, or not allowed in Microsoft Project Web Access, as described in Table 3 below.

Table 3 Microsoft Project Web Access Permission State

Permission State

Description

Allow

Allow must be selected in order for any user or member of a group to be able to perform the actions associated with the permission.

Note: Default group permissions in Microsoft Project Web Access are set to Allow in most cases, depending on the default group. All permissions are set to Allow at the organization level.

Deny

Deny should be used carefully. If a user is denied a specific permission in Microsoft Project Web Access, that user will be denied access everywhere in Microsoft Project Server for that permission, regardless of group, template, or category.

Note: No permissions are set to Deny as a default.

Not Allowed

Not Allowed, while not strictly a permission, is a state that exists when neither Allow or Deny are selected for the same permission in the same group. If a user belongs to more than one group that has the same permission set to Allow (but not Deny) in at least one of the groups, then the user will be allowed to perform the actions associated with the permission for all groups. In other words, if a user is allowed a permission in one group or category, that user will be allowed that permission in all groups and categories that a user belongs to or is associated with.

Note: Be aware when setting permissions that the Deny setting can be very limiting because it can override allowed permissions in other areas. Using Deny as little as possible makes it easier to manage large groups of users.

Permission Scenarios

In the following scenarios, a permission is set to Allow if column A is set to 1 and a permission is set to Deny if column D is set to 1; if both columns are set to 0, then the permission is neither allowed or denied (Not Allow).

Scenario One

A user belongs to three groups: Group 1, Group 2, and Resource. Both Group 1 and Group 2 are custom groups that you have created, but you have set the permission Assign Tasks To Users to Deny for the custom groups:

Name        A   D 
---------- --- --- 
Group 1     0   1 
Group 2     0   1 
Resource    1   0 

In this case, the user is explicitly denied permission to assign tasks to users in the custom groups. This overrides the Allow permission set in the Resource group. Consequently, this user cannot assign tasks to users.

Scenario Two

A user belongs to two groups: Group 1 and Group 2. These are both custom groups that you have created, but you forgot to allow the View Timesheet permission:

Name        A   D 
---------- --- --- 
Group 1     0   0 
Group 2     0   0 

In this case, the user is neither allowed nor denied permission to view his or her timesheet. Since the user has not been explicitly allowed to view the timesheet, he or she doesn't have access to the timesheet.

Scenario Three

A user belongs to three groups: Resource, Group 1, and Group 2. Both Group 1 and Group 2 are custom groups that you have created, but you did not specify whether users belonging to the custom groups should be able to log on to Microsoft Project Server:

Name        A   D 
---------- --- --- 
Resource    1   0 
Group 1     0   0 
Group 2     0   0 

In this case, your users will still be able to log on because you didn't deny them permission to do so in any group, and they are allowed in one group.

Global Permissions in Microsoft Project Web Access

The following table lists all global permissions used in Microsoft Project Web Access, including a description of the permission itself, the database permission ID, and the names of the ASP pages that are affected by the permission.

Table 4 Global Permissions in Microsoft Project Web Access

General Permissions in Microsoft Project Web Access

General Permission

Description

ASP Pages

View Home

Allows a user to view the home page in Microsoft Project Web Access.

Home/HomePage.asp

Log On

Allows a user log on to Microsoft Project Web Access using either Microsoft Project Server or Windows NT Authentication.

 

Change Password

Allows a user to change their Microsoft Project Server password.

Home/Password.asp

Set Personal Notifications

Allows any user to subscribe to a notification or reminder.

Notifications/Self_Notifications.asp

Set Resource Notifications

Allows a manager to set a resource's notification or reminder subscription.

Notifications/Mgr_Notifications.asp

Go Offline

Allows a user to work offline.

 

Tasks Permissions

Task Permission

Description

ASP Pages

View Timesheet

Allows a user to view their Timesheet or their chart portion of the Gantt Chart view.

Tasks/TasksPage.asp

New Project Task

Allows a user to create a new task to insert into an existing project.

 

Delegate Task

Allows a user to delegate an assigned task to another (existing) user.

Tasks/TasksPage.asp?Delegation=1

Tasks/DelegatePage.asp

Tasks/RequestUpdate.asp

Hide Task from Timesheet

Allows a user to hide (remove) a task from their timesheet.

 

Transfer Calendar Entries

Allows a user to transfer calendar entries from Microsoft Outlook to Microsoft Project Server.

WebCalendar/outlook1.asp

Transfer Calendar Entries

Allows a user to transfer calendar entries from Microsoft Outlook to Microsoft Project Server.

WebCalendar/outlook1.asp

Change Work Days

Allows a user to send working time updates to their manager.

