The security model in Project Server can take a while to fully appreciate, the interplay of groups, categories and security templates is a fairly complex concept and can sometimes throw up unexpected anomalies. Our advice when managing and designing security protocols is to keep things as simple as possible and avoid users belonging to too many groups and whatever you do never add users to Security Categories.
So what do you do when confronted with a situation where a user is suddenly prevented from performing an action or accessing information that has previously been available to them?
In Project Server 2007 Microsoft provided a utility as part of the Project Resource Kit (PRK) that allowed an Administrator to interrogate individual user permissions called “View Effective Rights” – this tool was of great benefit in situations where specific users were experiencing challenges or anomalous permissions. As is sometimes the case with Microsoft this utility was not available for the subsequent 2010 version of Project Server.
The Utility required a degree of SQL competence to install but once in place it could shine a light on apparent anomalies on Project or Resource access permissions.
The good news is that with the 2013 release of Project Server “Check Effective Rights” has been revived and is now not only built into the solution as a matter of course but now offers enhanced interrogation of permissions as it now also covers both Category and Global permissions in addition to Project and Resource Permissions.
[ribbon_new header=”h2″ style=”light”]Accessing Check Effective Rights [/ribbon_new]To exploit this feature select a single user from the “Manage Users” grid, this enables the “Check Effective Rights” button on the ribbon at the top of the grid. Selecting more than one user results in it being disabled.
Click the “Check Effective Rights” button and you are presented with the Effective Rights page for the selected user.
The Permission Type drop down list displays “Global Permission” by default but provides three further options for interrogation.
1. Category Permission – Project
2. Category Permission – Resource
3. Category Permission – View
[ribbon_new header=”h3″ style=”light”]Global Permission [/ribbon_new]
For the Global Permission list the main body of the page displays available Global Permissions and indicates if the user has the right to perform the action – if permitted it will display the Security Group that grants the permission, the name of the group is a Hyperlink and clicking on it will display the details of the selected Security Group.
If a user belongs to more than one security group it will display duplicate permissions with the groups listed in alphabetical order.
If a user belongs to more than one security group it will display duplicate permissions with each Security Group the user is a member of being listed with the more “elevated” groups appearing first in the list.
One other point to note is that the Global Permissions list is broken down in to distinct “areas” and an area can be “collapsed” or “expanded” to make viewing information less cluttered.
[ribbon_new header=”h4″ style=”light”]Category Permission – Project [/ribbon_new]In this element you select the Permission Type first from the drop down list and then select an available Project from the drop down list secondly, this results in the security principal hierarchic list being displayed with relevant permissions listed, the associated category and if the permission is permitted. The Security Category name displayed is a hyperlink clicking on its name will display the relevant Security Category settings.
[ribbon_new header=”h5″ style=”light”]Category Permission – Resource [/ribbon_new]In this element you select the Permission Type first from the drop down list and then select a specific resource, this results in the security principal hierarchic list being displayed with relevant permissions listed, the associated security category and if the permission is permitted. The Security Category displayed is a hyperlink clicking on its name will display the relevant Security Category settings.
[ribbon_new header=”h6″ style=”light”]Category Permission – View [/ribbon_new]For this permission area you select the permission type followed by the view type. This results in a hierarchic list being displayed with permissions, the view type, associated security category and whether the view is permitted or not. Again the Security Category displayed is a hyperlink clicking on its name will display the relevant Security Category settings.
NOTE: Users should not be directly associated with Security Categories, Security Categories align to Security Groups to which users can belong.