Security Best Practices for Project Online & Project Server 2013 in Project Permissions-Mode

What are the best practices for setting up and administering security in Project Online and Project Server 2013 when using Project permissions mode?

Following are some general security best practices for Project Online & Project Server 2013:

  • Use Active Directory synchronization for ease of administration.
  • Don't change the existing groups; create your own custom groups instead.
  • Don't delete the default groups (which carry predefined permissions), even though it is possible.
  • It is highly recommended to avoid using explicit Deny permissions at all.
  • Leave all Project Web Access permissions set to Allowed and available in your Project Web Access instance.
  • All Global Permissions can be set at either the User or the Group level. For ease of management, always set permissions at the Group level.
  • Users can belong to multiple Groups.
  • Create new Groups as needed for your organization.
  • Create new security templates as needed for your organization, but leave the default security templates unchanged so the original default settings stay easy to get back to.
  • Don't associate individual users with a Category. Instead, associate Categories with Groups.

You can use custom security Groups in conjunction with RBS to provide users the access required.

RBS Basics:

  • The Resource Breakdown Structure (RBS) is a method of hierarchically organizing users in Project Server.
  • The RBS hierarchy can be used to determine which projects and resources users have access to.
  • Use the access needs and requirements of your organization to determine the structure of the RBS.
  • RBS values are used by the dynamic filtering options within Categories to determine which projects and resources a user can access within Project Server.
  • What actions a user can take with the projects and resources they have access to is determined by the Category permissions that the user has.
  • For RBS filtering to work correctly, you need to assign an RBS value to each user; a user without an RBS value will not match any RBS-based filter.
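The following is an added, simplified model (not code from the original post or from Project Server) of how the pieces above fit together: an RBS tree, Categories whose dynamic filter compares the project owner's RBS node with the user's, and Groups that carry those Categories. The RBS nodes, users, projects and the two filter rules are constructed for illustration; Project Server's real filter options and permission names are richer than this.

```python
# Added example (not from the original post): a simplified, constructed model of
# how RBS values, Category dynamic filters and Group membership combine.
RBS_PARENT = {  # RBS node -> parent node (None marks the root)
    "CEO": None, "PMO": "CEO", "IT": "CEO", "IT.Infra": "IT", "IT.Apps": "IT",
}

def is_descendant(node, ancestor):
    """True if node equals ancestor or lies beneath it in the RBS tree."""
    while node is not None:
        if node == ancestor:
            return True
        node = RBS_PARENT[node]
    return False
# Users carry an RBS value (None = not assigned) and Group memberships.
USERS = {
    "alice": {"rbs": "IT", "groups": {"Resource Managers"}},
    "bob":   {"rbs": "IT.Infra", "groups": {"Project Managers"}},
    "carol": {"rbs": None, "groups": {"Resource Managers"}},
    "dave":  {"rbs": "PMO", "groups": {"Project Managers", "Resource Managers"}},
}
PROJECTS = {"Network Refresh": "bob", "HR Portal": "dave"}  # project -> owner
# A Category = one dynamic filter plus the Category permissions it grants;
# Categories are associated with Groups, never with individual users.
CATEGORIES = {
    "My Organization": ("owner_below_user", {"Open Project", "Save Project"}),
    "My Projects": ("owner_is_user", {"Open Project", "Save Project", "Delete Project"}),
}
GROUP_CATEGORIES = {"Resource Managers": {"My Organization"},
                    "Project Managers": {"My Projects"}}

def filter_matches(rule, user, owner):
    """Evaluate a Category's dynamic filter for one user/project-owner pair."""
    if rule == "owner_is_user":
        return user == owner
    if rule == "owner_below_user":
        user_rbs = USERS[user]["rbs"]
        # A user with no RBS value matches no RBS-based filter at all.
        return user_rbs is not None and is_descendant(USERS[owner]["rbs"], user_rbs)
    raise ValueError(f"unknown filter rule: {rule}")

def effective_permissions(user, project):
    """Union of Category permissions the user gets on the project via Groups."""
    owner, perms = PROJECTS[project], set()
    for group in USERS[user]["groups"]:
        for cat in GROUP_CATEGORIES[group]:
            rule, cat_perms = CATEGORIES[cat]
            if filter_matches(rule, user, owner):
                perms |= cat_perms
    return perms
```

Note that carol, who has no RBS value, gets nothing on any project even though her Group carries a Category, which is exactly the failure mode the last bullet above warns about.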

Figuring out how to set up the RBS and grant the necessary permissions to your users in Project Server/Online is basically a three-step analysis of what you want your users to be able to access and do:

  • STEP 1: What do you want Project Online users to be able to do?
  • STEP 2: How will you set up the RBS? When you look at your company's organization structure, the question you have to answer with regard to the RBS is: what do these people need access to?
  • STEP 3: Then figure out how you will grant the necessary permissions for users to accomplish that.

I highly recommend that anyone planning to work on security design for Project Server/Online read the following TechNet article and watch the excellent brief training videos it references:

Plan groups, categories, and RBS in Project Server 2013
https://technet.microsoft.com/en-us/library/cc197354(v=office.15).aspx