New info: PWA user suddenly changed groups

[Hall]

In PWA, we set up custom groups. Two of them are Managers and Members. Bob
is only in Managers. Categories etc we're set up fine. As for permissions,
all permissions allowed for Members are allowed for Managers; that is,
Members' permissions are a subset of Managers' permissions. All went well.

.... Until I assigned a task to Bob using Project Pro. That seemed to
automatically put Bob in both Managers and Members. Since these 2 groups
have different permissions, Bob was now not able to do what we
intended him to do.

What could cause this? We use RBS to define our structure. And we're on
version 2002.

 

[Dale Howard]

Hall --

Here's what I think may have happened: you may have automatic creation of
user accounts enabled in PWA. Please do the following steps to confirm or
deny whether automatic account creation is enabled:

1. Log into PWA with Administrator permissions
2. Click the Admin menu
3. Click the Manage Organization link
4. In the Account Creation section, determine if any of the four items are
set to "Allow"

If this is the case, then when Bob was assigned to a task in a project and
the project was published, that makes Bob a Team Member as well as a Project
Manager. Because of this, PWA used the automatic account creation settings
above to add Bob to the Team Members group. To prevent the problem from
occurring again, you should disable those four account creation settings and
remove Bob from the Team Members group.

Perhaps this explains your situation, but maybe the others will have some
more ideas. Hope this helps.

 

[Hall]

Dale, you're help has been awsome!

All 4 settings are set to allow in organization. In fact, the security
intention we've used is that everything in Organization is allow, and only
at the group and category level do we specify allow or deny. All groups
(other than admin) have deny for these 4 permissions.

In this case, the Project Pro user who made the assignment of Bob was in a
Project Managers group (with these 4 permissions denied). So what would
trigger an automatic account creation? There's something I'm not getting
here.

 

[Dale Howard]

Hall --

I'm not sure I'm able to answer the specifics of "why" things have worked
the way they have. All I can say for sure is that you should disallow the
four automatic account creation permissions at the global level and that
will take care of the problem. I simply don't believe that you want user
accounts being created or modified automatically when one of your PM's
publishes a project. If a new user account is needed, that is where the
Project Server administrator needs to get involved, and then to create
whatever accounts are needed. Hope this followup helps.

 

[Gary Chefetz [MVP]]

Hall:

Your use of the "Deny" state is the culprit here. You should remove that
from the Team Members group and simply make them not allowed by unchecking
the all four allowed boxes as well. I'm not sure I've ever used Deny in any
implementation that I've done. Deny trumps allowed and not allowed.
Permissions are cumulative, use that to your advantage.