
Managing Project Web App Site Permissions in Project Online and Project Server 2013

Introduction

Imagine that you arrive at work and decide to connect to your Project Web App (PWA) to check the status of your projects.  When you open PWA, everything is pink!  It wasn’t like this yesterday, so what happened?

PWA_1

In the example above, a very creative project manager decided to “Change the look” of PWA, not realizing that this change impacted all users.  By default, members of the Project Managers group have powerful permissions to customize the PWA site.  In our experience, most organizations do not want to grant these rights to any users who are not application administrators.  This article describes a technique for implementing these security settings for the case where Project Server Permissions mode is deployed.  This technique is applicable to both Project Online and on-premises Project Server 2013.

Goal

The objective is to ensure that all PWA users, with the exception of PWA administrators, have no design permissions to the PWA site.

PWA Permissions Changes for Project Online and Project Server 2013

In Project Server 2010, the default permissions for Project Managers allowed powerful editing rights to the PWA site, just as in Project Online/Project Server 2013.  The difference is that in 2010 the administrator could change the permission level for the Project Managers group, and the permissions would not change subsequently.  In the newer versions, the selection of Project Server Permissions mode enables a feature called “Project Web App Sync”.  By default, this feature is enabled and synchronizes members of Project Server security groups with the corresponding SharePoint groups.  As one may see in the view below, there is a SharePoint group called “Project Managers (Project Web App Synchronized)” that has permission level “Project Managers (Microsoft Project Web App)”.  The Project Web App Sync function in Project Online and Project Server 2013 has the effect of automatically adding users to this SharePoint group when they are added to the Project Server “Project Managers” security group through Server Settings => Manage Groups.  The upside of this feature is that the administrator does not have to manually add users to the SharePoint group so that they can access PWA.  The downside is that even if you alter the permissions, they will revert back to the defaults.

PWA_2

Default Group Permissions

Let’s have a look at the default Project Managers (Project Web App Synchronized) permissions for the PWA site collection.  We should also be aware that, by default, the Business Intelligence Center inherits permissions from the PWA site.  Navigate to PWA, then click on the Settings (Gear) icon and select Site settings.

PWA_3

In the ribbon, select Permission Levels.

PWA_4

Click on Project Managers (Microsoft Project Web App) to view this permission level.

PWA_5

Note that by default members have Site Permissions such as Manage Permissions, Add and Customize Pages, Apply Themes and Borders, Apply Style Sheets, and Create Groups.  Also, all List Permissions are enabled, including Delete Items.

PWA_6

PWA_7

Solution

To ensure that “creative” project managers don’t inadvertently wreak havoc in PWA, we need to create a new SharePoint group with more benign permissions.  We will then add PWA users to this new group, and remove them from the old ones.

Create New Permission Level and Group

Best practice is to leave the out-of-the-box groups and permission levels intact.  We will create a new permission level by copying one that is close to the desired result.  In this case, I will copy the permission level Contribute, but I will uncheck two List Permissions: Delete Items and Delete Versions.

From the Permission Levels page click on the Contribute permission level.  Scroll to the bottom of the page and click Copy Permission Level.

PWA_8

Enter the Name and Description for the new Permission Level, disable (uncheck) Delete Items and Delete Versions, and then Save.

PWA_9

Next, create a SharePoint group and apply the new permission level to it.  From the Site Settings | Site Permissions page, click on Create Group.

PWA_10

Fill in the Name and About Me (Description), then scroll to the bottom and check the permission level you just created.  Save the changes.

PWA_11

PWA_12

Disable Project Web App Sync

By default, adding a user to a Project Server security group, such as Project Managers, will also add them to the corresponding SharePoint group on the PWA site.  To prevent this automatic synchronization we must disable it.  This function may be accessed through PWA Server Settings, in the Security section.  Uncheck the box next to Enable Project Web App Sync and save.  I don’t advocate disabling the Project Site Sync process, as this would require manually managing permissions on all project sites.

PWA_13

PWA_14

 

Modify Group Membership

The last step is to update the SharePoint group membership.  First, add all PWA users to the newly created SharePoint group.  The most efficient way to do this is by utilizing an Active Directory (AD) group that contains all the users who need PWA access.  Add this AD group to the PWA SharePoint group.

PWA_15

PWA_16

After you have added all the users (your AD group) to the new SharePoint group, you should remove all users from the SharePoint groups Project Managers (Project Web App Synchronized) and Team Members (Project Web App Synchronized).
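
To confirm the result of the steps above against the stated goal, the following read-only audit lists every principal on the PWA site whose permission level still includes one of the design rights named earlier, together with its member count. It is an added example, not part of the original article; it assumes an on-premises Project Server 2013 farm with the SharePoint 2013 Management Shell, and the URL and the administrator group name are placeholders.

```powershell
# Added example: read-only audit of design rights on the PWA site.
# Assumes the SharePoint 2013 Management Shell on a farm server (on-premises only).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$PwaUrl  = 'https://projects.example.com/PWA'   # placeholder: your PWA site URL
$Allowed = @('PWA Administrators (placeholder)') # placeholder: groups that may keep design rights

# Site permissions the article lists on the default Project Managers permission level
$DesignRights = 'ManagePermissions', 'AddAndCustomizePages', 'ApplyThemeAndBorder',
                'ApplyStyleSheets', 'CreateGroups' |
    ForEach-Object { [Microsoft.SharePoint.SPBasePermissions]$_ }

$web = Get-SPWeb -Identity $PwaUrl
try {
    $findings = foreach ($ra in $web.RoleAssignments) {
        if ($Allowed -contains $ra.Member.Name) { continue }
        foreach ($role in $ra.RoleDefinitionBindings) {
            # Which design rights does this permission level grant?
            $held = $DesignRights | Where-Object { $role.BasePermissions.HasFlag($_) }
            if (-not $held) { continue }
            # For SharePoint groups, report how many members would inherit the rights
            $members = if ($ra.Member -is [Microsoft.SharePoint.SPGroup]) {
                $ra.Member.Users.Count
            } else { 1 }
            [pscustomobject]@{
                Principal       = $ra.Member.Name
                PermissionLevel = $role.Name
                Members         = $members
                DesignRights    = ($held -join ', ')
            }
        }
    }
}
finally {
    $web.Dispose()   # SPWeb objects must be disposed explicitly
}

if ($findings) {
    $findings | Sort-Object Members -Descending | Format-Table -AutoSize -Wrap
} else {
    'No non-administrator principal holds design rights on the PWA site.'
}
```

A synchronized group such as Project Managers (Project Web App Synchronized) will still appear because its permission level is unchanged; what matters is that its Members count is 0. An AD group added to a SharePoint group counts as one member, so its own membership has to be reviewed in Active Directory.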

 

Conclusion and Recommendation

Utilizing the techniques described in this article will provide greater control over your PWA user permissions and ensure that your PWA site theme does not change unexpectedly!  Note that PWA security now has two components to manage: SharePoint and Project Server.  As an administrator you must make sure that your PWA users are assigned to both the correct Project Server security group and the correct SharePoint security group.  As with any security change such as this one, it is best practice to perform validation in a non-production environment first.  The advantages and disadvantages of the Project Web App Sync are summarized in the table below.

PWA_17

 

About Sensei Project Solutions
Sensei Project Solutions is a Microsoft Partner specializing in Project and Portfolio Management (PPM) deployments with Microsoft Project and Project Server on the SharePoint platform. With extensive experience on hundreds of PPM deployments and with thousands of users trained, Sensei Project Solutions brings a process-focused approach and support for industry standards and best practices to all engagements. We offer a complete set of services to help an organization make their Microsoft PPM deployment successful, including full implementation and support services, training, as well as pre-configured solutions and report packs. info@senseiprojectsolutions.com


26 Comments
  1. Excellent article, Terry!

    Reply
  2. Terry Kneeburg

    Thank you, Dale!

    Reply
  3. Terry, I have been fighting an issue with Project Server 2007 where “approved” Actuals turn pink! Now the Actuals won’t update back to the project!
    (I was trying to paste a copy for you but can’t) When I saw your article I was overjoyed to think that someone had published a solution to my problem! I liked the article but unfortunately it wasn’t related. Have you ever heard of this problem? I’ve had the server rebooted. The queues appear to be working – no error messages, but the Actuals are NOT showing up! HELP!!!!!

    Reply
  4. Hi Terry,

    I’ve done it but:
    the PDP Library has unique permission and must be managed to give access to the Project Details Pages to the PWA Group.
    Other lists or impact?

    With your configuration, the site permission sync with owner and Team Member of the project is already automatic?

    Thanks for your post

    Regards

    Reply
  5. Terry Kneeburg

    Daniele, the article is about permissions to the PWA site, and assumes that PWA lists and libraries are set to inherit permissions. If you have broken permissions inheritance, then you are already manually controlling permission levels and may need to review those.

    The project site permission sync is a separate setting (Enable Project Site Sync), which I recommend you enable so that you don’t have to manually manage permissions on every project site. With Project Site Sync enabled, the Project Manager and Team Members automatically get access to the appropriate project sites.

    Reply
  6. Terry Kneeburg

    Joseph, I don’t recall seeing this issue in any version of Project Server. Have you checked to make sure the projects are being published after the task updates are approved?

    Reply
  7. Can permissions settings be different for PWAs in Project Online? One PWA with SharePoint and the other PWA with Project Server permissions?

    Reply
  8. Terry Kneeburg

    Jerry, yes you can do this in Project Online. Each PWA instance’s permission mode can be set independently of the others.

    Reply
  9. Thank you Terry.

    Reply
  10. Hi Terry,

    Great article but my requirements are slightly different. I’m trying to configure Project Online so that team members (the default permission group) only has read access to Project Sites. This isn’t how the default permission model works, so we modified the SharePoint group to remove all permissions except those that would grant read-only. Works fine so far.

    The issue occurs when there is any change to the permission model, including adding a new user to the system. Project Online does a full sync of permissions against all sites, and reverts Project Site permissions back to the default setting, effectively overwriting our custom Team Member permissions.

    Can you recommend a workaround for this scenario?

    Reply
  11. Terry Kneeburg

    Phil, the only way to do what you want is to disable Project Site Sync (Server Settings, Manage User Sync Settings). Please be aware that if you do this you will have to manually manage permissions on every project site as users will no longer be automatically granted access. Hope this helps.

    Reply
  12. Terry. I’ve a Project Server 2013 on-premises test environment. But this didn’t work for me. It seems to be AD sync fail. Everything was fine until Modify Group Membership. I add the new AD group name to the Share ‘Project Web App’ page, but after project creation to test it, the new group was empty, no users on it. The AD sync with SharePoint needs some additional configuration? Thanks..

    Reply
  13. Terry Kneeburg

    Luis, you may need to add each user individually to the SharePoint group. I have also seen the behavior you describe.

    Reply
  14. Thank you Terry.
    Don’t you think that Microsoft should implement some kind of flexibility, to manipulate the permissions at PWA level more efficiently? For instance, I don’t agree with delete list and delete documents permission to team members.
    Regards.

    Reply
  15. Correcting the last message. “delete list and documents at the project site, allowing to configure permissions ….”

    Reply
  16. Nice one Terry. 🙂

    One point. The Project Details Pages (PDP) library has unique permissions and this SP group needs to be added to it as well. Otherwise user gets a Site Permission Share Error.

    Reply
  17. Hi Terry,

    I have a user who is an owner of a project, she only has contribute permission in the said project, when I tried to edit it to full access, after 15 mins or more it reverts back to the original permission. Any idea what is causing it? And how to sort it out?

    Reply
  18. Hi Terry,

    If I wanted to change the settings so only the administrators were able to change the theme of the site…if we just disable those 4 settings (add/customize, apply theme changes, create groups and create borders) for the project managers group, won’t that disallow all people in the project managers group the ability to change the theme for the entire site?

    It looks like the administrators group would retain those rights, which is the ideal.

    Great article, I’m just wondering if in our situation if we’ll need to create a whole new group.

    Thanks!

    Reply
  19. Terry Kneeburg

    Daniel, the permissions changes to the Project Managers (Project Web App Synchronized) will be overwritten, so that’s why you must create a new group. It may appear initially that you are able to adjust the permissions, but they will revert. Hope this helps.

    Reply
  20. Excellent article. I was wondering if this would be applicable with the SharePoint permission mode. What I want is to have “read only” users (customers, executives,…) but with the default PWA group permission, although they are allowed only to read the projects, they can modify the page (to turn pink of course :-)). Any suggestion on how to do that? Thanks in advance.

    Reply
  21. Great Article!

    Reply
  22. Hi Terry –

    Ran into the same issue with project managers changing the themes. Followed your steps and it does prevent access to changing the theme/look however it also is restricting access to Project sites. The only way we are able to allow project site access while restricting changing the look and theme was to modify the “Project Managers (Project Web App Synchronized)” group. The only difference we can see is under the permissions for “Project Managers (Project Web App Synchronized)” there is a grayed out box, Limited Access – Can view specific lists, document libraries, etc. which isn’t available when copying. Due to being grayed out you cannot un-check it either. Any thoughts on what we’re doing wrong?

    Thank you,
    Justin

    Reply
  23. Hi Terry, I set the Project Permission Sync Setting on as stated above in a test instance, but it seems that the emails of the people in the different groups are not being sent emails. It is not synced. In production it is synced, how do I turn the process of syncing on?

    Reply
  24. When I select to Resource pool then enterprise resource pool is greyed out.
    The AD Group has successfully synchronized with the Enterprise Resource Pool

    Question: How can we enable the Use synchronized with the Enterprise Resource Pool?

    Reply
  25. Hi,

    This fix no longer works with Project Online as the PWA Users group doesn’t get added to the Project Detail Page permissions so Project Managers will no longer be able to access PDP pages or open projects from the Project Center. You will need to, as an additional step, break the unique permissions on the Project Details Pages page so that the Project Detail Pages permissions are inherited from PWA. The PWA Users group will now be added and then stop inheriting permissions from the parent and remove all extraneous user groups that are added when you removed the unique permissions (PWA Owners, PWA Visitors, etc.). Now that you have completed these extra steps you will remove the PMs ability to make changes to the PWA site.

    Reply
  26. How do you address the individual project sites and permissions based upon the issues in this article

    Reply
