Anaheim, CA | February 2-5, 2014
Understanding security in Project Online and Project Server 2013
PC330
Michael Wharton, MVP, Project/SharePoint Architect, Wharton Computer Consulting
Nadin Merali, Program Manager, Microsoft
Speaker: Michael Wharton
• Awarded Project MVP (Microsoft Valuable Professional)
• Over Ten Years Experience with Project Pro and Project Server
• Over 25 Project Server Deployments into PMO
• Over seven Project Server Migrations
• Trained over a thousand Project Managers using Project Professional
• Technical Reviewer for Missing Manual: Project Professional 2013 and 2013
• Web Site: www.WhartonComputer.Com
• Blog: www.MyProjectExpert.com
• Twitter: MyProjectExpert
• Passed over 42 Microsoft Certification Exams
• Michael Wharton, MBA, PMP, MCT, MCITP, MCTS, MCSE+I, MCDBA, MCSD
Speaker: Nadin
• Program Manager
• Works on Project Online and Security
• Working on Project < 1 year
• PMP Certified
• Software Consultant 8+ years
Agenda
• Contoso Scenario
• PMO Security Fundamentals
• Difference between Security Modes
• SharePoint Permissions Mode
• Deep Dive in Project Permissions
• Security Strategies and Best Practices
• Questions
Who Are You?
Contoso
Contoso
• Software Company
• Banking software
• Currently has Client/Server application - Sentinel
• Working on a new Cloud application - Sky Fortress
• Want to use Project to manage projects
• Sentinel Client
• Sentinel Server
• Sky Fortress - New cloud based service
Contoso Organization
• Iris Carr: Owner
• Amelia Wade: Lead BA
• Joseph Pettis: BA
• Melvin McDowell: Lead Client Developer
• Martha Ramirez: Developer
• Toni Hunt: Developer
• Elsa Barber: Developer
• Billy Hatley: Server Developer Lead
• Earl Ramsay: Developer
• Lourdes Moss: Developer
• Clyde Stitt: Developer
• Helene Goodman: Online Developer Lead
• Dwight Slattery: Developer
• Joni Wong: Developer
• Angel Chau: Developer
• Marvin Overby: Test On-Premise Lead
• Clifton Mahaffey: Tester
• Mayra Collier: Tester
• Terrance Markley: Tester
• Rodolfo Wooley: Test Online Lead
• Rufus Moorman: Tester
• Gabrielle Glenn: Tester
• Wilfred Lew: HR
• Josh Gower: Marketing/Sales Lead
• Simone Peck: Marketing/Sales
• Hugo Stonge: IT
Contoso AD
• Executive
• Business Analyst
• Client Developers
• Server Developers
• Online Developers
• On-Premise Testers
• Online Testers
• Marketing/Sales
• Engineering leads
• Domain Admin
• Domain Users
Contoso PWA Layout
• Site Collection
• PWA
• Sentinel Client
• Sentinel Server
• Sky Fortress
Contoso Requirements
IT Administrator
• General Administrator
• Handles AD, networking, SharePoint administration
Business Analyst
• PMs of the company
• Need to oversee all projects
Developer/Test Lead
• Handle task assignments
• Need to understand what their counterparts are doing
Developer/Tester
• See the work they have to do
• Share designs/documentation/project collateral
Marketing and Sales
• Wants to know what is going on so they can give feedback to the customers
Executive
• Wants to see the big picture
• Doesn't know what is going on at the lower levels, so provide restricted access
PMO Security Fundamentals
PMO Security Boundaries
• What You Can See
• What You Can Do
Security Strategies
• SharePoint Permissions (simplest)
• Project Permissions (flexible)
• Use default out-of-box permissions and sync AD groups
• Adjust permissions groups and categories as needed
• Add additional groups and categories
• Manage security based on RBS
• Manage projects and resources into categories
Simplest / Small PMO
Complex / Large PMO
PWA Security Model Relationship
[Diagram relating Users, Groups and Categories, where each Category covers Projects and Resources]
SharePoint Permission Project Permission
SharePoint Site Permissions Levels
• Full Control
• Design
• Contribute
• Read
Categories associated with Default Groups (Project Server)
Groups (table columns): Administrators, Portfolio Managers, Portfolio Viewers, Project Managers, Resource Managers, Team Leads, Team Members
Categories (table rows, under "Category Name"): My Direct Reports, My Organization, My Projects, My Resources, My Tasks
Default Group Permissions
Administrators
• Site Permission Level: Full Control
• Users have all global permissions as well as category permissions through the My Organization category. This allows them complete access to everything in Project Web App.
Portfolio Managers
• Site Permission Level: Design and Manage Sub Sites
• Users have permissions to view Project Online data. This group is intended for high-level users who need visibility into projects but are not themselves assigned project tasks.
Portfolio Viewers
• Site Permission Level: Contribute
• Users have permissions to view Project and Project Web App data. This group is intended for high-level users who need visibility into projects but are not themselves assigned project tasks.
Project Managers for PWA
• Site Permission Level: Design and Manage Sub Sites
• Users have permissions to create and manage projects. This group is intended for project owners who assign tasks to resources.
Resource Managers
• Site Permission Level: Design
• Users have most global and category-level resource permissions. This group is intended for users who manage and assign resources and edit resource data.
Team Leads
• Site Permission Level: Contribute
• Users have limited permissions around task creation and status reports. This group is intended for persons in a lead capacity that do not have regular assignments on a project.
Team Members
• Site Permission Level: Contribute
• Users have general permissions for using Project Web App, but limited project-level permissions. This group is intended to give everyone basic access to Project Web App.
Project Server 2013 Architecture
[Architecture diagram. Tiers: WFE, App, SQL. Clients: Project Professional 2013, 3rd party on-premises applications, SharePoint Apps, PowerShell, Browser. Components shown: ASPX Pages, Web Services, WCF Endpoints, CSOM, OData, Forwarder, Business Objects, Eventing, Queue, PCS, Workflow, Event Receiver, Azure Workflow, cubes. Databases: SharePoint (content, config), Project (archive, dbo, publish, draft).]
Where do I get the users from? (On Premise)
[Diagram: Active Directory (User/Groups), Project Professional 2013, Browser, SharePoint, Project Server, Exchange]
Where do I get the users from? (On Premise and Office 365)
[Diagram: Active Directory (User/Groups) under both On Premise and Office 365, Directory Sync, SharePoint Online, Project Online, Exchange Online, Project Professional 2013, Browser]
Permission Modes Differences
SharePoint vs Project Permission Mode
SharePoint
• User Management + Permissions controlled through SharePoint
• Simple Permission Model
• Easy to use AD Group/Custom Claims
Project
• Permissions controlled through Project Server
• Allows Resource Delegation (Impersonation)
• Allows RBS-driven security
• Customize specific user/group security
• Complex + Flexible
SharePoint Permission Mode Groups
Sync: SharePoint Group | Project Group
• Administrators for Project Web App | Administrators
• Portfolio Managers for Project Web App | Portfolio Managers
• Portfolio Readers for Project Web App | Portfolio Readers
• Project Managers for Project Web App | Project Managers
• Team Member for Project Web App | Team Member
• Team Leads for Project Web App | Team Leads
• Resource Manager for Project Web App | Resource Manager
Project Permission Mode Groups
SharePoint Group | Project Group
• Administrators for Project Web App | Administrators
• Portfolio Managers for Project Web App | Portfolio Managers
• Portfolio Readers for Project Web App | Portfolio Readers
• Project Managers for Project Web App | Project Managers
• Team Member for Project Web App | Team Member
• Team Leads for Project Web App | Team Leads
• Resource Manager for Project Web App | Resource Manager
Sync
Project Server
• Job: Synchronization of SharePoint Server permissions to Project Web App permissions job for Project Service Application
• Every minute by default
Project Online
• Every minute
SharePoint Permission Synchronization
Project Permission
• Calculates amount of change
• Small changes occur immediately
• Large changes are queued for later time
User Profile Sync
Changing Permission Mode
• Project Permission Mode, SharePoint Permission mode
• Destructive action
• SharePoint groups will override all Project Server permissions
Changing Permission Mode using Project Online
Changing Permission Mode on Premise
PowerShell
    # Switch the PWA instance to Project Server permission mode
    Set-SPProjectPermissionMode -URL "http://domain/PWA" -AdministratorAccount "domain\AdminAccount" -Mode ProjectServer

    # Switch the PWA instance to SharePoint permission mode
    Set-SPProjectPermissionMode -URL "http://domain/PWA" -AdministratorAccount "domain\AdminAccount" -Mode SharePoint
SharePoint Permission Mode
SharePoint Permission Mode PWA Groups
Sync: SharePoint Group | Project Group
• Administrators for Project Web App | Administrators
• Portfolio Managers for Project Web App | Portfolio Managers
• Portfolio Readers for Project Web App | Portfolio Readers
• Project Managers for Project Web App | Project Managers
• Team Member for Project Web App | Team Member
• Team Leads for Project Web App | Team Leads
• Resource Manager for Project Web App | Resource Manager
SharePoint Permission Mode
SharePoint Project Site Groups
• Visitors
• Members
• Owners
Project: Heavy Galaxy
• SharePoint Group: Heavy Galaxy Visitors
• SharePoint Group: Heavy Galaxy Members
• SharePoint Group: Heavy Galaxy Owners
SharePoint Group Sync
[Diagram: "Team Member for Project Web App" and "Team Member" joined by Sync; member types shown on each side: AD Users, AD Groups, Windows Group, Forms-based, Custom]
Contoso SharePoint PWA Assignments
• Administrators: Domain Admin
• Portfolio Managers: Business Analyst
• Portfolio Viewers: Executive, Marketing/Sales
• Project Managers: Engineering leads
• Resource Managers: Engineering leads
• Team Members: Domain Users
Contoso SharePoint Site Collection Assignments
Sentinel Client
• Owners: Business Analyst
• Members: Client Developers, On-Premise Testers
• Visitors: Engineering leads, Marketing/Sales
Sentinel Server
• Owners: Business Analyst
• Members: Server Developers, On-Premise Testers
• Visitors: Engineering leads, Marketing/Sales
Sky Fortress
• Owners: Business Analyst
• Members: Online Developers, Online Testers
• Visitors: Engineering leads, Marketing/Sales
Contoso Changes
• Iris Carr: Owner
• Amelia Wade: Lead BA
• Joseph Pettis: BA
• Melvin McDowell: Lead Client Developer
• Martha Ramirez: Developer
• Toni Hunt: Developer
• Elsa Barber: Developer
• Billy Hatley: Server Developer Lead
• Earl Ramsay: Developer
• Lourdes Moss: Developer
• Clyde Stitt: Developer
• Helene Goodman: Online Developer Lead
• Dwight Slattery: Developer
• Joni Wong: Developer
• Angel Chau: Developer
• Clyde Stitt: Developer
• Marvin Overby: Test On-Premise Lead
• Clifton Mahaffey: Tester
• Mayra Collier: Tester
• Terrance Markley: Tester
• Rodolfo Wooley: Test Online Lead
• Rufus Moorman: Tester
• Gabrielle Glenn: Tester
• Wilfred Lew: HR
• Josh Gower: Marketing/Sales Lead
• Simone Peck: Marketing/Sales
• Aarif Maalouf: Marketing/Sales
• Hugo Stonge: IT
Demo: Syncing in SharePoint Permission Mode
Deep Dive Project Permissions
Determining Security Mode
• SharePoint Permissions (simplest)
• Project Permissions (flexible)
• Use default out-of-box permissions and sync AD groups
• Adjust permissions groups and categories as needed
• Add additional groups and categories
• Manage security based on RBS
• Manage projects and resources into categories
Simplest / Small PMO
Complex / Large PMO
Server Settings / Project Premise
Out-of-Box Security for Project Premise
[Diagram: Users assigned to groups (Portfolio Managers, Project Managers, Team Members, Resource Managers), each linked to categories (My Organization, My Projects, My Resources, My Tasks) that cover Projects and Resources]
Global Permissions
Category Permissions
A permission is the authority to perform a specific action within the context of Project Server.
Global Permissions grant users and groups the ability to perform actions throughout PWA and are assigned to a group or user.
Category Permissions grant users and groups the ability to perform actions on specific projects and resources and are assigned on a category level.
Enabling and Disabling Permissions
ALLOW
• Check to Enable
• Uncheck to Disable
DENY
• Check to Disable Everywhere
• Uncheck to ignore
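The Allow/Deny rule above, worked through as an added example (not part of the original deck and not Project Server code): a simplified Python model of how a user's effective permission resolves across several groups, with a helper that lists every checked DENY for review. The "Restricted" group, the "Cloud Only" category, the "Open Project" permission name and the rule that a category-level DENY only affects projects in that category are assumptions made for illustration.

```python
from dataclasses import dataclass, field

ALLOW, DENY = "allow", "deny"  # an unchecked box is simply absent from the dict

@dataclass
class Category:
    name: str
    projects: frozenset  # projects this category contains

@dataclass
class Group:
    name: str
    global_perms: dict = field(default_factory=dict)  # permission -> ALLOW/DENY
    categories: list = field(default_factory=list)    # [(Category, {permission: ALLOW/DENY})]

def _resolve(states):
    """A single DENY wins; otherwise at least one ALLOW is required."""
    states = list(states)
    return DENY not in states and ALLOW in states

def has_global(groups, perm):
    return _resolve(g.global_perms.get(perm) for g in groups)

def has_category(groups, perm, project):
    # Assumption: a category-level DENY only affects projects in that category.
    return _resolve(perms.get(perm) for g in groups
                    for cat, perms in g.categories if project in cat.projects)

def deny_entries(groups):
    """Audit helper: every DENY box that is checked, as (group, scope, permission)."""
    found = [(g.name, "(global)", p) for g in groups
             for p, s in g.global_perms.items() if s == DENY]
    found += [(g.name, cat.name, p) for g in groups
              for cat, perms in g.categories
              for p, s in perms.items() if s == DENY]
    return found

# Constructed sample data, loosely following the Contoso scenario.
MY_ORG = Category("My Organization",
                  frozenset({"Sentinel Client", "Sentinel Server", "Sky Fortress"}))
CLOUD_ONLY = Category("Cloud Only (hypothetical)", frozenset({"Sky Fortress"}))
ENG_LEADS = Group("Engineering leads", {"New Project": ALLOW},
                  [(MY_ORG, {"Open Project": ALLOW})])
TEAM_MEMBERS = Group("Team Members", {}, [(MY_ORG, {"Open Project": ALLOW})])
RESTRICTED = Group("Restricted (hypothetical)", {"New Project": DENY},
                   [(CLOUD_ONLY, {"Open Project": DENY})])

if __name__ == "__main__":
    user = [ENG_LEADS, RESTRICTED]  # a lead who was also added to the DENY group
    print(has_category(user, "Open Project", "Sky Fortress"))     # denied by RESTRICTED
    print(has_category(user, "Open Project", "Sentinel Client"))  # still allowed
    print(has_global(user, "New Project"), deny_entries(user))
```

One extra group membership carrying a DENY silently removes access that another group grants, which is why the audit helper lists every checked DENY by group and scope.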
Permissions that may get changed
Project Manager Roles
• Delete Project
• New Project
• Save Project Template
• Manage Rules
Resource Manager Roles
• Log on Project Server from Project Professional
Team Member Roles
• Create New Task or Assignment
• Self-Assign Team Tasks
• Reassign Task
Contoso Security Model
Users
• Administrators: My Organization (Project / Resources)
• Marketing/Sales: My Organization (Project / Resources)
• Business Analyst: My Organization (Project / Resources)
• Engineering Leads (Project Managers and Resource Manager): My Organization (Project / Resources)
• Team Members: My Organization (Project / Resources)
• Resource Managers: My Organization (Project / Resources)
• Executive: My Organization (Project / Resources)
Demo: Create Project Group
• Create New Group
• Add Categories and Set Permissions
• Assign Group to a User
Designing Security and Best Practices
Putting it all together
• Build Team to Define Security Requirements
• Gather Security Requirements
• Design and Build Security Model
• Test Security Design
• Rollout Security
Best Practices
• Use AD Groups for Group Syncing
• Assign user to Project Groups or SP Groups
• Set permissions on Groups (not Users)
• Do not add categories to users
• Do not use the DENY permissions
Feature | SharePoint Permission | Project Server
Use a single set of security groups across Project Web App and SharePoint Server. *
Permissions inheritance for PWA and Project Sites *
Direct authorization against Active Directory security groups *
Claims-based authorization * *
Manage authorization by role-based groups * *
Extensible and customizable * *
User delegation *
Ability to secure work resources *
Impersonation *
Security filtering using the Resource Breakdown Structure *
Custom Security Categories *
Summary of Permission Mode
Questions
Thank You
Michael Wharton, Nadin Merali
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Design and Build Security Model
• SharePoint Permissions (simplest)
• Project Permissions (flexible)
• Use default out-of-box permissions and sync AD groups
• Adjust permissions groups and categories as needed
• Add additional groups and categories
• Manage security based on RBS
• Manage projects and resources into categories
Simplest / Small PMO
Complex / Large PMO