dc440: security (part 2 of 2): logons, permissions and views - how these systems work and how to...

Post on 02-Jan-2016


DC440: Security (Part 2 of 2): Logons, permissions and views - how these systems work and how to manage them

Pradeep GanapathyRaj, Program Manager, Project, Microsoft Corporation

Approach

Short introduction

Let’s set up authentication

How does authentication work?

Let’s set some security permissions

How does authorization work?

What’s special in 2003?

How do you audit this?

How do we extend this?

Short Introduction

We depend on IIS authentication

Permissions control access to features and data

Project 2002/2003 security <> Windows access control (Project Server permissions are a separate model, not Windows ACLs)

Simplest tool for improving performance and scalability

Let’s set up authentication

How does auth work?

Login page used for each authentication type:

Authentication type   Internet Explorer page   Project page    Project Data Service page
Integrated            LGNINT.ASP               LGNINTPJ.ASP    LGNINTAU.ASP
Application           LGNPS.ASP                LGNPSPJ.ASP     LGNPSAU.ASP
Basic                 LGNBSC.ASP               n/a             n/a

Authentication Data flow (pages in the order the slide lays them out):

PreReq.asp / SesStart.asp
 -> one of the login pages
 -> Redirect.asp
 -> AuthLib.asp
 -> Session Manager
 -> PJSecurity.asp
 -> Session Manager
 -> MSPJLogonDone.asp
 -> dlEula.asp
 -> Download.asp OR Logoff_svr.asp
 -> AppStart Page

Let’s set some security permissions

Scenario

[Diagram: two organizations, each with its own Engineering, Marketing, Sales and General Manager groups: Engineering1, Marketing1, Sales1, General Manager1; Engineering2, Marketing2, Sales2, General Manager2]

Scenario Objectives

Resource managers can only assign/edit their own resources

Project managers can only edit their own projects

But both groups can see projects/resources in other organizations

GMs can view information in their organizations

Scenario – Updated Permissions

[Diagram: the same eight groups (Engineering1, Marketing1, Sales1, General Manager1; Engineering2, Marketing2, Sales2, General Manager2), now annotated with four R/O (read-only) access links]

Security Objects

Includes Projects, Resources, and Views

Must secure collections of objects = Categories

Can use security rules to auto-populate categories

Project Server ships with several pre-configured categories

Examples:

My Projects

My Resources

My Organization

External Access to Projects

External Access to Resources

Security Principals

Users

Groups: each group represents a common set of permissions on a common set of objects.

Project Server ships with several pre-configured groups.

Examples:

Project Managers

Resource Managers

General Managers

Permissions

Global and Object-Level Permissions

Three states: Allow, Deny, Not-Allowed

Allow permissions are ORed

Deny permissions are ANDed

Can be defined in Users, Groups, or Category pages

Examples:

R/W access to my projects and my resources

Read access to projects and resources in other groups
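Worked example, added here and not code from the deck or from Project Server, modelling how the three permission states recorded on users, groups and categories combine into one effective answer. The users, groups, categories, objects and permission names are constructed sample data, and the model assumes that a Deny recorded anywhere overrides an Allow recorded anywhere, which is the reading of "Allow permissions are ORed, Deny permissions are ANDed" that the example follows.

```javascript
// Added illustrative model (not Project Server code) of how Project Server
// 2002/2003 resolves a permission from Allow / Deny / Not-Allowed settings
// held on users, groups and categories. Assumption: a Deny found anywhere
// overrides an Allow found anywhere.

const ALLOW = "Allow";
const DENY = "Deny";
const NOT_ALLOWED = "Not-Allowed"; // neither box ticked

// Combine the states contributed by every user, group or category that
// applies. Allows are ORed: one Allow is enough. Denies are ANDed into the
// result: any Deny forces the final answer to Deny.
function combine(states) {
  if (states.includes(DENY)) return DENY;
  if (states.includes(ALLOW)) return ALLOW;
  return NOT_ALLOWED;
}

// Constructed sample directory. Global permissions sit on users and groups;
// object-level permissions sit on categories, which list the objects they
// cover and the principals (users or groups) they are granted to.
const directory = {
  users: {
    alice: { groups: ["ProjectManagers"], global: { "Log On": ALLOW } },
    bob: { groups: ["ProjectManagers", "Contractors"], global: {} },
  },
  groups: {
    ProjectManagers: { global: { "New Project": ALLOW } },
    Contractors: { global: { "New Project": DENY } },
  },
  categories: {
    "My Projects": {
      objects: ["ProjA"],
      principals: ["ProjectManagers"],
      permissions: { "Save Project": ALLOW },
    },
    "External Access to Projects": {
      objects: ["ProjA", "ProjB"],
      principals: ["ProjectManagers"],
      permissions: { "Open Project": ALLOW, "Save Project": NOT_ALLOWED },
    },
    // A Deny granted directly to one user wins over the group's Allow.
    "Frozen Projects": {
      objects: ["ProjA"],
      principals: ["bob"],
      permissions: { "Save Project": DENY },
    },
  },
};

// The principals a user acts as: the user itself plus every group it is in.
function principalsOf(dir, userName) {
  return [userName, ...dir.users[userName].groups];
}

// Global permission: gather the state from the user record and every group.
function effectiveGlobal(dir, userName, permission) {
  const user = dir.users[userName];
  const states = [user.global[permission] || NOT_ALLOWED];
  for (const g of user.groups) {
    states.push(dir.groups[g].global[permission] || NOT_ALLOWED);
  }
  return combine(states);
}

// Object-level permission: only categories that both contain the object and
// are granted to one of the user's principals contribute a state.
function effectiveObject(dir, userName, objectId, permission) {
  const mine = new Set(principalsOf(dir, userName));
  const states = [];
  for (const cat of Object.values(dir.categories)) {
    if (!cat.objects.includes(objectId)) continue;
    if (!cat.principals.some((p) => mine.has(p))) continue;
    states.push(cat.permissions[permission] || NOT_ALLOWED);
  }
  return combine(states);
}
```

The practical consequence for the scenario above is that a single Deny on the Contractors group blocks "New Project" for bob even though his Project Managers membership allows it, and a Not-Allowed in one category never cancels an Allow in another; only an explicit Deny does.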

Resource Breakdown Structure

Enterprise Resource Outline Code 30

Can be used just like ANY outline code

Leveraged by several security rules

Useful for granting access to objects based on the reporting structure in an organization – typically to functional managers

Scenario: use the organizational breakdown to define the look-up table for the RBS

Take advantage of field descriptions to reduce size of RBS
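Worked example, added here and not code from the deck or from Project Server, of a security rule that auto-populates a category from the RBS, covering both the "auto-populate categories" point under Security Objects and the RBS slide above. The resource names, the dot-separated RBS values and the two rules ("everyone below my node" and "direct reports") are constructed assumptions about how such a rule walks the outline code; what it shows is matching on whole outline levels rather than raw string prefixes, so that a value like "Org10.Sales" is never treated as part of "Org1".

```javascript
// Added illustrative model (not Project Server code) of an RBS-driven
// security rule that auto-populates a category. Assumptions: RBS values are
// dot-separated outline levels; the "My Organization" style rule takes every
// resource strictly below the manager's node, the "Direct Reports" style rule
// only the level immediately below it.

const SEP = ".";

// Constructed sample resources with RBS outline-code values, modelled on the
// two-organization scenario. "Org10.Sales" is included to show why a plain
// string-prefix test on "Org1" would be wrong.
const resources = [
  { name: "GM1", rbs: "Org1" },
  { name: "EngLead1", rbs: "Org1.Engineering" },
  { name: "Dev1", rbs: "Org1.Engineering.Dev" },
  { name: "Mkt1", rbs: "Org1.Marketing" },
  { name: "GM2", rbs: "Org2" },
  { name: "Eng2", rbs: "Org2.Engineering" },
  { name: "Sales10", rbs: "Org10.Sales" },
];

// Split an RBS value into its outline levels.
function levels(rbs) {
  return rbs.split(SEP);
}

// True when `rbs` lies strictly below `node` in the outline, at any depth.
function isBelow(rbs, node) {
  const r = levels(rbs);
  const n = levels(node);
  return r.length > n.length && n.every((part, i) => part === r[i]);
}

// True when `rbs` is exactly one level below `node`.
function isDirectChild(rbs, node) {
  return isBelow(rbs, node) && levels(rbs).length === levels(node).length + 1;
}

// "My Organization" style rule: every resource below the manager's RBS node.
function organizationOf(managerRbs, all = resources) {
  return all.filter((r) => isBelow(r.rbs, managerRbs)).map((r) => r.name);
}

// "Direct Reports" style rule: only resources reporting straight to the node.
function directReportsOf(managerRbs, all = resources) {
  return all.filter((r) => isDirectChild(r.rbs, managerRbs)).map((r) => r.name);
}

// Auto-populate a category for a named manager using one of the two rules.
function buildCategory(managerName, rule, all = resources) {
  const mgr = all.find((r) => r.name === managerName);
  if (!mgr) throw new Error("unknown resource: " + managerName);
  const members =
    rule === "direct" ? directReportsOf(mgr.rbs, all) : organizationOf(mgr.rbs, all);
  return { owner: managerName, rule, members };
}

// Deliberately naive variant for contrast: raw prefix matching leaks
// "Org10.Sales" into Org1's category.
function naivePrefixMatch(managerRbs, all = resources) {
  return all
    .filter((r) => r.rbs !== managerRbs && r.rbs.startsWith(managerRbs))
    .map((r) => r.name);
}
```

Because category membership is what gates which resources a manager can assign or edit, the level-aware comparison is the part worth getting right: the naive variant quietly widens a manager's reach whenever one RBS code is a textual prefix of another.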

Best Practices

Start with “least access”

Add users to groups, assign permissions to groups

Limit the number of categories

Leverage security rules whenever possible

Project 2003 Enhancements

Active Directory Integration

Auto-populate Project Server security group with AD security group

Auto-populate users with AD security group

New Permissions

Adjust Actuals, Approve Timesheets for Resources

Assign Resource to Team, Build Team for Project

Integration with External Timesheet System

Save Baseline

Project 2003 Enhancements

Category Enhancements

RBS View Filter

Direct Reports security rule

Audit tool

Extensibility

Re-use existing permissions or create your own

Add new pages to PWA and leverage permissions

Benefits

One user interface for Administrators

Leverage the in-the-box UI and security work

Skills required

ASP/VBScript/JScript

SQL

Reusing an Existing Permission

Add record for new page in MSP_WEB_SECURITY_PAGES

Find desired global permission in MSP_WEB_SECURITY_FEATURES_ACTIONS

Specify global permission as value for WSEC_PAGE_ACT_ID

Add record for new menu in MSP_WEB_SECURITY_MENUS

Using Your Own Global Permission

Add record for new permission: MSP_WEB_SECURITY_FEATURES_ACTIONS

Add permission name into string table: MSP_WEB_CONVERSIONS

Define SPROC for permission and add to QYLIBSTD.SQL

Add permission into Manage Organization page: MSP_WEB_SECURITY_ORG_PERMISSIONS

Create new page and reference new global permission

Using Object-Level Permissions

Use existing object-level permissions

In ASP, create Project Server security object:

    // JScript in an ASP page; ASP exposes COM objects through Server.CreateObject
    var oSec = Server.CreateObject("PjSvrSecurity.PjServerSecurity");
    // point the security object at the Project Server database
    oSec.setDBConnection(<Project Server name>);
    // ask whether the resource may exercise permission <PermID> on project <ProjID>;
    // the result is what the page acts on before rendering protected content
    var f = oSec.CheckSPObjectPermission(<resGUID>, <ProjID>, 1, <PermID>);

Using Object-Level Permissions

Use custom object-level permissions

Create object-level permission in the same way as a global permission, except: WSEC_ON_OBJECT value = 1

In ASP, check rights by calling the Project Server security object and the new SPROC

Resources

MSDN

Microsoft Project Server Security Architecture and Planning Guide

Microsoft Project Server Security Enhancements article and code samples

TechNet

Customizing and Administering Microsoft Project Server

Questions?

© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
