none
Issue with "Deny" in category permission to provide "Archive" feature RRS feed

Answers

  • Dear Larry,

    I'm using Project Online.

    I made a test yesterday on a demo tenant with a clean pwa, just to check the current situation and now, finally, it looks working fine for me.

    Here the steps:

    1. Mod Admin as "Admin" and LidiaH as "PM" (default groups in PWA Permission Mode).

    2. Created three projects with sample tasks ("Alpha" (Mod owner), "Beta" (LidiaH owner), "Charlie" (LidiaH owner).

    Here LidiaH is able to see in Project Center and in Project Pro two project "Beta" and "Charlie".

    3. Created a Category "Archive" selecting all the Views (at least those of the Project Center); selected the project "Charlie" to be included in the Category; flag "Deny" for all Category Permissions both in Project and Resources. 

    Here LidiaH is able to see in Project Center and in Project Pro only the project "Beta".

    Please let me know if this work for you and if I'm missed something in your requirement.

    Regards

    Daniele


    Daniele

    Sunday, July 2, 2017 11:49 AM

All replies

  • Hi Daniele,

    Did you unpublish all the tasks? Is there any remaining work on any tasks? Also ensure that the user is refreshing his browser pressing CTRL F5 for cleaning IE cache. See also if you have the same issue with other users.


    Hope this helps,


    Guillaume Rouyre, MBA, MVP, MCC |

    Monday, February 29, 2016 8:54 AM
    Moderator
  • Hi Guillaume and thank for your fast reply.

    I've the issue with a customer tenant, but I'm trying also in a demo environment to avoid configuration error.

    I'm trying with a project populated only with a single task not assigned.

    Sara Davis has permission to that project from some categories, but also the "deny" permission from the Archive category. SaraD is still able to access the project but i know that the deny should win over the allow permission.

    Do you agree?

    If you want i can give you access to my demo tenant (really empty just to test this).

    Thanks

    Daniele


    Daniele

    Monday, February 29, 2016 10:18 AM
  • Hi Daniele,

    Yes, let's do that! You can contact me via LinkedIn.


    Hope this helps,


    Guillaume Rouyre, MBA, MVP, MCC |

    Monday, February 29, 2016 10:43 AM
    Moderator
  • I think I see the issue.

    You have created the archive category, but it is associated with all the security groups (under the permissions section in the category settings). Thus all groups can access to this category. You have to create a non-admin group with all users except the admin, then associate the archive category with the deny permission to the non-admin group.

    Do that make sense to you?


    Hope this helps,


    Guillaume Rouyre, MBA, MVP, MCC |

    Monday, February 29, 2016 11:19 AM
    Moderator
  • Yes, it make sense (also aligned with the office guide).

    But, I thought it should work also assigning groups to that category. This because if i have an AD groups sync situation, i don't want to add the user both to the e.g. Project Manager group and to the Non-Admin group? right?

    But if you tell me that this is the issue, I try with direct assignment of user to a non-admin group.


    Daniele

    Monday, February 29, 2016 11:32 AM
  • Please Guillaume, check now with SaraD. The configuration now is with the non-admin group.
    SaraD now can see the project in Project Center but cannot access it also with an error page.
    I think the project shouldn't be visible in the Project Center.
    This is the same issue i found in the customer tenant.

    Daniele

    Monday, February 29, 2016 11:44 AM
  • Indeed I can confirm what you see, and I actually don't know why the project is still appearing in the project center. I even unpublish the tasks from Project Pro and lock them but still. I'll take a deeper look this afternoon if I get some time.

    Hope this helps,


    Guillaume Rouyre, MBA, MVP, MCC |

    Monday, February 29, 2016 12:01 PM
    Moderator
  • Ok, thanks.


    Daniele

    Monday, February 29, 2016 12:06 PM
  • Got it Daniele!

    You actually have to select in the category settings, views section, all the project center views. It tested it and it works. I think this is because the security settings of the category are applied baed on the selected views. So maybe you could back-test not to have a dedicated non-admin users group.