WebCalendar/outlook1.asp?GetFromUI=1

Task List Permissions

Task List Permission

Description

ASP Pages

Create and Manage To-Do List

Allows a user to create, modify, delete, or transfer ownership of a to-do list.

Tasks/NewTaskList.asp

Tasks/TaskListPage.asp

Tasks/TaskListOptions.asp

Publish To-Do List to All Users

Allows a user to make a to-do list available to all users.

 

Assign To-Do List Tasks

Allows a user to assign to-do list tasks to any user.

 

Transactions Permissions

Transactions Permission

Description

ASP Pages

Manage Task Changes

Allows a manager to accept or reject a resource's task transactions.

Transactions/TaskTransactions.asp

Transactions/TaskTransHistory.asp

Manage Calendar Changes

Allows a manager to accept or reject a resource's calendar transactions.

Transactions/CalendarTransactions.asp

Manage Rules

Allows a manager to set rules on how update transactions will be automatically processed.

Home/Rules.asp

Views Permissions

Views Permission

Description

ASP Pages

View Project View

Allows a user to view project data displayed in Microsoft Project Web Access in a similar format to how it is displayed in Microsoft Project 2002.

Views/ProjectReport.asp

View Assignments View

Allows a user to view assignment data displayed in Microsoft Project Web Access in a similar format to how it is displayed in Microsoft Project 2002.

Views/WebclientView.asp

View Project Center

Allows a user to view the Project Center in Microsoft Project Web Access.

Views/PortfolioView.asp

View Resource Center

Allows a user to view the Resource Center in Microsoft Project Web Access.

Views/ResourcesRegisterView.asp

View Portfolio Analyzer

Allows a user to view the Portfolio Analyzer (the results of online analytical processing [OLAP] and resource cube generation) in Microsoft Project Server.

Views/VisionView.asp

Views/VisionView.asp?resource=1

View Models

Allows an administrator to create, modify, open, analyze, delete, and unlock Microsoft Project Web Access models. This user must also have permission to Manage Enterprise Features.

Modeling/*.asp

View Resource Allocation

Allows a user to view resource allocation data in Microsoft Project Web Access.

Views/ResGraph.asp

Status Report Permissions

Status Report Permission

Description

ASP Pages

View Status Report List

Allows a user to view sent status reports stored in the Status Reports Archive, plus view Miscellaneous Reports to view all messages that were either forwarded to the user, were unrequested, or copied to the user.

StatusReports/MyStatusReports.asp

StatusReports/MiscStatusReports.asp

StatusReports/PastStatusReport.asp

Submit Status Report

Allows a user to respond to a status report request from their manager.

StatusReports/EnterStatusReport.asp

StatusReports/InsertTask.asp

Manage Status Report Request

Allows a user to create a status report request and view a team report.

StatusReports/TeamStatusReports.asp

StatusReports/StatusReportWizard1.asp

StatusReports/MergedStatusReport.asp

StatusReports/MultipleStatusReport.asp

Microsoft Project Server Administrator Permissions

Microsoft Project Server Administrator Permission

Description

ASP Pages

Manage Users and Groups

Allows an administrator to add new users and create groups of users, plus modify existing users and groups.

Admin/Sec_Users.asp

Admin/Sec_Users_AddModify.asp

Admin/Sec_Groups.asp

Admin/Sec_Groups_AddModify.asp

Manage Security

Allows an administrator to change Microsoft Project Server security settings, create security categories and security templates, plus specify how accounts should be created and the methods used for Microsoft Project Web Access log on.

Admin/Sec_DefineCategory.asp

Admin/Sec_EditCategory.asp

Admin/Sec_Templates.asp

Admin/EditTemplate.asp

Admin/security.asp

Admin/authenticate.asp

Manage Views

Allows an administrator to create new views or modify existing views.

Admin/views_specify.asp

Admin/views_addmodify.asp

Admin/defineviewsdsn.asp

Manage Organization

Allows an administrator to create custom centers and activities in Microsoft Project Web Access or hide default centers and activities.

Admin/sec_organizations.asp

Admin/sec_editmenu.asp

Customize Microsoft Project Web Access

Allows an administrator to add, modify, or delete links and content sections on the Microsoft Project Web Access Home page.

Admin/Timeperiod.asp

Admin/DefineGantt.asp

Admin/DefineGroups.asp

Admin/Calendar.asp

Admin/theme.asp

Admin/notification/asp

Manage Enterprise Features

Allows an administrator to enable enterprise features, specify OLAP and resource cube settings, add and edit project versions, and check-in resources and projects.

