How to force permissions sync for PWA 2007

[RichardG]

Hi,

We are experiencing a problem with users not being able to access PWA in
Project Server 2007. We have about 17,000 users in our resource pool.
Most of these users get "Access Denied" when they try to open PWA. The
"View Effective Rights" tool shows that they have "Log On" permission. They
can all access the PWS sites for their various projects without problem.

When I looked further into this, I saw that in PWA -> Site Settings ->
People and Groups, the list of users stops partway through the Hs. i.e.,
any resource whose surname starts with A to G, plus a few of the Hs can
access PWA, but nobody else can. It seems that the process that
synchronised the permissions on PWA stopped part way through.

Is there any way to force the permissions to be synchronised? I've seen the
Project Server Workspace Sync tool on CodePlex
(http://projectworkspacesync.codeplex.com), but this seems only to work for
PWS sites. Does anyone know how to do this for PWA?

Thanks,
Richard

 

[Jonathan Sofer [MVP]]

Try modifying the Team Member's security group in PWA>Server Settings>Manage
Groups and then saving that group (Just saving the group will probably be
enough to initiate a synchronization). This will re-synchronize all the
users in that group by first removing their security access and then
re-adding them back one at a time with the appropriate security roles based
on their group membership. It will do this in alphabetical order.

It seems to me that this might be what already happened in your system and
that the synchronization failed part way through. I would be interested to
see if you are able to get the synchronization job to complete without
erroring out again. You have a very large set of users which could be
causing some issues with the synchronization timing out.

Jonathan

 

[RichardG]

Hi Jonathan,

Thanks for the quick reply. What you describe sounds very likely,
especially the fact that users' permissions are re-added in alphabetical
order. Project Server 2003 handled this number of users without a hitch.
(This has all come up as we try to migrate from PS2003 to 2007)

I tried to update the Team Members group. Clicking the "Save" button waits
a long time (2-3 minutes) before returning to the Manage Groups page or,
sometimes, an error page. I've noticed items in the event log that mention
SQL timeouts. I changed the database timeout from 15 seconds to 60, using
"stsadm -o setproperty -pn database-connection-timeout -pv 60" to see if
that might help. I haven't had it produce the error page since.

I think what I'm experiencing is described in the post at
http://projectserverblogs.com/?p=2259. Annoyingly, is seems as if the "User
Synchronization for Project Web Access App Root Site and Project WSS
Workspace" jobs don't appear in the Queue until something else comes along
to clobber it (like me trying to save the Team Members group again). I
only ever see them when they're stuck in the "Getting Queued" state, or when
they've failed with "Failed But Not Blocking Correlation".

I've just tried to kick off another sync, using the method you suggested,
and am leaving everything alone for a while. There's nothing showing in the
queue to suggests anything is happening, but I'm hoping that it is just the
queue display that is lying to me...

(FYI, we are not using Active Directory synchronisation)

Any other info or suggestions would be very welcome!

Thanks,
Richard

 

[Jonathan Sofer [MVP]]

I have not experienced the situation you describe of the synch job not
showing in the manage queue right away. When I modify a security group and
save it or a single user and save it, the job usually shows right away. Try
modifying a single user or a smaller security group to test this out. Make
an actual change though to guarantee that the permission synchronization
does kick off.

Jonathan