DC440: Security (Part 2 of 2): Logons, permissions and views - how these systems work and how to manage them
Pradeep GanapathyRaj
Program Manager
Project
Microsoft Corporation
Approach
- Short introduction
- Let's set up authentication
- How does authentication work?
- Let's set some security permissions
- How does authorization work?
- What's special in 2003?
- How do you audit this?
- How do we extend this?
Short Introduction
- We depend on IIS authentication
- Permissions control access to features and data
- Project 2002/2003 security <> Windows access control
- Simplest tool for improving performance and scalability
Let's set up authentication
How does auth work?
Authentication type | Internet Explorer page | Project page | Project Data Service page
Integrated | LGNINT.ASP | LGNINTPJ.ASP | LGNINTAU.ASP
Application | LGNPS.ASP | LGNPSPJ.ASP | LGNPSAU.ASP
Basic | LGNBSC.ASP | n/a |
Authentication Data flow
Let’s set some security permissions
Scenario
[Diagram: Engineering1, Marketing1, Sales1, General Manager1; Engineering2, Marketing2, Sales2, General Manager2]
Scenario Objectives
- Resource managers can only assign/edit their own resources
- Project managers can only edit their own projects
- But both groups can see projects/resources in other organizations
- GMs can view information in their organizations
Scenario – Updated Permissions
[Diagram: Engineering1, Marketing1, Sales1, General Manager1; Engineering2, Marketing2, Sales2, General Manager2; label: R/O]
Security Objects
- Includes Projects, Resources, and Views
- Must secure collections of objects = Categories
- Can use security rules to auto-populate categories
- Project Server ships with several pre-configured categories
- Examples:
  - My Projects
  - My Resources
  - My Organization
  - External Access to Projects
  - External Access to Resources
Security Principals
- Users
- Groups
  - Each group represents a common set of permissions on a common set of objects.
  - Project Server ships with several pre-configured groups.
  - Examples: Project Managers, Resource Managers, General Managers
Permissions
- Global and Object-Level Permissions
- Three states: Allow, Deny, Not-Allowed
  - Allow permissions are ORed
  - Deny permissions are ANDed
- Can be defined in Users, Groups, or Category pages
- Examples:
  - R/W access to my projects and my resources
  - Read access to projects and resources in other groups
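The three permission states above, resolved across a user's groups, as an added example that is not Project Server code and not from the original deck. It assumes the slide means access = (any group Allows) AND (no group Denies); the data model, the permission names "read" and "write", and the "Restricted" group are hypothetical, and the sample data is constructed.

```javascript
// Added illustration, not Project Server code. State names come from the slide;
// the data model, permission names ("read", "write") and the "Restricted" group
// are assumptions made for this example.
const ALLOW = "Allow", DENY = "Deny", NOT_ALLOWED = "Not-Allowed";

// Constructed sample data modelled on the scenario slides.
const memberships = {
  pm1: ["Project Managers"],
  gm1: ["General Managers"],
  temp1: ["Project Managers", "Restricted"],
};

// grants[group][category][permission] -> state; anything absent is Not-Allowed.
const grants = {
  "Project Managers": {
    "My Projects": { read: ALLOW, write: ALLOW },
    "My Organization": { read: ALLOW },
  },
  "General Managers": { "My Organization": { read: ALLOW } },
  "Restricted": { "My Projects": { write: DENY } },
};

// Resolve one user's effective state and report which groups decided it.
// Assumed reading of the slide: access = (any group Allows) AND (no group Denies).
function effectivePermission(user, category, permission) {
  const allowedBy = [], deniedBy = [];
  for (const group of memberships[user] || []) {
    const state = grants[group]?.[category]?.[permission] ?? NOT_ALLOWED;
    if (state === ALLOW) allowedBy.push(group);
    if (state === DENY) deniedBy.push(group);
  }
  if (deniedBy.length > 0) return { state: DENY, decidedBy: deniedBy };
  if (allowedBy.length > 0) return { state: ALLOW, decidedBy: allowedBy };
  return { state: NOT_ALLOWED, decidedBy: [] }; // "least access" default
}

// Audit helper: list every category:permission pair a user can actually exercise.
function effectiveAllows(user) {
  const out = new Set();
  for (const group of memberships[user] || [])
    for (const [cat, perms] of Object.entries(grants[group] || {}))
      for (const perm of Object.keys(perms))
        if (effectivePermission(user, cat, perm).state === ALLOW) out.add(`${cat}:${perm}`);
  return [...out].sort();
}
```

The `decidedBy` list shows which group membership produced the result, which is the question an administrator asks when a single Deny in one group overrides Allows granted elsewhere.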
Resource Breakdown Structure
- Enterprise Resource Outline Code 30
- Can be used just like ANY outline code
- Leveraged by several security rules
- Useful for granting access to objects based on the reporting structure in an organization – typically to functional managers
- Scenario:
  - Use the organizational breakdown to define the look-up table for the RBS
  - Take advantage of field descriptions to reduce size of RBS
Best Practices
- Start with “least access”
- Add users to groups, Assign permissions to groups
- Limit the number of categories
- Leverage security rules whenever possible
Project 2003 Enhancements
- Active Directory Integration
  - Auto-populate Project Server security group with AD security group
  - Auto-populate users with AD security group
- New Permissions
  - Adjust Actuals, Approve Timesheets for Resources
  - Assign Resource to Team, Build Team for Project
  - Integration with External Timesheet System
  - Save Baseline
Project 2003 Enhancements
- Category Enhancements
  - RBS View Filter
  - Direct Reports security rule
Audit tool
Extensibility
- Re-use existing permissions or create your own
- Add new pages to PWA and leverage permissions
- Benefits
  - One user interface for Administrators
  - Leverage the in-the-box UI and security work
- Skills required
  - ASP/VBScript/JScript
  - SQL
Reusing an Existing Permission
- Add record for new page in MSP_WEB_SECURITY_PAGES
- Find desired global permission in MSP_WEB_SECURITY_FEATURES_ACTIONS
- Specify global permission as value for WSEC_PAGE_ACT_ID
- Add record for new menu in MSP_WEB_SECURITY_MENUS
Using Your Own Global Permission
- Add record for new permission: MSP_WEB_SECURITY_FEATURES_ACTIONS
- Add permission name into string table: MSP_WEB_CONVERSIONS
- Define SPROC for permission and add to QYLIBSTD.SQL
- Add permission into Manage Organization page: MSP_WEB_SECURITY_ORG_PERMISSIONS
- Create new page and reference new global permission
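Using Object-Level Permissions
- Use existing object-level permissions
- In ASP, create Project Server security object:
    // Server-side JScript in an ASP page; Server.CreateObject is the ASP call for creating a COM object.
    var oSec = Server.CreateObject("PjSvrSecurity.PjServerSecurity");
    // The arguments marked "elided" did not survive on the slide.
    oSec.setDBConnection(/* elided */);
    // f receives the result of the object-level permission check.
    var f = oSec.CheckSPObjectPermission(/* elided */, /* elided */, 1, /* elided */);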
Using Object-Level Permissions
- Use custom object-level permissions
- Create object-level permission in same way as global permission, except:
  - WSEC_ON_OBJECT value = 1
- In ASP, check rights by calling Project Server security object and new SPROC
Resources
- MSDN
  - Microsoft Project Server Security Architecture and Planning Guide
  - Microsoft Project Server Security Enhancements article and code samples
- TechNet
  - Customizing and Administering Microsoft Project Server
Questions?
© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.