Admin/Ent_Mode.asp

Admin/cube_settings.asp

Admin/Ent_CheckIn.asp

Admin/Ent_Versions.asp

Manage Licenses

Allows an administrator to enter the current number of licensed copies available for Microsoft Project Web Access.

Admin/License.asp

Clean up Microsoft Project Server Database

Allows an administrator to delete tasks, status reports, projects, and updates from the Microsoft Project Server database.

Admin/DBCleanup.asp

Clean up Microsoft Project Server database

Allows an administrator to delete tasks, status reports, projects, and updates from the Microsoft Project Server database.

Admin/DBCleanup.asp

Manage SharePoint Team Services

Allows an administrator to create and delete SharePoint Team Services subwebs, update the list of authorized users, and maintain the servers running SharePoint Team Services.

Admin/DefaultSTSSettings.asp

Admin/ManageSTS.asp

Workgroup Permissions

Workgroup Permission

Description

ASP Pages

Publish / Update / Status

Allows a manager to assign tasks, change tasks, and request a task's status.

 

Account Creation Permissions

Account Creation Permission

Description

ASP Pages

Create Accounts from Microsoft Project

Allows a user to create new resource accounts when publishing from Microsoft Project. This permission can also be set by selecting (Allow) or clearing (Deny) the Allow managers to create accounts for themselves checkbox on the Specify how user accounts should be created in the Manage Security page in Microsoft Project Web Access.

 

Create Manager Accounts from Microsoft Project

Allows a user to create new manager accounts from Microsoft Project. This permission can also be set by selecting (Allow) or clearing (Deny) the Allow managers to create accounts for themselves checkbox on the Specify how user accounts should be created page in the Manage Security section of Microsoft Project Web Access.

 

Create Accounts when Delegating Tasks

Allows a user to create new resource accounts while delegating tasks. This permission can also be set by selecting (Allow) or clearing (Deny) the Allow resources to create accounts for other resources checkbox on the Specify how user accounts should be created page in the Manage Security section of Microsoft Project Web Access.

 

Create Accounts when Requesting Status Reports

Allows a user to create new resource accounts when requesting status reports. This permission can also be set by selecting (Allow) or clearing (Deny) the Allow managers to create accounts for themselves checkbox on the Specify how user accounts should be created page in the Manage Security section of Microsoft Project Web Access.

 

Enterprise Permissions

Enterprise Permission

Description

ASP Pages

New Project

Allows a user to add a new project to the database.

Tasks/NewTaskPage.asp?_ID=-1

New Resource

Allows a user to add a new resource to the database without importing the resource from Microsoft Project.

 

Read Enterprise Global

Allows a user to read the enterprise global.

 

Save Enterprise Global

Allows an administrator to save the enterprise global.

 

Backup Global

Allows an administrator to backup the enterprise global.

 

Read Summary Assignments

Used by Microsoft Project Professional to access the Build Team feature (click Tools, and then select Build Team from Enterprise).

 

Save Project Template

Allows a user to create and save an enterprise template to the Microsoft Project Server database.

 

Open Project Template

Allows a user open a project template.

 

Collaboration Permissions

Collaboration Permission

Description

ASP Pages

View Documents

Allows a user to view the Documents center in Microsoft Project Web Access. Users with this permission will be able to add, update, and delete documents, plus link to tasks, in all subwebs for all projects the user has permission for.

DocLib/DocLibProjView.asp

DocLib/DocLibMain.asp?ProjID=-1

DocLib/SearchDocs.asp

View Issues

Allows a user to view the Issues center in Microsoft Project Web Access. Users with this permission will be able to add and update issues, plus link to tasks and documents.

Issues/IssueMain.asp

Issues/IssueShell.asp

Issues/IssueMain.asp

Object Permissions in Microsoft Project Web Access

The following table lists all object permissions used in Microsoft Project Web Access, including a description of the permission itself and the names of the ASP pages that are affected by the permission.

Table 6 Object Permissions in Microsoft Project Web Access

Permission

Description

ASP Pages

See Projects in Project Center

Allows a user (or group of users) to view a specific project in the Project Center for a particular project..

 

See Projects in Project Views

Allows a user (or group of users) to view a specific project in Project Views for a particular project..

 

See Resource Assignments in Assignment Views

Allows a user (or group of users) to view resource assignments in the Assignment View for a particular resource.

 

View Documents and Issues

Allows a user (or group of users) to view Documents and Issues for a particular project..

 

Save Project

Allows a user (or group of users) to save a particular project.

 

Open Project

Allows a user (or group of users) to open a particular project.

 

Save Enterprise Resource Data

Allows a user (or group of users) to save enterprise resource data.

 

Edit Enterprise Resource Data

Allows a user (or group of users) to check out a specific enterprise resource.