Categories in Project Server provide users access to resources and projects. There is a tendency that I have noticed in the field for people to try and get one category to give access to all the projects that a user might need access to within all the roles that user plays in the system. For example:
My Projects. Many administrators see this category and correctly assume that this is the category to which their project managers should belong. But then they try to set the permissions in the category so that it lets the project managers see not only the projects they manage but also the projects on which they are resources. This seems fine in theory but there is an important problem here. The permissions that the project managers need for the projects they manage "Open Project" and "Save Project" are generally more than you want to give a resource on a project. You want the PM to be able to these things on the projects they manage but NOT on projects where they are assigned as resources.
But if they have the permissions checked as shown above AND they have access to the projects listed below they will be able to take any project where they are assigned as resources into Project Pro and save changes made to the plan, even though they are not the project manager of that project.
The administrator of the this category over-thought the roles that project managers might fill. This admin tried to get the My Projects category to do more than one thing. A better solution would have been to ONLY check the first box in the My Projects category and then also assign the project managers that might be team members to a group that gave them access to a category where ONLY the second box was checked, giving them permissions to see projects where they are team members. This second category would NOT have the Open Project or Save Project permission.
You can have as many categories as you want, there is no limit. Make them single purpose\single role. If a person is going to fill multiple roles then associate them with multiple categories. If a person is a PM for some projects, a Resource Manager of some resources and also a team member then make sure they get associated with the My Projects, My Resources and My Tasks categories and that these categories are constructed so that they give access to ONLY the items that that specific role would need to see.
Think about Roles not about people when building your security model.
This is the very essence of the concept of having single categories. It *sounds* as if your PM2 is a memeber of a category that gives him permissions to edit projects that are assigned to resources he manages. If this is the case then this category is giving it's people too many permissions. It allows them to SEE these projects AND to edit them. It should let them see all these projects read only and then a 2nd category should allow them to see and EDIT a smaller number of projects (the ones they manage).
I will contact you offline to discuss this further.
Brian K
Posted by: Brian Kennemer | Wednesday, November 10, 2004 at 11:03 PM
My frustration with project server is that it doesn't seem to work well with a cross matrixed organization like mine. For example, pm1 (1.1) creates a project with resources (1.1.1) and also adds a resource from (1.2.1) now PM2 (1.2) comes along and he can now edit and save the project pm1 created.
I have tried several ways to work this out with custom groups and views and I haven't found a way around this. I really want to avoid directly assigning projects to categories.
Posted by: John | Wednesday, November 10, 2004 at 10:38 PM
Hi,
I totally agree on your comments but I think that it is not always possible.
When a PMO initializes a project plan and publish it to the project server, it is automatically considered as the project manager of the plan.
But when the PMO does not want to play that role but ask one of the resource assigned to this project plan to be the project manager, this resource can not manage the project.
Two reasons:
- As a team member he has no rights to manage the project plan,
- project server does not consider him as a project manager because he has not publish the project plan.
So I am obliged to check both boxes in the Project Category for example.
This is how we solved this problem but maybe there is another way to do it and to respect the single purpose rule of the category
Posted by: Pierre-Paul Desutter | Tuesday, September 07, 2004 at 01:24 AM