Project Manager losing Admin access to their workspace

[Nikki]

I have an issue where workspaces are set up with unique permissions
(from the WSS template). the project server security for PMs is that
they can create, save and publish projects to the server. this gives
the pm access to their workspace - but grants them project manager
access to their workspace. the admin upon being notified goes to the
pms workspace and creates a permission level group - adds the pm into
that group (which has full control).

Issue we face - when the pm's details are resaved or the project is
published the project server permision over rides and the pm has
project manager access to their workspace.

i dont want to change the pm permission level group because then the
pm will have ability to manage permissions on pwa level etc..

is this common behaviour? why does the project sever security over
ride all the time even if there is a custom permission level group?

appreciate any advice

 

[Marc Soester [MVP]]

Nikki, when you say unique permission from the template what exactly do you
mean? Generally you cannot set up usique permission on a WSS template without
custom dev. Also if you want PM's to get a different set of permission you
can manage that directly in PWA permission.

Thanks

 

[Nikki]

Nikki, when you say unique permission from the template what exactly do you
mean? Generally you cannot set up usique permission on a WSS template without
custom dev. Also if you want PM's to get a different set of permission you
can manage that directly in PWA permission.

Thanks
--
Marc Soester [MVP]http://www.i-pmo.com.au









- Show quoted text -

Hi Marc

Unique permissions meaning the workspace does not inherit permissions
from the parent site. The security model needs to be configured that
nobody (except admins) initially have access to the workspace except
those on the schedule. The PM however is required to have access to
the workspace with the permission to access "advanced permissions".
AFter the PM creates the schedule they notify the EPM admin to add
them into a separate permission level on their workspace.


However because the workspace sychronisation is turned on between the
schedule and workspace (server settings > workspace provisioning
settings) this means that anytime you re-save a PM's credentials (like
update resource custom fields etc) there is a synchronisation between
the schedule and workspace the project server permission over rides
and the PM reverts back to having Project Manager access to their
workspace.

The only work around I have for this is to turn off synchronisation
between the schedule and the workspace through server settings. When a
PM creates a Project they need to immediatley notify the epm admin to
add them into the additional security permission level group they
create on the workspace. Even if the workspace is synchronised
manually through server settings or the PMs credentials are saved the
PM will retain access to the workspace based on the permissions in
that additional permission level.
The limitation with this of course is that a PM needs to await the EPM
admin to do this.

there is no option of additional categories because these are project
server permissions. Also this company runs confidential projects so
they need to make sure other PMs cannot access their workspace.

Can you think of any other options to manage this scenario?

thanks
Nikki

p.s long time no hear

 

[Marc Soester [MVP]]

Hi Nikki, yes long time no hear I hope you and the EPM Partner team is
doing well. It's time to catch up soon.

In regards to your scenario, I believe you cannot have the individual
permissions in the workspace template but would have to do this once the
workspace is created. You could work around it with custom dev, but I would
assume that your customer doesnt want that.
How about when a central body ( e.g. PMO ) publishes the project and then
give the PM and the workpsace the permission you are after. It would be an
additioanl step, but would ensure that sensitive data is not seen by the rest
of the organisation?

Not knowing all details, this may be a scenario that works. Call me if you
want to discuss in more detail
Big hello
Marc