Basic Guidelines for Microsoft Project Server 2002 Security Deployment
Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.
Microsoft Project Server 2002
Microsoft Project Professional 2002
Summary: Learn some basic guidelines for setting up Microsoft Project Server 2002 security in your organization.
Microsoft Project Server provides flexible and scalable security for data storage and dissemination within an organization. With Microsoft Project Server, administrators can create their own groups and specify the permissions associated with those groups, and then assign the groups access to categories of information. This enables administrators to assign users who need access to the same type of data to a single group and to then assign that group to a category. The categories support defining access to both project and assignment information.
This article is part of a series of six articles about Microsoft Project Server 2002 security. You can access the other security articles from the links below:
Setting Up Server Security for Your Organization
Microsoft Project Server is configured with predefined groups and categories. These may be adequate for an organization's security needs, or the groups and categories can be customized as necessary.
Whether the predefined categories are sufficient to manage a company's security needs will depend on the size and complexity of the organization. For an organization with three levels of management (resources, project managers, senior executives; in a non-enterprise situation) where project managers and resources are only interested in their own data and senior executives are interested in all the projects on the server, the out-of-the-box security may be adequate.
For a slightly larger organization such as a department or business unit, there may be some customization required for the project manager and senior executive security settings.
For a more complex organization with multiple business units or divisions, where access needs to be limited between parts of the organization or where external parties such as clients or suppliers require access, new groups and categories will need to be created.
The administrator should initially assign new groups one-to-one with new categories. Creating a new category and group and assigning users to this new group, rather than assigning users to variations of categories, is more time consuming to set up but is much easier to administer on an ongoing basis. This will create groups such as Division X portfolio managers in large organizations. Using additional categories and groups allows the partition of large organizations into smaller workgroups.
When specifying security, there will always be a tradeoff between management overhead and how tightly security is bolted down for each user. Setting security on an individual-by-individual basis with unique functionality and customized views of the data provides the tightest and most personalized security. The tradeoff, however, is the increased amount of administration effort in setting up the security and maintaining it on an ongoing basis.
Microsoft Project Server comes with a number of predefined groups that are created during installation:
Each of these groups has predefined categories and permissions assigned to them.
Two types of users are automatically assigned to specific groups:
Users publishing Microsoft Project plans to the Microsoft Project Server are assigned to the project managers group.
Resources with assignments in the published plan are assigned to the team members group.
Each of these users has predefined categories and permissions implicitly assigned to them when the plan is published. A relationship is also implicitly created between:
A resource assignment and the resource
A resource assignment and project manager
A project and project manager
A project and resource
A project manager and resource
A resource and their functional manager
A project manager and their functional manager
These relationships are stored in the Microsoft Project Server database. This relationship hierarchy or Resource Breakdown Structure handles the resource/project manager relationship, which is then used within the categories to personalize the information displayed.
For other types of users, such as managers, the user accounts must be manually associated with a group by the administrator.
There are three predefined categories created when Microsoft Project Server is installed.
My Organization. Defines a collection of data that covers all projects with all views of the data available.
My Projects. Defines a collection of data that covers all projects a user manages or is assigned to with all views of the data available for those projects.
My Tasks. Defines a collection of data that covers all projects a user is assigned to with only a view of the assignments of those projects.
My Resources. Defines a collection of data that covers the resources reporting to a user.
Different groups have been assigned to these collections depending on the role they play in the organization and the scope of data they require.
Each of these categories has predefined groups and permissions assigned to them when Microsoft Project Server is installed:
Portfolio managers, administrators, and executives are assigned to the My Organization category.
Project managers, team leads, and resource managers are assigned to the My Projects category.
Team members are assigned to the My Tasks category.
Setup Options for Security Levels
During setup, the server can be configured at a low security level. This level of security may be sufficient for what a smaller organization requires:
Low security. Non-enterprise configurations will typically use this mode. Microsoft Project users can create project manager accounts on the server, and users are not required to be authenticated by the server. User accounts on the server are automatically created for resources within project plans when those plans are published to the server.
Note: This mode should be used when a server supports any Microsoft Project 2000 user, and it is identical to the functionality in Microsoft Project Central.
Larger organizations can choose two additional security levels during server setup.
Medium security. This setting does not require users to be authenticated by the server, but prevents Microsoft Project users from creating project manager accounts.
High security. This setting requires users to be authenticated by the server, and requires an administrator to create project manager accounts. Those customers interested in using Microsoft Project Server enterprise features are most likely to use high security. In this mode, a part-time administrator is required to create project manager accounts.
The following recommendations are a good starting point for server security deployment:
Rename the administrator account and set a password for this account.
Limit the number of users with administration rights.
Change permissions for groups rather than individual users.
If the appropriate group doesn't exist, create new groups.
Avoid assigning users to specific categories; assign groups to specific categories instead.
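The recommendations above can be checked mechanically against a listing of users, groups, and categories. The following Python check is an added example, not Microsoft code: the dictionary layout, the helper names `effective_categories` and `audit`, the default account name `Administrator`, the `max_admins` threshold, and the "Division X" category are assumptions, and the sample data is constructed.

```python
# Added example: data layout, helper names and thresholds are assumptions.
PREDEFINED = {  # group -> category, per the predefined assignments on this page
    "Portfolio managers": "My Organization", "Administrators": "My Organization",
    "Executives": "My Organization", "Project managers": "My Projects",
    "Team leads": "My Projects", "Resource managers": "My Projects",
    "Team members": "My Tasks",
}
SAMPLE = {  # constructed sample, not a Project Server export format
    "group_categories": {**{g: [c] for g, c in PREDEFINED.items()},
                         "Division X portfolio managers": ["Division X"]},
    "users": {
        "Administrator": {"groups": ["Administrators"], "password_set": False},
        "alice": {"groups": ["Project managers"], "categories": ["My Organization"]},
        "bob": {"groups": ["Team members"], "permissions": ["constructed-permission"]},
        "carol": {"groups": ["Division X portfolio managers"]},
    },
}

def effective_categories(config, user):
    """Categories a user reaches through groups, plus any direct assignments."""
    entry = config["users"][user]
    cats = set(entry.get("categories", []))
    for group in entry["groups"]:
        cats.update(config["group_categories"].get(group, []))
    return cats

def audit(config, admin_group="Administrators",
          default_admin="Administrator", max_admins=2):
    """Return (rule, subject) findings for the recommendations listed above."""
    users = config["users"]
    findings = []
    admins = sorted(u for u, e in users.items() if admin_group in e["groups"])
    if default_admin in users:                  # account was never renamed
        findings.append(("rename-admin-account", default_admin))
    for u in admins:                            # administrators need a password
        if not users[u].get("password_set", True):
            findings.append(("admin-without-password", u))
    if len(admins) > max_admins:                # limit administration rights
        findings.append(("too-many-admins", ", ".join(admins)))
    for u, e in sorted(users.items()):
        if e.get("permissions"):                # permissions belong on groups
            findings.append(("user-level-permissions", u))
        if e.get("categories"):                 # categories belong on groups
            findings.append(("user-level-category", u))
    return findings

if __name__ == "__main__":
    for rule, subject in audit(SAMPLE):
        print(f"{rule}: {subject}")
```

In the sample, alice reaches My Organization only through a direct assignment, which is the kind of per-user exception that is hard to see when reviewing group membership alone.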
The best way to define the organization's security model is to work backwards. This is done by deciding what the reporting requirements will look like, then working backwards to define the views, categories, groups, and users. Figure 1 shows this sequence for definition of security.
Having defined all the reports required, try to consolidate the various views and categories with the different groups.