Sensei Blog & News

The blog about Microsoft productivity, project and portfolio management and business insights solutions.

Subscribe

Managing Project Web App Site Permissions in Project Online and Project Server 2013 

By Terry Kneeburg, Sensei Project Solutions

Introduction

Imagine that you arrive at work and decide to connect to your Project Web App (PWA) to check the status of your projects.  When you open PWA, everything is pink!  It wasn’t like this yesterday, so what happened?

intro1

In the example above, a very creative project manager decided to “Change the look” of PWA, not realizing that this change impacted all users.  By default, members of the Project Managers group have powerful permissions to customize the PWA site.  In our experience, most organizations do not want to grant these rights to any users who are not application administrators.  This article describes a technique for implementing these security settings for the case where Project Server Permissions mode is deployed.  This technique is applicable to both Project Online and on-premise Project Server 2013.

Goal

The objective is to ensure that all PWA users, with the exception of PWA administrators, have no design permissions to the PWA site.

PWA Permissions Changes for Project Online and Project Server 2013

In Project Server 2010, the default permissions for Project Managers allowed powerful editing rights to the PWA site, just as in Project Online/Project Server 2013.  The difference is that in 2010 the administrator could change the permission level for the Project Managers group, and the permissions would not change subsequently.  In the newer versions, the selection of Project Server Permissions mode enables a feature called “Project Web App Sync”.  By default, this feature is enabled and synchronizes members of Project Server security groups with the corresponding SharePoint groups.  As one may see in the view below, there is a SharePoint group called “Project Managers (Project Web App Synchronized)” that has permission level “Project Managers (Microsoft Project Web App)”.  The Project Web App Sync function in Project Online and Project Server 2013 has the effect of automatically adding users to this SharePoint group when they are added to the Project Server “Project Managers” security group through Server Settings => Manage Groups.  The upside of this feature is that the administrator does not have to manually add users to the SharePoint group so that they can access PWA.  The downside is that even if you alter the permissions, they will revert back to the defaults.

pwapermissions

Default Group Permissions

Let’s have a look at the default Project Managers (Project Web App Synchronized) permissions for the PWA site collection.  We should also be aware that, by default, the Business Intelligence Center inherits permissions from the PWA site.  Navigate to PWA, then click on the Settings (Gear) icon and select Site settings.

permissions1

In the ribbon, select Permission Levels.

permissions2

Click on Project Managers (Microsoft Project Web App) to view this permission level.

permissions3

Note that by default members have Site Permissions such as Manage Permissions, Add and Customize Pages, Apply Themes and Borders, Apply Style Sheets, and Create Groups.  Also, all List Permissions are enabled, including Delete Items.
permissions4

permissions5

Solution

To ensure that “creative” project managers don’t inadvertently wreak havoc in PWA, we need to create a new SharePoint group with more benign permissions.  We will then add PWA users to this new group, and remove them from the old ones.

Create New Permission Level and Group

Best practice is to leave the out of the box groups and permission levels intact.  We will create a new permission level by copying one that is close to the desired result.  In this case, I will copy the permission level Contribute, but I will uncheck two List Permissions: Delete Items and Delete Versions.

From the Permissions Levels page click on the Contribute permission level.  Scroll to the bottom of the page and click Copy Permission Level.

newpermission

Enter the Name and Description for the new Permission Level, disable (uncheck) Delete Items and Delete Versions, and then Save.

newpermission2

 

Next, create a SharePoint group and apply the new permission level to it.  From the Site Settings | Site Permissions page, click on Create Group.

sharepointgroup

Fill in the Name and About Me (Description), then scroll to the bottom and check the permission level you just created.  Save the changes.

creategroup creategroup2

Disable Project Web App Sync

By default, adding a user to a Project Server security group, such as Project Managers, will also add them to the corresponding SharePoint group on the PWA site.  To prevent this automatic synchronization we must disable it.  This function may be accessed through PWA Server Settings, in the Security section.  Uncheck the box next to Enable Project Web App Sync and save.  I don’t advocate disabling the Project Site Sync process, as this would require manually managing permissions on all project sites.

projectwebappsync projectwebappsync2

Modify Group Membership

The last step is to update the SharePoint group membership.  First, add all PWA users to the newly created SharePoint group.  The most efficient way to do this is by utilizing an Active Directory (AD) group that contains all the users who need PWA access.  Add this AD group to the PWA SharePoint group.

modifygroupmembership modifygroupmembership2

 

After you have added all the users (your AD group) to the new SharePoint group, you should remove all users from the SharePoint groups Project Mangers (Project Web App Synchronized) and Team Members (Project Web App Synchronized).

Conclusion and Recommendation

Utilizing the techniques described in this article will provide greater control over your PWA user permissions and ensure that your PWA site theme does not change unexpectedly!  Note that PWA security now has two components to manage: SharePoint and Project Server.  As an administrator you must make sure that your PWA users are assigned to both the correct Project Server security group and the correct SharePoint security group.  As with any security change such as this one, it is best practice to perform validation in a non-production environment first.  The advantages and disadvantages of the Project Web App Sync are summarized in the table below.

Advantages Disadvantages
Project Web App Sync Enabled Ease of use Permissions may be less than desired.
Project Web App Sync Disabled Permissions may be finely tuned Need to manage two sets of groups: SharePoint and Project Server.

 

About Sensei Project Solutions
Sensei Project Solutions is a Gold certified Microsoft Partner specializing in Project and Portfolio Management (PPM) deployments with Microsoft Project, Project Server and Project Online.  With extensive experience on hundreds of PPM deployments and with thousands of users trained, Sensei Project Solutions brings a process-focused approach; and support for industry standards and best practices to all engagements. We offer a complete set of services to help an organization make their Microsoft PPM deployment successful, including full implementation and support services, training as well as pre-configured solutions, report packs and Apps.

 

About Terry Kneeburg, PMP MCITP MCTS, Principal Consultant
Terry has more than 25 years combined experience in product development, project management, and consulting.  He has been working with the Microsoft Project Server platform since 2004. At that time he led his mobile phone development organization in the deployment of EPM.  Terry is passionate about helping clients achieve success in managing their project portfolios, delivering to companies in a variety of industries including Healthcare, Transportation, State and Local Government, Energy, Technology, Insurance, and Pharmaceuticals.  He has conducted training classes for project managers, administrators, portfolio managers, and team members.

Stay up to date with insights from the Sensei Blog

  • This field is for validation purposes and should be left unchanged.