PWA 2007 - Access Denied message

[Clara]

We are using Project Server 2007, have synched with Active Directory, and
thought we had security permissions issues. Now I am wondering - I have users
who are actually logged in, using PWA 2007, when suddenly they receive an
Access Denied message. Closing and reopening PWA does not clear this. All
permissions appear to be correct. Has anyone else seen this? Thoughts on what
might be causing multiple users to receive Access Denied? thanks

 

[Jonathan Sofer]

When you change any user accounts or security groups in 2007 (manually or
using AD synch), the system runs a synchronization queue job which
re-synchronizes permissions of users to all sharepoint sites (project
workspaces) including the top PWA site. First thing the synch job does is
remove the users from all the sites including PWA and then adds them back
in.

Depending on how many users you have in the system, this can take a really
long time and while the job is completing, your users could temporariliy
lose their access to the sites including PWA.

Also, the synchronization job could potentially be stuck in the queue
mid-process in which case you might have to restart the queue services on
the server to get it running again.

The first thing to try is to log in as the system account since that account
never has access loss and go to Site Actions>Site Settings>Advanced
permissions and verify that your entire user list is showing up there.

If not, then go check the queue jobs to see if the job is still running or
is stuck. It could be running really slow so check it once, note the %
completion and then come back a few minutes later to verify that the %
complete is progressing.

Jonathan

 

[Clara]

This is very helpful, thanks. Couple of points to clarify, if you can. By
changing a user account, would moving a user from one group to another, for
instance team member to project manager, cause this synchronization to kick
off? And I have verified that not all my users are in the Advanced
permissions list. For at least one, he is not in the list and still gets the
Access Denied message. How do I fix that?

 

[Jonathan Sofer]

Hi Clara,

Yes, moving a user from one group to another should definitely kick off a
synchronization for that user. You can view the queue at the same time to
validate the it does if you like, in the scenario you described below it
would change the user on the PWA top site from the Reader to the Project
Manager SharePoint role.

In fact, even if you make NO changes yes still hit the save button on the
user, it will perform a synchronization.

For the user in question, I would make sure they have no permissions set at
the user level (like any denys or anything for that matter) and that they
are added to the appropriate security group like other users that are
working, try Team Members to start.

Then validate the the synchronization job for that user gets processed
successfully in the Manage Queue section of Server Settings in PWA.

Jonathan