
Anaheim, CA | February 2-5, 2014

Understanding security in Project Online and Project Server 2013

Michael Wharton, MVP
Project/SharePoint Architect
Wharton Computer Consulting

Nadin Merali
Program Manager
Microsoft

PC330

Speaker: Michael Wharton
• Awarded Project MVP (Microsoft Valuable Professional)
• Over Ten Years Experience with Project Pro and Project Server
• Over 25 Project Server Deployments into PMO
• Over seven Project Server Migrations
• Trained over a thousand Project Managers using Project Professional
• Technical Reviewer for Missing Manual: Project Professional 2013 and 2013
• Web Site: www.WhartonComputer.Com
• Blog: www.MyProjectExpert.com
• Twitter: MyProjectExpert
• Passed over 42 Microsoft Certification Exams
• Michael Wharton, MBA, PMP, MCT, MCITP, MCTS, MCSE+I, MCDBA, MCSD

Speaker: Nadin
• Program Manager
• Works on Project Online and Security
• Working on Project < 1 year
• PMP Certified
• Software Consultant 8+ years

Agenda

• Contoso Scenario
• PMO Security Fundamentals
• Difference between Security Modes
• SharePoint Permissions Mode
• Deep Dive in Project Permissions
• Security Strategies and Best Practices
• Questions

Who Are You?

Contoso

Contoso
• Software Company
• Banking software
• Currently has Client/Server application - Sentinel
• Working on a new Cloud application – Sky Fortress
• Want to use Project to manage projects

Projects:
• Sentinel Client
• Sentinel Server
• Sky Fortress – New cloud based service

Contoso Organization

• Iris Carr, Owner
• Amelia Wade, Lead BA
• Joseph Pettis, BA
• Melvin McDowell, Lead Client Developer
• Martha Ramirez, Developer
• Toni Hunt, Developer
• Elsa Barber, Developer
• Billy Hatley, Server Developer Lead
• Earl Ramsay, Developer
• Lourdes Moss, Developer
• Clyde Stitt, Developer
• Helene Goodman, Online Developer Lead
• Dwight Slattery, Developer
• Joni Wong, Developer
• Angel Chau, Developer
• Marvin Overby, Test On-Premise Lead
• Clifton Mahaffey, Tester
• Mayra Collier, Tester
• Terrance Markley, Tester
• Rodolfo Wooley, Test Online Lead
• Rufus Moorman, Tester
• Gabrielle Glenn, Tester
• Wilfred Lew, HR
• Josh Gower, Marketing/Sales Lead
• Simone Peck, Marketing/Sales
• Hugo Stonge, IT

Contoso AD

• Executive
• Business Analyst
• Client Developers
• Server Developers
• Online Developers
• On-Premise Testers
• Online Testers
• Marketing/Sales
• Engineering leads
• Domain Admin
• Domain Users

Contoso PWA Layout

Site Collection
• PWA
  • Sentinel Client
  • Sentinel Server
  • Sky Fortress

Contoso Requirements

IT Administrator
• General Administrator
• Handles AD, networking, SharePoint administration

Business Analyst
• PMs of the company
• Need to oversee all projects

Developer/Test Lead
• Handle task assignments
• Need to understand what their counterparts are doing

Developer/Tester
• See the work they have to do
• Share designs/documentation/project collateral

Marketing and Sales
• Wants to know what is going on so they can give feedback to the customers

Executive
• Wants to see the big picture
• Doesn’t know what is going on at the lower levels, so provide restricted access

PMO Security Fundamentals

PMO Security Boundaries

What You Can See What You Can Do

Security Strategies

• SharePoint Permissions (simplest)
• Project Permissions (flexible)
• Use default out-of-box permissions and sync AD groups
• Adjust permissions groups and categories as needed
• Add additional groups and categories
• Manage security based on RBS
• Manage projects and resources into categories

Simplest / Small PMO

Complex / Large PMO

PWA Security Model Relationship

[Diagram: Users → Groups → Categories → Projects and Resources]

SharePoint Permission Project Permission

SharePoint Site Permissions Levels
• Full Control
• Design
• Contribute
• Read

Categories associated with Default Groups (Project Server)

Default groups: Administrators, Portfolio Managers, Portfolio Viewers, Project Managers, Resource Managers, Team Leads, Team Members

Category Name:
• My Direct Reports
• My Organization
• My Projects
• My Resources
• My Tasks

Default Group Permissions

Administrators
Site Permission Level: Full Control
Users have all global permissions as well as category permissions through the My Organization category. This allows them complete access to everything in Project Web App.

Portfolio Managers
Site Permission Level: Design and Manage Sub Sites
Users have permissions to view Project Online data. This group is intended for high-level users who need visibility into projects but are not themselves assigned project tasks.

Portfolio Viewers
Site Permission Level: Contribute
Users have permissions to view Project and Project Web App data. This group is intended for high-level users who need visibility into projects but are not themselves assigned project tasks.

Default Group Permissions

Project Managers for PWA
Site Permission Level: Design and Manage Sub Sites
Users have permissions to create and manage projects. This group is intended for project owners who assign tasks to resources.

Resource Managers
Site Permission Level: Design
Users have most global and category-level resource permissions. This group is intended for users who manage and assign resources and edit resource data.

Team Leads
Site Permission Level: Contribute
Users have limited permissions around task creation and status reports. This group is intended for persons in a lead capacity that do not have regular assignments on a project.

Default Group Permissions

Team Members
Site Permission Level: Contribute
Users have general permissions for using Project Web App, but limited project-level permissions. This group is intended to give everyone basic access to Project Web App.

Project Server 2013 Architecture

[Diagram labels]
• Clients: Project Professional 2013, 3rd party on-premises applications, SharePoint Apps, PowerShell, Browser
• WFE: ASPX Pages, Web Services, WCF Endpoints, CSOM, OData, Forwarder, Business Objects
• App: WCF Endpoints, Business Objects, Eventing, Queue, PCS, Workflow
• SQL: SharePoint (content, config), Project (archive, dbo, publish, draft)
• Event Receiver, Azure Workflow, cubes

Where do I get the users from? (On Premise)

[Diagram labels: Active Directory (User/Groups), Project Professional 2013, Browser, SharePoint, Project Server, Exchange]

Where do I get the users from? (On Premise and Office 365)

[Diagram labels: On Premise Active Directory (User/Groups), Directory Sync, Office 365 Active Directory (User/Groups), SharePoint Online, Project Online, Exchange Online, Project Professional 2013, Browser]

Permission Modes Differences

SharePoint vs Project Permission Mode

SharePoint
• User Management + Permissions controlled through SharePoint
• Simple Permission Model
• Easy to use AD Group/Custom Claims

Project
• Permissions controlled through Project Server
• Allows Resource Delegation (Impersonation)
• Allows RBS-driven security
• Customize specific user/group security
• Complex + Flexible

SharePoint Permission Mode Groups

SharePoint Group : Project Group (Sync)
• Administrators for Project Web App : Administrators
• Portfolio Managers for Project Web App : Portfolio Managers
• Portfolio Readers for Project Web App : Portfolio Readers
• Project Managers for Project Web App : Project Managers
• Team Member for Project Web App : Team Member
• Team Leads for Project Web App : Team Leads
• Resource Manager for Project Web App : Resource Manager

Project Permission Mode Groups

SharePoint Group : Project Group (Sync)
• Administrators for Project Web App : Administrators
• Portfolio Managers for Project Web App : Portfolio Managers
• Portfolio Readers for Project Web App : Portfolio Readers
• Project Managers for Project Web App : Project Managers
• Team Member for Project Web App : Team Member
• Team Leads for Project Web App : Team Leads
• Resource Manager for Project Web App : Resource Manager

SharePoint Permission Synchronization

Project Server
• Job: Synchronization of SharePoint Server permissions to Project Web App permissions job for Project Service Application
• Every minute by default

Project Online
• Every minute

User Profile Sync (Project Permission)
• Calculates amount of change
• Small changes occur immediately
• Large changes are queued for later time

Changing Permission Mode

Project Permission Mode SharePoint Permission mode
• Destructive action
• SharePoint groups will override all Project Server permissions

Changing Permission Mode using Project Online


Changing Permission Mode on Premise

PowerShell

# Switch the PWA instance to Project Server permission mode
Set-SPProjectPermissionMode -Url "http://domain/PWA" -AdministratorAccount "domain\AdminAccount" -Mode ProjectServer

# Switch the PWA instance to SharePoint permission mode
Set-SPProjectPermissionMode -Url "http://domain/PWA" -AdministratorAccount "domain\AdminAccount" -Mode SharePoint

SharePoint Permission Mode

SharePoint Permission Mode PWA Groups

SharePoint Group : Project Group (Sync)
• Administrators for Project Web App : Administrators
• Portfolio Managers for Project Web App : Portfolio Managers
• Portfolio Readers for Project Web App : Portfolio Readers
• Project Managers for Project Web App : Project Managers
• Team Member for Project Web App : Team Member
• Team Leads for Project Web App : Team Leads
• Resource Manager for Project Web App : Resource Manager

SharePoint Permission Mode: SharePoint Project Site Groups
• Visitors
• Members
• Owners

Project: Heavy Galaxy
• SharePoint Group: Heavy Galaxy Visitors
• SharePoint Group: Heavy Galaxy Members
• SharePoint Group: Heavy Galaxy Owners

SharePoint Group Sync

[Diagram labels: SharePoint group "Team Member for Project Web App", Project group "Team Member", Sync; member types: AD Users, AD Groups, Windows Group, Forms-based, Custom]

Contoso SharePoint PWA Assignments

• Administrators: Domain Admin
• Portfolio Managers: Business Analyst
• Portfolio Viewers: Executive, Marketing/Sales
• Project Managers: Engineering leads
• Resource Managers: Engineering leads
• Team Members: Domain Users

Contoso SharePoint Site Collection Assignments

Sentinel Client
• Owners: Business Analyst
• Members: Client Developers, On-Premise Testers
• Visitors: Engineering leads, Marketing/Sales

Sentinel Server
• Owners: Business Analyst
• Members: Server Developers, On-Premise Testers
• Visitors: Engineering leads, Marketing/Sales

Sky Fortress
• Owners: Business Analyst
• Members: Online Developers, Online Testers
• Visitors: Engineering leads, Marketing/Sales

Contoso Changes

• Iris Carr, Owner
• Amelia Wade, Lead BA
• Joseph Pettis, BA
• Melvin McDowell, Lead Client Developer
• Martha Ramirez, Developer
• Toni Hunt, Developer
• Elsa Barber, Developer
• Billy Hatley, Server Developer Lead
• Earl Ramsay, Developer
• Lourdes Moss, Developer
• Clyde Stitt, Developer
• Helene Goodman, Online Developer Lead
• Dwight Slattery, Developer
• Joni Wong, Developer
• Angel Chau, Developer
• Clyde Stitt, Developer
• Marvin Overby, Test On-Premise Lead
• Clifton Mahaffey, Tester
• Mayra Collier, Tester
• Terrance Markley, Tester
• Rodolfo Wooley, Test Online Lead
• Rufus Moorman, Tester
• Gabrielle Glenn, Tester
• Wilfred Lew, HR
• Josh Gower, Marketing/Sales Lead
• Simone Peck, Marketing/Sales
• Aarif Maalouf, Marketing/Sales
• Hugo Stonge, IT

Demo: Syncing in SharePoint Permission Mode

Deep Dive Project Permissions

Determining Security Mode

• SharePoint Permissions (simplest)
• Project Permissions (flexible)
• Use default out-of-box permissions and sync AD groups
• Adjust permissions groups and categories as needed
• Add additional groups and categories
• Manage security based on RBS
• Manage projects and resources into categories

Simplest / Small PMO

Complex / Large PMO

Server Settings / Project Premise

Out-of-Box Security for Project Premise

[Diagram: Users → Groups → Categories → Projects and Resources]
• Portfolio Managers: My Organization
• Project Managers: My Organization, My Projects, My Tasks
• Team Members: My Tasks
• Resource Managers: My Organization, My Projects, My Resources

Global Permissions

Category Permissions

A permission is the authority to perform a specific action within the context of Project Server.

Global Permissions grant users and groups the ability to perform actions throughout PWA and are assigned to a group or user.

Category Permissions grant users and groups the ability to perform actions on specific projects and resources and are assigned at the category level.

Enabling and Disabling Permissions

ALLOW
• Check to Enable
• Uncheck to Disable

DENY
• Check to Disable Everywhere
• Uncheck to ignore

Permissions that may get changed

Project Manager Roles
• Delete Project
• New Project
• Save Project Template
• Manage Rules

Resource Manager Roles
• Log on Project Server from Project Professional

Team Member Roles
• Create New Task or Assignment
• Self-Assign Team Tasks
• Reassign Task

Contoso Security Model

[Diagram: Users → Groups → Categories → Project / Resources]
• Administrators: My Organization (Project / Resources)
• Marketing/Sales: My Organization (Project / Resources)
• Business Analyst: My Organization (Project / Resources)
• Engineering Leads (Project Managers and Resource Manager): My Organization (Project / Resources)
• Team Members: My Organization (Project / Resources)
• Resource Managers: My Organization (Project / Resources)
• Executive: My Organization (Project / Resources)

Demo: Create Project Group

• Create New Group
• Add Categories and Set Permissions
• Assign Group to a User

Designing Security and Best Practices

Putting it all together
• Build Team to Define Security Requirements
• Gather Security Requirements
• Design and Build Security Model
• Test Security Design
• Rollout Security

Best Practices
• Use AD Groups for Group Syncing
• Assign user to Project Groups or SP Groups
• Set permissions on Groups (not Users)
• Do not add categories to users
• Do not use the DENY permissions
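The ALLOW/DENY rule from the Enabling and Disabling Permissions slide, and the reason the best practices above advise against DENY, shown as an added example (not from the presentation or from Project Server's own code): a simplified Python model in which a DENY reached through any group overrides every ALLOW. Group, category and permission names are taken from the slides; which group holds which setting is constructed for the illustration.

```python
# Simplified model (added example): users -> groups -> categories -> projects.
ALLOW, DENY = "allow", "deny"

# Constructed data. Names come from the slides; the settings are assumptions.
CATEGORIES = {
    "My Organization": {"Sentinel Client", "Sentinel Server", "Sky Fortress"},
    "My Projects": {"Sentinel Client"},
}
GROUPS = {
    "Project Managers": {
        "global": {"New Project": ALLOW},
        "category": {"My Projects": {"Delete Project": ALLOW}},
    },
    "Team Members": {
        "global": {},
        # A DENY meant only for team members, set on the broad category.
        "category": {"My Organization": {"Delete Project": DENY}},
    },
}


def settings_for(groups, permission, project=None):
    """Collect every (group, scope, setting) that applies to this check."""
    found = []
    for gname in groups:
        group = GROUPS[gname]
        if project is None:  # global permission: set on the group itself
            if permission in group["global"]:
                found.append((gname, "global", group["global"][permission]))
            continue
        # category permission: applies only if the category holds the project
        for cat, perms in group["category"].items():
            if project in CATEGORIES[cat] and permission in perms:
                found.append((gname, cat, perms[permission]))
    return found


def is_allowed(groups, permission, project=None):
    """DENY anywhere wins; otherwise one ALLOW is enough; unset means no."""
    values = [s for _, _, s in settings_for(groups, permission, project)]
    return DENY not in values and ALLOW in values


def explain(groups, permission, project=None):
    """Return the settings that decided the outcome, for an access review."""
    found = settings_for(groups, permission, project)
    denies = [f for f in found if f[2] == DENY]
    return denies or [f for f in found if f[2] == ALLOW]
```

A user who is in both groups loses Delete Project on Sentinel Client even though Project Managers allows it, and `explain` names the group and category that carry the DENY.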

| Feature | SharePoint Permission | Project Server |
| Use a single set of security groups across Project Web App and SharePoint Server. | * | |
| Permissions inheritance for PWA and Project Sites | * | |
| Direct authorization against Active Directory security groups | * | |
| Claims-based authorization | * | * |
| Manage authorization by role-based groups | * | * |
| Extensible and customizable | * | * |
| User delegation | | * |
| Ability to secure work resources | | * |
| Impersonation | | * |
| Security filtering using the Resource Breakdown Structure | | * |
| Custom Security Categories | | * |

Summary of Permission Mode

Questions


Thank You


Design and Build Security Model

• SharePoint Permissions (simplest)
• Project Permissions (flexible)
• Use default out-of-box permissions and sync AD groups
• Adjust permissions groups and categories as needed
• Add additional groups and categories
• Manage security based on RBS
• Manage projects and resources into categories

Simplest / Small PMO

Complex / Large PMO

Recommended