DC440: Security (Part 2 of 2): Logons, permissions and views - how these systems work and how to manage them
Pradeep GanapathyRaj, Program Manager, Project, Microsoft Corporation
Approach
Short introduction
Let’s set up authentication
How does authentication work?
Let’s set some security permissions
How does authorization work?
What’s special in 2003?
How do you audit this?
How do we extend this?
Short Introduction
We depend on IIS authentication
Permissions control access to features and data
Project 2002/2003 security <> Windows access control (the two are separate models)
Simplest tool for improving performance and scalability
Let’s set up authentication
How does authentication work?
Login pages by authentication type:

Authentication type   Internet Explorer page   Project page    Project Data Service page
Integrated            LGNINT.ASP               LGNINTPJ.ASP    LGNINTAU.ASP
Application           LGNPS.ASP                LGNPSPJ.ASP     LGNPSAU.ASP
Basic                 LGNBSC.ASP               n/a             n/a
Authentication Data flow
(flow diagram; pages and components listed in slide order)
PreReq.asp
SesStart.asp
One of the login pages
Redirect.asp
AuthLib.asp
Session Manager
PJSecurity.asp
Session Manager
MSPJLogonDone.asp
dlEula.asp
Download.asp OR Logoff_svr.asp
AppStart Page
Let’s set some security permissions
Scenario
(diagram) Two organizations, each with Engineering, Marketing, Sales and a General Manager: Engineering1, Marketing1, Sales1, General Manager1; Engineering2, Marketing2, Sales2, General Manager2
Scenario Objectives
Resource managers can only assign/edit their own resources
Project managers can only edit their own projects
But both groups can see projects/resources in other organizations
GMs can view information in their organizations
Scenario – Updated Permissions
(diagram) The same eight roles (Engineering1, Marketing1, Sales1, General Manager1; Engineering2, Marketing2, Sales2, General Manager2), with four links marked R/O (read-only)
Security Objects
Includes Projects, Resources, and Views
Must secure collections of objects = Categories
Can use security rules to auto-populate categories
Project Server ships with several pre-configured categories
Examples:
My Projects
My Resources
My Organization
External Access to Projects
External Access to Resources
Security Principals
Users
Groups
Each group represents a common set of permissions on a common set of objects.
Project Server ships with several pre-configured groups.
Examples:
Project Managers
Resource Managers
General Managers
Permissions
Global and Object-Level Permissions
Three states: Allow, Deny, Not-Allowed
Allow permissions are ORed
Deny permissions are ANDed
Can be defined in Users, Groups, or Category pages
Examples:
R/W access to my projects and my resources
Read access to projects and resources in other groups
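The combination rules above, as an added worked example in JavaScript (not code from the deck or from Project Server): group, category and permission names are constructed, and Deny is modelled as a veto (any Deny wins), which is what ANDing each Deny into the result means. It also shows how a Deny in an overlapping category removes access that an Allow elsewhere granted, while Not-Allowed does not.

```javascript
// Added example (not from the deck): how the three permission states combine.
// Allow states are ORed, each Deny is ANDed in as a veto, and Not-Allowed is
// the silent default that never overrides anything. All names are constructed.
const ALLOW = "Allow", DENY = "Deny", NOT_ALLOWED = "Not-Allowed";

function combine(states) {
  if (states.includes(DENY)) return DENY;      // any Deny vetoes (Deny is ANDed in)
  if (states.includes(ALLOW)) return ALLOW;    // otherwise any Allow grants (ORed)
  return NOT_ALLOWED;                          // nobody said anything: no access
}

// Global permission: sources are the user's own page plus each group page.
function globalPermission(user, groups, perm) {
  const states = [user.perms[perm] || NOT_ALLOWED];
  for (const g of user.groups) states.push(groups[g].perms[perm] || NOT_ALLOWED);
  return combine(states);
}

// Object-level permission: sources are the category pages of every category that
// contains the object, as granted to each group the user belongs to.
function objectPermission(user, groups, categories, objectId, perm) {
  const states = [];
  for (const [catName, cat] of Object.entries(categories)) {
    if (!cat.objects.includes(objectId)) continue;
    for (const g of user.groups) {
      const grant = groups[g].categoryPerms[catName] || {};
      states.push(grant[perm] || NOT_ALLOWED);
    }
  }
  return combine(states);
}

// Constructed scenario: a project manager in organization 1. The external category's
// rule is assumed to match the manager's own project too, so the categories overlap.
const categories = {
  "My Projects":                 { objects: ["Eng1-Proj"] },
  "External Access to Projects": { objects: ["Eng1-Proj", "Mkt2-Proj"] },
};
// externalEditState is what the external category says about editing: DENY blocks
// editing the manager's own project through the overlap, NOT_ALLOWED does not.
function makeGroups(externalEditState) {
  return { "Project Managers": {
    perms: { "Log On": ALLOW },
    categoryPerms: {
      "My Projects":                 { "Edit Project": ALLOW, "View Project": ALLOW },
      "External Access to Projects": { "Edit Project": externalEditState, "View Project": ALLOW },
    },
  } };
}
const pm = { perms: {}, groups: ["Project Managers"] };
```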
Resource Breakdown Structure
Enterprise Resource Outline Code 30
Can be used just like ANY outline code
Leveraged by several security rules
Useful for granting access to objects based on the reporting structure in an organization – typically to functional managers
Scenario:
Use the organizational breakdown to define the look-up table for the RBS
Take advantage of field descriptions to reduce size of RBS
Best Practices
Start with “least access”
Add users to groups, assign permissions to groups
Limit the number of categories
Leverage security rules whenever possible
Project 2003 Enhancements
Active Directory Integration
Auto-populate Project Server security group with AD security group
Auto-populate users with AD security group
New Permissions
Adjust Actuals, Approve Timesheets for Resources
Assign Resource to Team, Build Team for Project
Integration with External Timesheet System
Save Baseline
Project 2003 Enhancements
Category Enhancements
RBS View Filter
Direct Reports security rule
Audit tool
Extensibility
Re-use existing permissions or create your own
Add new pages to PWA and leverage permissions
Benefits
One user interface for Administrators
Leverage the in-the-box UI and security work
Skills required
ASP/VBScript/JScript
SQL
Reusing an Existing Permission
Add record for new page in MSP_WEB_SECURITY_PAGES
Find desired global permission in MSP_WEB_SECURITY_FEATURES_ACTIONS
Specify global permission as value for WSEC_PAGE_ACT_ID
Add record for new menu in MSP_WEB_SECURITY_MENUS
Using Your Own Global Permission
Add record for new permission: MSP_WEB_SECURITY_FEATURES_ACTIONS
Add permission name into string table: MSP_WEB_CONVERSIONS
Define SPROC for permission and add to QYLIBSTD.SQL
Add permission into Manage Organization page: MSP_WEB_SECURITY_ORG_PERMISSIONS
Create new page and reference new global permission
Using Object-Level Permissions
Use existing object-level permissions
In ASP, create the Project Server security object and check the object-level permission (JScript; the <...> placeholders are the values your page supplies):
// Create the security COM object. The slide wrote CreateObject(...); in an ASP JScript page the call is Server.CreateObject.
var oSec = Server.CreateObject("PjSvrSecurity.PjServerSecurity");
// Point the object at the Project Server database
oSec.setDBConnection(<Project Server name>);
// Check whether resource <resGUID> holds permission <PermID> on project <ProjID>; the third argument is 1 as given on the slide
var f = oSec.CheckSPObjectPermission(<resGUID>, <ProjID>, 1, <PermID>);
Using Object-Level Permissions
Use custom object-level permissions
Create object-level permission in same way as global permission, except: WSEC_ON_OBJECT value = 1
In ASP, check rights by calling Project Server security object and new SPROC
Resources
MSDN
Microsoft Project Server Security Architecture and Planning Guide
Microsoft Project Server Security Enhancements article and code samples
TechNet
Customizing and Administering Microsoft Project Server
Questions?
© 2003 Microsoft Corporation. All rights reserved.This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.