    Hope this helps,


    Guillaume Rouyre, MBA, MVP, MCC |

    Monday, February 29, 2016 12:48 PM
    Moderator
  • Great Guillaume,

    now it works also associating groups to categories.

    But it was a bit tricky to understand; so I have to select the views where I'm going to deny access to those specific projects?

    I thought views selection was only for view availability to that category... i remember different behaviour in Project Server, but maybe I'm wrong.

    I'll go for more deep testing with different cases.

    Thanks for your help

    Best regards

    Daniele


    Daniele

    Monday, February 29, 2016 1:47 PM
  • Ehi Guillaume,

    as I expected, there is something wrong.

    Now in the tenant i share with you: I'd like SaraD to access only the "Summary" project center view but the category Archive give SaraD still access to all the other views.

    Do I have to create a different category for each different availability of views... this doesn't look a good solution.


    Daniele

    Update: checked a Project Server 2013 environment.

    In the "Archived" category, groups works and views are not needed so I'm 90% sure that this is a bag.

    I think that is really strange no one has my same issue. How do others archive projects?

    Filters in views is not enough if you want to hide all projects also from Project Professional.


    Monday, February 29, 2016 2:29 PM
  • Indeed it is strange.. But I actually found the "views" trick on this same forum. So I think that this is either a bug (but I don't think so) or a difference in the views behavior versus security in Project Online. 

    Anyway I agree with you that it is still unclear and confusing. That being said, the view trick should do the job, since you want to make unaccessible the archvied projects, whatever the view selected in the project center.


    Hope this helps,


    Guillaume Rouyre, MBA, MVP, MCC |

    Monday, February 29, 2016 2:52 PM
    Moderator
  • Agreed about the visibility on PWA, but if you open the Project Professional the project is still accessible. So I think is not enough for a customer solution.

    I'll try to open a support ticket to Microsoft for clarification.

    Thanks for your help

    Ciao
    Daniele


    Daniele

    Monday, February 29, 2016 3:25 PM
  • Daniele, did you ever get a final solution for this issue?  I have this same issue with restricting projects. I found out (after a LOT of trying) that I can do this fine in an on-premise Project Server 2013, but the same configuration doesn't work in Project Online.  Are you using Project Online?  Thanks...Larry

    Larry Christofaro, PMP, MCITP

    Friday, June 30, 2017 6:29 PM
  • Dear Larry,

    I'm using Project Online.

    I made a test yesterday on a demo tenant with a clean pwa, just to check the current situation and now, finally, it looks working fine for me.

    Here the steps:

    1. Mod Admin as "Admin" and LidiaH as "PM" (default groups in PWA Permission Mode).

    2. Created three projects with sample tasks ("Alpha" (Mod owner), "Beta" (LidiaH owner), "Charlie" (LidiaH owner).

    Here LidiaH is able to see in Project Center and in Project Pro two project "Beta" and "Charlie".

    3. Created a Category "Archive" selecting all the Views (at least those of the Project Center); selected the project "Charlie" to be included in the Category; flag "Deny" for all Category Permissions both in Project and Resources. 

    Here LidiaH is able to see in Project Center and in Project Pro only the project "Beta".

    Please let me know if this work for you and if I'm missed something in your requirement.

    Regards

    Daniele


    Daniele

    Sunday, July 2, 2017 11:49 AM
  • Daniele, thank you for validating that it works.  I did EXACTLY what you, other blogs, and my on-premise instance has and it wasn't working.  I submitted a ticket (the reason this took so long to reply) did nothing but rename the category to match their instance, and it worked.  Don't know what happened, it's very frustrating, but all is working now as expected. Thanks again for your help...Larry

    Larry Christofaro, PMP, MCITP

    Tuesday, July 11, 2017 1:12 AM
  • Glad to be helpfull Larry!!

    Please be aware also about this now:

    https://social.technet.microsoft.com/Forums/projectserver/en-US/313b6a94-535a-4b3b-b6b4-11e0a1be95f9/inactive-task-shown-in-capacity-and-demand-how-to-solve?forum=projectprofessional2010general

    Regards

    Daniele


    Daniele

    Thursday, July 13, 2017 3:14 PM