Project Server and SharePoint Server security
Applies to: SharePoint Server 2010, Project Server 2010
Topic Last Modified: 2011-11-18
Microsoft Project Server 2010 is completely dependent on Microsoft SharePoint Server 2010 to support its user interface and farm topology. Security at the authentication level is tightly integrated between Project Server 2010 and SharePoint Server 2010, whereas user and group authorization is handled separately by Project Server 2010. When a project is published, if the server was configured to enable it, a project workspace site is created. You can configure Project Server 2010 to automatically synchronize Microsoft Project Web App (PWA) users with Project sites when they are created, when projects are published, and when user permissions change in PWA.
When you do this, users who have been added to the project or who have been granted Manage SharePoint Foundation permission in Project Server 2010 are added to at least one of four SharePoint Server 2010 groups:
Web Administrator (Microsoft Project Server) Users who have Manage SharePoint Foundation permission in Project Web App and are contributors to the project workspace site, meaning that they can create and edit documents, issues, and risks.
Project Managers (Microsoft Project Server) Users who have published this project or who have Save Project permission in Project Web App and are contributors to the project workspace site, meaning that they can create and edit documents, issues, and risks.
Team members (Microsoft Project Server) Users who have assignments in this project in Project Server 2010 and are contributors to the project workspace site, meaning that they can create and edit documents, issues, and risks.
Readers (Microsoft Project Server) Users who have been added to this project in Project Server 2010, but not assigned to tasks.
Project Server 2010 groups and SharePoint Server 2010 are synchronized when a project is published (assuming that the auto synchronize option is enabled) or the administrator selects a project workspace site on the Project Workspaces page and then clicks Synchronize.
Additional Project Server permissions that govern SharePoint Server 2010 access are as follows:
Log on Denies or allows user access to the Project Web App site and to project workspace sites.
View Project Workspaces Category permission that denies or allows user access to projects in the category.
Create object links Category permission that denies or allows user ability to create links between SharePoint Server 2010 objects and tasks.
There might be a circumstance where you want to grant people who are not members of the project access to the project workspace site. Anyone assigned to the Web Administrator group can create new users for a project workspace site. In addition to the four groups that were mentioned earlier, there are four default SharePoint Server 2010 groups. They are as follows:
Full Control Has all personal, site, and list permissions.
Design Can edit lists, document libraries, and pages in the Web site.
Contribute Can view pages and edit list items and documents.
Read Can view pages, list items, and documents.
Project workspace security groups are equal to the SharePoint Server 2010 security groups.
Web Administrator equals Full Control
Project Managers equals Design
Team members equals Contribute
Readers equals Read