Project Server 2010: RBS antecedents not being granted Project Site permissions


Unfortunately there is a bug in Project Server 2010 that incorrectly removes, and/or does not apply permissions to users who should be entitled project site rights when a Project Site synchronisation happens (the action manually started from the Project Sites Server Settings page, or the action started after an AD group sync). The case when this occurs is for projects that fall into a security category that have the tick box “The Project Owner is a descendant of the User via RBS”. This is when you are trying to get Project Server users designated as ‘managers’ by the RBS structure to have access to something that a descendent user is owner of. The permissions apply without a hitch within PWA and the manager users can manage the project without issue. However, any permissions that should be applied to the Project’s Project Site are not. The user isn’t even added to the permissions list on the project site.

Example

Say there is a project owned by a user (Jerry) whose RBS value is “Corporate.PMO.PM”, and the project falls into a security category called “PMO descendant’s projects” where the “The Project Owner is a descendant of the User via RBS” tick box is selected. The “PMO Managers” group is assigned the “PMO descendant’s projects” security category and the permission “View Project Site” is given.

However, when Tom, a user with the RBS value “Corporate.PMO” and a member of the security group PMO Managers attempts to view the Project Site for this project – he is denied. Project Server has not applied project site permissions for any of the users that have the RBS value of “Corporate.PMO” or higher, despite any PWA/Project Center permissions that have been granted being applied correctly.

Solutions

  • This is a known bug that has not hit the support thresholds required to be hotfixed. Therefore it is unlikely to ever be fixed for 2010 and has existed since the 2007 product. If the next solution isn’t an option, check out the workarounds.
  • Upgrade to SharePoint 2013 as apparently it has been fixed (yet to be tested)

Workarounds

  • Modify an arbitrary value within the resources who should have the Project Site permission. This causes a sync against project sites correctly which puts the right permissions, based on RBS values, in place. Unfortunately as soon as the next project site sync happens, the permissions will be lost. However, if you disabled the Project Site sync action, you could write a script to do this with a script periodically or attached to a suitable event. Applying a change to all resources in your pool may take a while, so it might be wise for the script/code to filter down to active users or even better, to users who actually have RBS descendants.
  • Disable the project site sync actions and write your own code that runs periodically to apply permissions to the project sites.

Raw response from Microsoft

Issue Definition

When setting the security category with the option “The Project Owner is a descendant of the user via RBS”. The permissions applied to this security category work within PWA and allow the superiors of Project Owners to manage their projects, however the permission “View Project Site” does not seem to work as the superiors cannot even see the project site – they are given Access Denied.
The Problem is that users cannot access Project Sites. When a project manager publishes a project, users who are a part of the team, those who are status managers and so forth are added to the project site. If users are related solely via RBS, however, they are not automatically added to the site and therefore don’t get access to it.

Environment

Project Server 2010 SP1 with June 2012 CU running on top of SharePoint 2010 SP1 with June 2012
Operating System: Windows Server 2008 R2

Scope Agreement

As discussed this is a known product limitation. We can archive the case as soon as you tested the provided workaround to the product limitation.

If you do not agree with the scope defined above, or would like to amend it, please let me know as soon as possible. If you have any questions or concerns, please don’t hesitate to contact me.

Workarounds

In Project 2010, use the Project Permissions feature. Or, project managers can add users manually to the project. To do this, they can use the Build-team feature where they can filter on RBS equals the project owner’s and then add the returned set of users to the project.

or

  1. If you go to Manage Users and edit one of the resources and you change a property such as e-mail or initials and save and look at the users who have access to the site you will see that the user has now access to the site.
  2. But if you go to Server Settings – Project Sites and select the site for the project and click the Synchronize button the edited resource will be removed from the site permissions.

This is essentially what happens from Project Pro though once the user is added to the site (done via steps 1-2) a Project Pro publish won’t remove them from the site.


Geek, wanderluster, pochemuchka, wannabe-polyglot, photographer and UK-resident kiwi here for the travel.

Leave a Reply

Your email address will not be published. Required fields are marked *