The security model in Microsoft Project Online can take a while to fully appreciate, the interplay of groups, categories and security templates is a fairly complex concept and can sometimes throw up unexpected anomalies. Our advice when managing and designing security protocols is to keep things as simple as possible and avoid users belonging to too many groups.

So, what do you do when confronted with a situation where a user is suddenly prevented from performing an action or accessing information that has previously been available to them?

The good news is that within the PWA Settings of Project Online there is a built-in feature called Check Effective Rights. This feature offers an interrogation of permissions, covering both Category and Global permissions in addition to Project and Resource Permissions.

To access Check Effective Rights, navigate to the Manage Users setting, select a user from the grid and select the Check Effective Rights button on the ribbon at the top.
Note: selecting more than one user is not enabled.

Manage users setting in Project Online screenshot

When you click the Check Effective Rights button you are presented with the Effective Rights page for the selected user.

There are two types of permissions in Project Online:

  • Global Permissions grant users and groups the ability to perform actions throughout an instance of Project Web App. Global Permissions are assigned on a user or group level.
  • Category Permissions grant users and groups the ability to perform actions on specific projects and resources. Category Permissions are assigned on a category level.

The Permission Type drop-down list displays Global Permission by default but provides three further options for interrogation:

  1. Category Permission – Project
  2. Category Permission – Resource
  3. Category Permission – View

Global Permissions

For the Global Permission list, the main body of the page displays available Global Permissions and indicates if the user has the right to perform the action – if permitted it will display the Security Group that grants the permission. The name of the group is a hyperlink and clicking on it will display the details of the selected Security Group.

Global permissions in Project Online

A Project Online user can be a member of multiple Groups if they wear different hats within the organisation. For example, for one project a user may be participating as a Team Member, and on another project, that same user may be the Project Manager.

If a user belongs to more than one security group, it will display duplicate permissions with the groups listed in alphabetical order.

Permissions groups in Project Online

One other point to note is that the Global Permissions list is broken down into distinct areas and an area can be collapsed or expanded to make viewing information less cluttered.

Global permissions list with security principle name in Project Online

Category Permission – Project

For the ‘Project’ Category Permission, you must first select the Permission Type and then select a project available from the drop-down list. This will then display what the selected user can access for that specific project.

The Security Category name displayed is a hyperlink. Clicking on the name will display the relevant Security Category settings.

Security category name in Project Online

Category Permission – Resource

For the ‘Resource’ Category Permission, you must first select the Permission Type and then select a resource available from the drop-down list. This will then display what the selected user can access for that specific resource.

For example, from the list of category permissions available, the user is only able to View Enterprise Resource Data and View Resource Assignments for the selected resource.

The Security Category name displayed is a hyperlink. Clicking on the name will display the relevant Security Category settings.

Security category settings in Project Online

Category Permission – View

For the ‘View’ Category Permission, you must first select the Permission Type and then select a View Type from the drop-down list. This will then display the different views available, the associated security category and whether the view is permitted or not to the selected user.

Again, the Security Category name displayed is a hyperlink. Clicking on the name will display the relevant Security Category settings.

Security category name in Project Online

NOTE: Users should not be directly associated with Security Categories.
Security Categories align to Security Groups to which users can belong.