Group is able to edit the project and resources even if category associated with the group doesn't have the permission to edit

  • Question

  • Hi All,

    I am facing an issue with Project Server Online. There is a group of users, "PF viewer"; the requirement is that this group should only be able to view projects and resources, neither edit nor create new group and resources.

    The category associated with the group has only the below permissions related to Projects and Resources:

    Project:

    View Project summary in Project Center

    Resources:

    View Resource Data

    Manage Resources Delegates

    View Enterprise Resource Data

    The problem is that this "PF viewer" group is able to edit projects and resources even though they do not have the required permissions. This group is not able to create new projects and resources, but it can edit the existing projects\resources.

    If anyone has any idea, please lemme know. Any help will be greatly appreciated.


    Wednesday, March 30, 2016 9:04 AM

Answers

  • Hi Anuj,

    Take a look at the Global Permissions associated with this security group.  You might have accidentally checked an extra box in this area.  Follow the link below for an in-depth explanation of what each of the Global Permissions grants.

    https://technet.microsoft.com/en-us/library/cc197631.aspx

    Thanks,

    Jim


    Jim Project

    • Marked as answer by anuj astro Thursday, March 31, 2016 8:35 AM
    Wednesday, March 30, 2016 7:34 PM
  • Hi Anuj,

    If that's the case, then try creating a new group from scratch, give permissions one by one, and check in parallel the access rights that users belonging to this group have.

    For this existing 'PF Viewer', if you wish, you can run SQL against the Published database to check what global permissions this group has:

    -- One row per permission and group member: the allow/deny flags stored
    -- against the group's category relations (MSP_WEB_SECURITY_SP_CAT_*).
    -- LANG_ID 1033 selects the English (en-US) permission names.
    SELECT  WSG.WSEC_GRP_NAME AS [Group],
            CONV.CONV_STRING  AS Permission,
            WCP.WSEC_DENY     AS Denied,
            WCP.WSEC_ALLOW    AS Allowed,
            RES.RES_NAME      AS ResourceName
    FROM    MSP_WEB_SECURITY_GROUPS AS WSG
            INNER JOIN MSP_WEB_SECURITY_SP_CAT_RELATIONS   AS WSCR ON WSG.WSEC_GRP_GUID = WSCR.WSEC_SP_GUID
            INNER JOIN MSP_WEB_SECURITY_SP_CAT_PERMISSIONS AS WCP  ON WCP.WSEC_REL_UID = WSCR.WSEC_REL_UID
            INNER JOIN MSP_WEB_SECURITY_FEATURES_ACTIONS   AS SFA  ON SFA.WSEC_FEA_ACT_UID = WCP.WSEC_FEA_ACT_UID
            INNER JOIN MSP_WEB_CONVERSIONS                 AS CONV ON CONV.CONV_VALUE = SFA.WSEC_FEA_ACT_NAME_ID
            INNER JOIN MSP_WEB_SECURITY_GROUP_MEMBERS      AS GM   ON WSG.WSEC_GRP_GUID = GM.WSEC_GRP_GUID
            INNER JOIN MSP_RESOURCES                       AS RES  ON GM.WRES_GUID = RES.RES_SECURITY_GUID
    WHERE   CONV.LANG_ID = 1033
      AND   WSG.WSEC_GRP_NAME = 'PF Viewer'
    

    Hope it helps.

    Thanks,
    Ashish

    Mark it as answer if it helps.

    • Marked as answer by anuj astro Thursday, March 31, 2016 9:56 AM
    Thursday, March 31, 2016 8:50 AM
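
A way to review the result set of the query above against the permissions listed in the question (an added example, not part of the original posts). It assumes the rows were exported to CSV with the query's column names, and that a deny on a permission overrides any allow; the sample rows and user names are constructed.

```python
import csv
import io

# Permissions the question says the "PF viewer" category should carry.
EXPECTED = {
    "View Project summary in Project Center",
    "View Resource Data",
    "Manage Resources Delegates",
    "View Enterprise Resource Data",
}

# Constructed sample export of the query's result set (not real data).
SAMPLE_CSV = """Group,Permission,Denied,Allowed,ResourceName
PF Viewer,View Project summary in Project Center,0,1,Constructed User A
PF Viewer,View Resource Data,0,1,Constructed User A
PF Viewer,Edit Enterprise Resource Data,0,1,Constructed User A
PF Viewer,Save Project to Project Server,1,1,Constructed User A
PF Viewer,View Project summary in Project Center,0,1,Constructed User B
PF Viewer,Edit Enterprise Resource Data,0,1,Constructed User B
"""


def _flag(value):
    """Interpret a bit column exported as 0/1 or True/False."""
    return value.strip().lower() in {"1", "true"}


def unexpected_grants(csv_text, expected=EXPECTED):
    """Return {permission: sorted member names} for permissions that are
    allowed, not denied, and outside the expected view-only set."""
    expected_lower = {e.lower() for e in expected}
    allowed, denied = {}, set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        perm = row["Permission"].strip()
        if _flag(row["Denied"]):
            denied.add(perm)  # assumption: deny overrides allow
        if _flag(row["Allowed"]):
            allowed.setdefault(perm, set()).add(row["ResourceName"].strip())
    return {
        perm: sorted(members)
        for perm, members in allowed.items()
        if perm not in denied and perm.lower() not in expected_lower
    }


if __name__ == "__main__":
    for perm, members in unexpected_grants(SAMPLE_CSV).items():
        print(f"UNEXPECTED: {perm} -> {', '.join(members)}")
```

An empty result means the edit right is not coming from the rows the query returns, which points back to the other places the replies name: the group's Global Permissions and permissions assigned at the user level.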

All replies

  • Hi Anuj,

    I tried to reproduce the same scenario and it works fine for me. With the above given Project & Resources permissions on the category through the 'PF Viewer' group, this group is only able to view project summary details in Project Center, and when a user clicks on any project to edit, it gives an Access Denied error.

    For Resources, with only the above permissions, you would not be able to view resources in Resource Center unless you have given the 'View Resource Center' permission in the global permissions for the group. Once you apply the global permission, the group users will only be able to see the resources; clicking 'Edit Resource' would throw the message 'You do not have sufficient permissions to check out or update the selected resource'.

    I would suggest you go through your group and category once again and check if the permission to edit is coming from somewhere else.

    Thanks,

    Ashish

    Mark it as answer if it helps.

    Wednesday, March 30, 2016 3:54 PM
  • Hi Ashish,

    Thanks for the response. I have tried lots of times but am not able to find out from where the permission is coming.

    Can you please suggest what else can be done if I am unable to find out from where the permission is coming?

    Thanks again

    Wednesday, March 30, 2016 6:13 PM
  • Also, check that the permissions aren't assigned at the user level.

    Ben Howard [MVP]

    Wednesday, March 30, 2016 7:58 PM
  • Thanks Ashish,

    I created a new group from scratch

    Thursday, March 31, 2016 9:59 AM
  • Hope that worked for you.

    Thanks,

    Ashish

    Thursday, March 31, 2016 10:11 AM