none
Security Groups not working as planned RRS feed

  • Question

  • Hello,

    We have Project Server/Sharepoint 2010 running in a single server farm on Windows 2008 with SQL 2008.

    I'm getting confused about Security Groups.  When I make changes to the Security Template for a group, those permissions don't propagate to any of the members.  For instance, I have a user who's part of the Team Members group.  I go into the Security Template for Team Members, put a check in the box for 'Can be a delegate', 'Manage My Delegates' and 'Manage My Resources Delegates' under Resources, hit Save, and expect that when I go into this users profile in Resource Center, that I'll see those options checked...but I don't.  That user also cannot see those options under Personal Settings (all the delegate options).

    Only when I go into that users profile and check those 3 permissions, 'Can be a delegate', 'Manage My Delegates' and 'Manage My Resources Delegates' and hit Save, will she be able to see those options under Personal Settings.

    Am I missing something?  How else would these Security Groups work if they don't provide blanket permissions to the users that are part of them?

    Any help is greatly appreciated!

    Thanks,

    Andre

    Monday, June 11, 2012 7:29 PM

Answers

  • Andre,

    I spend a better part of a day teaching just this one topic.

    First, don't edit permissions at the user level. It'll only lead to tears and missing hair. There's a reason I'm wearing a hat in my picture. :-)

    Second, security templates are basically a partial backup of your security settings. Updating a security template doesn't change anything, no more than updating a Word template would update current documents based on that template. You have to go into the group and apply the template to make the security changes.

    You can always edit the groups directly but it's a good practice to have a gold copy of the configuration.

    Third, assuming you want to continue to use Security Templates, you will want to read this. The permissions you reference are Global permissions so you have less of a chance of creating a problem immediately. The following is a bigger concern if you want to modify the category permissions later on.

    Be aware, the security template contains both Global and Category permissions. You can choose which set of permissions to apply to a group or category. However, if you blindly apply category permissions from a security template from within the group, you can inadvertently screw up your security model.

    Many groups have a many to many relationship with the categories. This many to many relationship allows for flexible security configuration as groups represent the actions you can take as part of your role on a set of data and categories represent the dataset itself. Different combinations can yield different results. Category permissions are the specific permissions at the intersection of each group and category. Global permissions apply regardless of the dataset.

    For example, the Resource manager group is related to four categories. This is actually a good thing as there are four distinct sets of data that the RM manages and different permissions for each category. They may be able to view certain resources and edit others based on these relationships. So when it comes to category permissions, the intersections between group and category are important.

    When you apply a security template to Resource Managers, only one group-category relationship is represented. You are ok as far as applying group permissions but if you blindly apply category permissions, it's going to get ugly. If you use our RM example again, do you know which of the four default relationships are captured in the security template?

    Something to think about. Good luck and let us know if you have more questions.

    Treb Gatte

    • Proposed as answer by Axel Hammer Tuesday, June 12, 2012 2:21 PM
    • Marked as answer by Andre Janveaux Tuesday, June 12, 2012 2:25 PM
    Tuesday, June 12, 2012 12:22 AM
    Moderator
  • Hi Andre,

    If I understand the issue correctly, set the required permissions to the Groups (Manage Groups) and not the Templates (Manage Templates). Also the permissions wont appear as being set against the user (best practice not to set permissions directly against users) as the user is part of the group - the group has the permissions set.

    Thanks

    Paul


    Paul Mather | Twitter | http://pwmather.wordpress.com


    Monday, June 11, 2012 8:22 PM
    Moderator

All replies

  • Hi Andre,

    If I understand the issue correctly, set the required permissions to the Groups (Manage Groups) and not the Templates (Manage Templates). Also the permissions wont appear as being set against the user (best practice not to set permissions directly against users) as the user is part of the group - the group has the permissions set.

    Thanks

    Paul


    Paul Mather | Twitter | http://pwmather.wordpress.com


    Monday, June 11, 2012 8:22 PM
    Moderator
  • Andre,

    I spend a better part of a day teaching just this one topic.

    First, don't edit permissions at the user level. It'll only lead to tears and missing hair. There's a reason I'm wearing a hat in my picture. :-)

    Second, security templates are basically a partial backup of your security settings. Updating a security template doesn't change anything, no more than updating a Word template would update current documents based on that template. You have to go into the group and apply the template to make the security changes.

    You can always edit the groups directly but it's a good practice to have a gold copy of the configuration.

    Third, assuming you want to continue to use Security Templates, you will want to read this. The permissions you reference are Global permissions so you have less of a chance of creating a problem immediately. The following is a bigger concern if you want to modify the category permissions later on.

    Be aware, the security template contains both Global and Category permissions. You can choose which set of permissions to apply to a group or category. However, if you blindly apply category permissions from a security template from within the group, you can inadvertently screw up your security model.

    Many groups have a many to many relationship with the categories. This many to many relationship allows for flexible security configuration as groups represent the actions you can take as part of your role on a set of data and categories represent the dataset itself. Different combinations can yield different results. Category permissions are the specific permissions at the intersection of each group and category. Global permissions apply regardless of the dataset.

    For example, the Resource manager group is related to four categories. This is actually a good thing as there are four distinct sets of data that the RM manages and different permissions for each category. They may be able to view certain resources and edit others based on these relationships. So when it comes to category permissions, the intersections between group and category are important.

    When you apply a security template to Resource Managers, only one group-category relationship is represented. You are ok as far as applying group permissions but if you blindly apply category permissions, it's going to get ugly. If you use our RM example again, do you know which of the four default relationships are captured in the security template?

    Something to think about. Good luck and let us know if you have more questions.

    Treb Gatte

    • Proposed as answer by Axel Hammer Tuesday, June 12, 2012 2:21 PM
    • Marked as answer by Andre Janveaux Tuesday, June 12, 2012 2:25 PM
    Tuesday, June 12, 2012 12:22 AM
    Moderator
  • Thanks Paul,

    I didn't even see the Global Permissions option at the bottom of the Manage Groups screen...and it did the trick!  Thanks for the help!

    Andre

    Tuesday, June 12, 2012 2:24 PM
  • Hi Treb,

    You answered my next question about 'what's the point of Security Templates'.  From what you're saying, it sounds like I'm better off not touching the templates and just updating the groups directly.  Thanks for the information!

    Andre

    Tuesday, June 12, 2012 2:25 PM
  • Andre,

    They can be useful, but you have to set up additional templates, one for each Group-Category pairing. I find it helpful to have these when I have multiple admins for Project and someone accidentally modifies the group or category permission. It's an easy reset that's a bit more granular than the Admin backup of all permissions.

    --Treb

    Tuesday, June 12, 2012 6:43 PM
    Moderator