Imagine that you arrive at work and decide to connect to your Project Web App (PWA) to check the status of your projects. When you open PWA, everything is pink! It wasn’t like this yesterday, so what happened?
In the example above, a very creative project manager decided to “Change the look” of PWA, not realizing that this change impacted all users. By default, members of the Project Managers group have powerful permissions to customize the PWA site. In our experience, most organizations do not want to grant these rights to any users who are not application administrators. This article describes a technique for implementing these security settings for the case where Project Server Permissions mode is deployed. This technique is applicable to both Project Online and on-premise Project Server 2013.
The objective is to ensure that all PWA users, with the exception of PWA administrators, have no design permissions to the PWA site.
PWA Permissions Changes for Project Online and Project Server 2013
In Project Server 2010, the default permissions for Project Managers allowed powerful editing rights to the PWA site, just as in Project Online/Project Server 2013. The difference is that in 2010 the administrator could change the permission level for the Project Managers group, and the permissions would not change subsequently. In the newer versions, the selection of Project Server Permissions mode enables a feature called “Project Web App Sync”. By default, this feature is enabled and synchronizes members of Project Server security groups with the corresponding SharePoint groups. As one may see in the view below, there is a SharePoint group called “Project Managers (Project Web App Synchronized)” that has permission level “Project Managers (Microsoft Project Web App)”. The Project Web App Sync function in Project Online and Project Server 2013 has the effect of automatically adding users to this SharePoint group when they are added to the Project Server “Project Managers” security group through Server Settings => Manage Groups. The upside of this feature is that the administrator does not have to manually add users to the SharePoint group so that they can access PWA. The downside is that even if you alter the permissions, they will revert back to the defaults.
Default Group Permissions
Let’s have a look at the default Project Managers (Project Web App Synchronized) permissions for the PWA site collection. We should also be aware that, by default, the Business Intelligence Center inherits permissions from the PWA site. Navigate to PWA, then click on the Settings (Gear) icon and select Site settings.
In the ribbon, select Permission Levels.
Click on Project Managers (Microsoft Project Web App) to view this permission level.
Note that by default members have Site Permissions such as Manage Permissions, Add and Customize Pages, Apply Themes and Borders, Apply Style Sheets, and Create Groups. Also, all List Permissions are enabled, including Delete Items.
To ensure that “creative” project managers don’t inadvertently wreak havoc in PWA, we need to create a new SharePoint group with more benign permissions. We will then add PWA users to this new group, and remove them from the old ones.
Create New Permission Level and Group
Best practice is to leave the out of the box groups and permission levels intact. We will create a new permission level by copying one that is close to the desired result. In this case, I will copy the permission level Contribute, but I will uncheck two List Permissions: Delete Items and Delete Versions.
From the Permissions Levels page click on the Contribute permission level. Scroll to the bottom of the page and click Copy Permission Level.
Enter the Name and Description for the new Permission Level, disable (uncheck) Delete Items and Delete Versions, and then Save.
Next, create a SharePoint group and apply the new permission level to it. From the Site Settings | Site Permissions page, click on Create Group.
Fill in the Name and About Me (Description), then scroll to the bottom and check the permission level you just created. Save the changes.
Disable Project Web App Sync
By default, adding a user to a Project Server security group, such as Project Managers, will also add them to the corresponding SharePoint group on the PWA site. To prevent this automatic synchronization we must disable it. This function may be accessed through PWA Server Settings, in the Security section. Uncheck the box next to Enable Project Web App Sync and save. I don’t advocate disabling the Project Site Sync process, as this would require manually managing permissions on all project sites.
Modify Group Membership
The last step is to update the SharePoint group membership. First, add all PWA users to the newly created SharePoint group. The most efficient way to do this is by utilizing an Active Directory (AD) group that contains all the users who need PWA access. Add this AD group to the PWA SharePoint group.
After you have added all the users (your AD group) to the new SharePoint group, you should remove all users from the SharePoint groups Project Mangers (Project Web App Synchronized) and Team Members (Project Web App Synchronized).
Conclusion and Recommendation
Utilizing the techniques described in this article will provide greater control over your PWA user permissions and ensure that your PWA site theme does not change unexpectedly! Note that PWA security now has two components to manage: SharePoint and Project Server. As an administrator you must make sure that your PWA users are assigned to both the correct Project Server security group and the correct SharePoint security group. As with any security change such as this one, it is best practice to perform validation in a non-production environment first. The advantages and disadvantages of the Project Web App Sync are summarized in the table below.
About Sensei Project Solutions
Sensei Project Solutions is a Microsoft Partner specializing in Project and Portfolio Management (PPM) deployments with Microsoft Project and Project Server on the SharePoint platform. With extensive experience on hundreds of PPM deployments and with thousands of users trained, Sensei Project Solutions brings a process-focused approach; and support for industry standards and best practices to all engagements. We offer a complete set of services to help an organization make their Microsoft PPM deployment successful, including full implementation and support services, training, as well as pre-configured solutions and report packs. firstname.lastname@example.org