
Project Online and Project Site Security


Security for Project Online and the Project Sites

I wanted to write a blog post about one of the most common questions in Project Server and Project Online.
Clients always have the same question when PWA users are accessing Project Sites.
Part of the confusion comes from thinking of the security model as exclusive to PWA.
What I mean is this: it is true that in Project Permission mode you are using that security model for PWA, but what about the SharePoint piece?

Let’s review the project site security groups that are present on the SharePoint side [keep in mind this assumes you are using the Enable Web App Sync under the Manage User Sync Permissions].

Depending on the Project Online configuration, a user is normally made a member of one of these groups. Notice the (Project Web App Synchronized) after each one, a dead giveaway of what is being synced here:

Groups

Readers (Project Web App Synchronized), which has equivalent permissions to the Read SharePoint permission level. This means a member of the group can view pages, list items & documents on the SharePoint site.

Project Managers (Project Web App Synchronized) which has equivalent permissions to the Design SharePoint permission level. This means a member of the group can edit lists, document libraries, and pages on the SharePoint site.

Web Administrators (Project Web App Synchronized) which has equivalent permissions to the Full Control SharePoint permission level. This means all personal, site, and list permissions are granted for the SharePoint site.

Team members (Project Web App Synchronized), which has equivalent permissions to the Contribute SharePoint permission level. This means a member of the group can view pages and edit list items & documents on the SharePoint site.

So when we change a user’s permission, a Synchronization job will enter the Project Online queue.

 


This happens whenever someone’s PWA security group is altered. The sync job makes sure that the user or users get dropped into the correct groups above.

Now, remember this has to do with Project Site permissions; it does not change any AD group syncing that might be going on in PWA. This is strictly looking at SharePoint.
 


Membership of the SharePoint security group determines what the user has access to, such as documents and lists. So if you have Sync User Permissions enabled under each Project Type in PWA Settings, you will grant project work resources access to the project site of that type.

The outline below assumes that the permissions under Site Settings have not been altered. You could make changes to these groups, but it is not recommended.

You should see 7 groups. 3 are out-of-the-box SharePoint groups [Project Name prefix] that are custom, in case you need secondary groups for a site. They are called Members, Owners, and Visitors.

Now the PWA syncing groups are as follows:

Groups


Web Administrator (Project Web App Synchronized) - User has Manage SharePoint Foundation global permission assigned. By default, this is assigned to a member of the Project Server Administrators group.

Project Manager (Project Web App Synchronized) - User has Manage Lists in Project Web App global permission assigned. By default, this is assigned to a member of the Project Server Executives, Portfolio Managers or Project Managers group.

Team member (Project Web App Synchronized) - User has Contribute to Project Web App global permission assigned. By default, this is assigned to a member of the Project Server Team Leads, Resource Manager or Team Members group.

Readers (Project Web App Synchronized) - User has Log On global permission assigned.
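
The two lists above can be combined into a drift check for a project site. This is an added example, not code from the original post or from Microsoft: it flags a synced group whose permission level no longer matches the one listed here, and members who sit in a synced group without the matching PWA global permission. The input shape, the user names and the finding labels are assumptions, and the sample data is constructed.

```python
# Added example: drift audit for the synced project site groups described above.
SUFFIX = " (Project Web App Synchronized)"

# Synced group -> (PWA global permission behind it, expected SharePoint level),
# as listed in this post.
SYNC_MAP = {
    "Web Administrators": ("Manage SharePoint Foundation", "Full Control"),
    "Project Managers": ("Manage Lists in Project Web App", "Design"),
    "Team members": ("Contribute to Project Web App", "Contribute"),
    "Readers": ("Log On", "Read"),
}

def audit_site(site_groups, pwa_permissions):
    """Return sorted (kind, group, detail) findings for one project site."""
    findings = []
    for name, info in site_groups.items():
        if not name.endswith(SUFFIX):
            continue  # Members / Owners / Visitors are not PWA-synced
        base = name[: -len(SUFFIX)]
        if base not in SYNC_MAP:
            findings.append(("unknown-synced-group", name, ""))
            continue
        required, expected_level = SYNC_MAP[base]
        if info["level"] != expected_level:
            findings.append(("level-altered", name, info["level"]))
        for user in info["members"]:
            if required not in pwa_permissions.get(user, set()):
                findings.append(("member-without-pwa-permission", name, user))
    return sorted(findings)

# Constructed sample data (hypothetical users and export shape).
SITE_GROUPS = {
    "Web Administrators" + SUFFIX: {"level": "Full Control", "members": ["admin@example.com"]},
    "Project Managers" + SUFFIX: {"level": "Full Control", "members": ["pm@example.com"]},
    "Team members" + SUFFIX: {"level": "Contribute", "members": ["dev@example.com", "moved@example.com"]},
    "Readers" + SUFFIX: {"level": "Read", "members": ["viewer@example.com"]},
    "Apollo Members": {"level": "Edit", "members": ["guest@example.com"]},
}
PWA_PERMISSIONS = {
    "admin@example.com": {"Log On", "Manage SharePoint Foundation"},
    "pm@example.com": {"Log On", "Manage Lists in Project Web App"},
    "dev@example.com": {"Log On", "Contribute to Project Web App"},
    "moved@example.com": {"Log On"},  # no longer holds the Contribute permission
    "viewer@example.com": {"Log On"},
}

if __name__ == "__main__":
    for finding in audit_site(SITE_GROUPS, PWA_PERMISSIONS):
        print(finding)
```
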

Wooo that's a lot of groups to worry about.....lol

In all seriousness, this is a complicated process if you are not familiar with PWA or SharePoint security settings.
Please feel free to call us with any questions………