Eplicitly 'deny' a permission?

[John Benak]

When setting group permissions in PSWA, there is an
option to explicitly 'allow' and explicitly 'deny' a
particular permission. Many of the default groups have
various settings where the 'allow' is checked, and others
where neither the 'deny' nor the 'allow' is checked. I
don't recall having seen any default permissions where
the 'deny' has been explicitly checked.

I'm setting up some customized groups, and I need to know
what exactly happens when you check the 'deny' box for a
specific permission (as opposed to simply leaving both
the 'allow' and 'deny' blank). Is this similar to what
happens in conventional NTFS permissions? Is there an
implied 'deny' when the 'allow' is not checked for a
given PSWA permission? It's not too clear, and I don't
want to lock things down TOO much, or cause something to
break by clamping down more than is necessary. At the
same time, I'd like to be able to create the view/edit
hierarchy that my customer is wanting.

It would seem to follow from NTFS that there is an
implied 'deny' unless 'allow' is explicitly checked, and
the explicit 'deny' may be for hierarchical permission
blocking or setup. However, I haven't seen anything on
this, so I submit it to the group for consideration.

All help is appreciated!

Thanks!
John Benak
HP Services

 

[Gary Chefetz [MVP]]

John:

Good instincts! The absence of allow or deny implicitly means "not allowed"
just as you suspected. The precedence of these is: Denied - Allowed - Not
Allowed. I have yet to ever use a Deny at any level other than at a
system-wide level for any implementation I've performed. Try to avoid it. If
you do have to use it, be careful and mindful that permissions are
cumulative in Project Server. If a user has a permission denied in any group
or category, it applies across the board.

--
Gary Chefetz [MVP]
http://www.msprojectexperts.com
"We wrote the book on Project Server"

*** Remember to look for line breaks in links posted to the news group, use
cut and paste for these.