Security issue with Project Manager group when publishing with PSI RRS feed

  • Question

  • Hi,

    I am using PSI to publish projects bringing data from a LOB app using web services in Project Server 2010. 

    Using an app running in background, it reads from a transition database, save and publish the projects using a project template running on a service account, which is an Administrative account in Project Server. After a successful publishing it changes the owner of the project to a Project Manager group account. If the category of this group does not allow to see all projects, the publish process now fails. If you allow, it publishes successfully.

    Initially we thought that the PM group needed to have administrative rights, but I started to strip out the permissions until only the 'View all present and future projects' option remained in the My Projects category (the only category associated with the PM group). It seems that in Project Server 2007 it was not necessary to enable this option. For me this is a security issue, because not all customers will allow their PMs to see all projects.

    Did anybody face this problem?

    Best regards.

    Monday, March 14, 2011 4:08 PM

Answers

  • Hi Ricardo,

    there seems to be a misunderstanding. (maybe the same I had with George?)

    My idea: you create your group "Temp PM" once (manually).

    Whenever you create a new project with PSI you are doing all the following steps within your code: add your future project owner to the "Temp PM" group, create the project, change the project owner, publish, remove the project owner from "Temp PM". Membership is only needed for one step within your code.

    When you have just created your project, your new PO has no relation to this project at all, so you need him to be member of a group, allowed to do everything (at least save ;-)) for all current and future projects. Then you set him as PO and publish. Now he has a relation to this new project, granting permissions also by default Project Manager group and category My Projects. Remember, My Project defines permissions for "The User is the Project Owner or the User is the Status Manager on assignments within that Project". Therefore you can remove him from the "Temp PM" group at this point. Being member of "Temp PM" group is only necessary for changing him to PO, afterwards permissions are set by default group. So no need for any manual interaction from my point of view.

    However, no guarantee that it is feasible with PSI, but I think so.
    Regards
    Barbara

    • Marked as answer by R.Segawa Monday, April 11, 2011 5:18 AM
    Wednesday, March 30, 2011 3:13 AM
    Moderator
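    The sequence Barbara describes (temporary group membership, owner change, publish, membership removed again) is the kind of thing that should be wrapped so the removal happens even when the publish fails; otherwise a failed job leaves a project manager with permissions on all current and future projects. The following C# is an added example, not code from this thread or from George; it assumes PSI proxies generated into namespaces named SvcSecurity, SvcProject and SvcQueueSystem (as in the Project 2010 SDK samples), that the GroupMembers table of SecurityGroupsDataSet exposes WSEC_GRP_UID and RES_UID columns, that the Project table exposes a ProjectOwnerID column, and that the queue job is polled with GetJobCompletionState; treat those names as assumptions to check against the generated proxies.

```csharp
// Added example, not from the thread. Assumed: PSI proxy namespaces SvcSecurity,
// SvcProject, SvcQueueSystem; column names RES_UID, WSEC_GRP_UID, ProjectOwnerID.
using System;
using System.Linq;
using System.Threading;

public static class TempGroupOwnerChange
{
    // Runs 'work' while resourceUid is a member of groupUid ("Temp PM").
    // The finally block guarantees the membership is removed even if the
    // owner change or publish throws, so the elevated rights never linger.
    public static void WithTemporaryMembership(SvcSecurity.Security security,
        Guid groupUid, Guid resourceUid, Action work)
    {
        SvcSecurity.SecurityGroupsDataSet ds = security.ReadGroup(groupUid);
        bool alreadyMember = ds.GroupMembers.Any(m => m.RES_UID == resourceUid);

        if (!alreadyMember)
        {
            SvcSecurity.SecurityGroupsDataSet.GroupMembersRow row = ds.GroupMembers.NewGroupMembersRow();
            row.WSEC_GRP_UID = groupUid;   // assumed column name
            row.RES_UID = resourceUid;     // assumed column name
            ds.GroupMembers.AddGroupMembersRow(row);
            security.SetGroups(ds);
        }

        try
        {
            work();
        }
        finally
        {
            // Only undo what this call added; a permanent member stays a member.
            if (!alreadyMember)
            {
                ds = security.ReadGroup(groupUid);
                foreach (var m in ds.GroupMembers.Where(m => m.RES_UID == resourceUid).ToList())
                    m.Delete();
                security.SetGroups(ds);
            }
        }
    }

    // Check out, set the new owner, check in and publish, waiting for each
    // queue job so the temporary membership is still in place while they run.
    public static void ChangeOwnerAndPublish(SvcProject.Project project,
        SvcQueueSystem.QueueSystem queue, Guid projectUid, Guid newOwnerResUid)
    {
        Guid sessionUid = Guid.NewGuid();
        project.CheckOutProject(projectUid, sessionUid, "change owner");

        SvcProject.ProjectDataSet ds = project.ReadProject(projectUid, SvcProject.DataStoreEnum.WorkingStore);
        ds.Project[0].ProjectOwnerID = newOwnerResUid;   // assumed column name

        Guid jobUid = Guid.NewGuid();
        project.QueueUpdateProject(jobUid, sessionUid, ds, false);
        WaitForJob(queue, jobUid);

        jobUid = Guid.NewGuid();
        project.QueueCheckInProject(jobUid, projectUid, false, sessionUid, "change owner");
        WaitForJob(queue, jobUid);

        jobUid = Guid.NewGuid();
        project.QueuePublish(jobUid, projectUid, true, null);
        WaitForJob(queue, jobUid);
    }

    // Polls the queue until the job reaches a terminal state; throws on failure
    // so the caller's finally block still runs and the membership is removed.
    static void WaitForJob(SvcQueueSystem.QueueSystem queue, Guid jobUid)
    {
        string errorText;
        SvcQueueSystem.JobState state;
        do
        {
            Thread.Sleep(2000);
            state = queue.GetJobCompletionState(jobUid, out errorText);
        }
        while (state != SvcQueueSystem.JobState.Success
            && state != SvcQueueSystem.JobState.Failed
            && state != SvcQueueSystem.JobState.FailedNotBlocking
            && state != SvcQueueSystem.JobState.Canceled);

        if (state != SvcQueueSystem.JobState.Success)
            throw new InvalidOperationException("Queue job " + jobUid + " ended in state " + state + ": " + errorText);
    }

    // Usage: one batch entry, run under the service account.
    public static void ImportOne(SvcSecurity.Security security, SvcProject.Project project,
        SvcQueueSystem.QueueSystem queue, Guid tempPmGroupUid, Guid projectUid, Guid pmResUid)
    {
        WithTemporaryMembership(security, tempPmGroupUid, pmResUid,
            () => ChangeOwnerAndPublish(project, queue, projectUid, pmResUid));
    }
}
```

    Because the weekly batches put the same PM into the group repeatedly, the alreadyMember check matters: a PM who was deliberately made a permanent member of the group is left alone, and only memberships this code created are removed.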

All replies

  • Hi,

    I suggest applying the most recent CU. In December, there was a change which should help to resolve your issue:

    In Project Server 2010, you try to change the owner for a project in the Project Information Project Detail Page (PDP). However, you cannot change the project owner in the Owner field when the new owner does not have the Save permission on the project.

    This should help, since PSI relies on the same security concept.

    Hope that helps!
    Barbara

    Monday, March 14, 2011 4:29 PM
    Moderator
  • Thank you Barbara,

    I will test with the Dec CU. Later I will give a feedback for you.

    Best regards,

    Ricardo Segawa


    Best regards, Ricardo Segawa Segawas Projetos Microsoft Partner
    Thursday, March 17, 2011 2:39 PM
  • Hi,

    the workaround in Project Web App is to set project-specific permissions, to provide save permissions to the future project owner (Project Center - Project Permissions - New - ...). Not sure if this is also possible by PSI. I think the better long term solution is to get this fixed by a CU.

    Good luck!
    Barbara

    Thursday, March 17, 2011 2:54 PM
    Moderator
  • Hi Barbara,

    I installed the Dec 2010 CU and the problem remained.

    When I try to change the owner of a project from the Administrator group to the Project Manager group, unless the latter has see-all-projects rights in the My Projects category (remembering that the PM group is linked only to the My Projects category), it fails with the error message below.

    If I allow the PM group to see all present and future projects in the My Projects category, I can change the owner of the project successfully using PSI. But if I change to the option 'See only the projects below' with 'See only the projects managed by the PM' and those where he is a member of a project (I also tried to check all boxes when I choose the option 'See only the projects below'), it returns the following error message, which looks like a SQL connection problem. This message also appears for user accounts that are not a PM, for instance a Team Member or Executive, which are not allowed to save projects.

    System.Web.Services.Protocols.SoapException: Server was unable to process request. ---> System.Data.SqlClient.SqlException: A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server) at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection) at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj) at System.Data.SqlClient.TdsParser.Connect(ServerInfo serverInfo, SqlInternalConnectionTds connHandler, Boolean ignoreSniOpenTimeout, Int64 timerExpire, Boolean encrypt, Boolean trustServerCert, Boolean integratedSecurity, SqlConnection owningObject) at System.Data.SqlClient.SqlInternalConnectionTds.AttemptOneLogin(ServerInfo serverInfo, String newPassword, Boolean ignoreSniOpenTimeout, Int64 timerExpire, SqlConnection owningObject) at System.Data.SqlClient.SqlInternalConnectionTds.LoginNoFailover(String host, String newPassword, Boolean redirectedUserInstance, SqlConnection owningObject, SqlConnectionString connectionOptions, Int64 timerStart) at System.Data.SqlClient.SqlInternalConnectionTds.OpenLoginEnlist(SqlConnection owningObject, SqlConnectionString connectionOptions, String newPassword, Boolean redirectedUserInstance) at System.Data.SqlClient.SqlInternalConnectionTds..ctor(DbConnectionPoolIdentity identity, SqlConnectionString connectionOptions, Object providerInfo, String newPassword, SqlConnection owningObject, Boolean redirectedUserInstance) at System.Data.SqlClient.SqlConnectionFactory.CreateConnection(DbConnectionOptions options, Object poolGroupProviderInfo, DbConnectionPool pool, DbConnection owningConnection) at System.Data.ProviderBase.DbConnectionFactory.CreatePooledConnection(DbConnection 
owningConnection, DbConnectionPool pool, DbConnectionOptions options) at System.Data.ProviderBase.DbConnectionPool.CreateObject(DbConnection owningObject) at System.Data.ProviderBase.DbConnectionPool.UserCreateRequest(DbConnection owningObject) at System.Data.ProviderBase.DbConnectionPool.GetConnection(DbConnection owningObject) at System.Data.ProviderBase.DbConnectionFactory.GetConnection(DbConnection owningConnection) at System.Data.ProviderBase.DbConnectionClosed.OpenConnection(DbConnection outerConnection, DbConnectionFactory connectionFactory) at System.Data.SqlClient.SqlConnection.Open() at wsAIPro.DataSets.LogsTableAdapters.LogsTableAdapter.CadastraLog(Nullable`1 TipoLog, String ResumoLog, String ErroLog, Nullable`1 CodProjeto) in C:\Documents and Settings\Brasoftware\Desktop\AIPro_v04\wsAIPro\DataSets\Logs.Designer.cs:line 1649 at wsAIPro.BO_wsAIPro.Logs.CadastrarLog(Int32 TipoLog, String ResumoLog, String ErroLog, DateTime DataLog, Int32 CodProjeto, String NomeProjeto, String strEmail) in C:\Documents and Settings\Brasoftware\Desktop\AIPro_v04\wsAIPro\BO_wsAIPro\Logs.cs:line 18 at wsAIPro.BO_wsAIPro.Project_BO.CriaProjeto(String pProj_Uid, String pGuid_Template, String pNomeProjeto, String pDataInicio, String pDescricao, String pFase, String pHolding, String pNRO_PJ, String pProprietario, String pEquipe_EPM, String pContrato, String pID_PMO, String pRegional, String pTecnologia, String pUnidadeNegocio, String pGRUPO_PROJETO, String pEstado, String pProjeto_Id, String pNOMEPM) in C:\Documents and Settings\Brasoftware\Desktop\AIPro_v04\wsAIPro\BO_wsAIPro\Project_BO.cs:line 210 at wsAIPro.wsAIPro.CriaProjeto(String pProj_Uid, String pGuid_Template, String pNomeProjeto, String pDataInicio, String pDescricao, String pFase, String pHolding, String pNRO_PJ, String pProprietario, String pEquipe_EPM, String pContrato, String pID_PMO, String pRegional, String pTecnologia, String pUnidadeNegocio, String pGRUPO_PROJETO, String pEstado, String pProjectID, String 
pNOMEPM) in C:\Documents and Settings\Brasoftware\Desktop\AIPro_v04\wsAIPro\wsAIPro.asmx.cs:line 58 --- End of inner exception stack trace ---

    My explanation for this message is that if I did this process manually, a dialog box would appear in PWA, and as there is not any user response, the SQL connection times out (but manually it is not necessary to allow the PMs to see all projects, only in PSI). I think it is not a connection problem, because if I allow the PMs to see all projects, this error does not happen; therefore the connection is working.

    Looking at the Event Viewer, SQL logs and ULS logs, only the Project Server ULS log and the Event Viewer log contain this error message. In the other logs there are no errors.

    Any ideas?

    Ricardo Segawa


    Best regards, Ricardo Segawa Segawas Projetos Microsoft Partner
    Wednesday, March 23, 2011 1:48 PM
  • Hi Ricardo,

    seems that I missed your reply for some time. When notification re-started, there were quite a lot of e-mails, seemingly too many for me. Sorry.

    I am not sure what you did? Did I understand correctly:

    1. new project owner is member of Administrators group
    2. you change the owner of your project to this new owner
    3. you publish your project
    4. you remove user from Administrator group and keep him in Project Managers group

    Did I miss something or are you using different steps? You get this error at step #4?

    Regards
    Barbara

    Tuesday, March 29, 2011 5:56 AM
    Moderator
  • Hi Barbara,

    There is not any problem. I myself do not receive some of these notifications from the forums and I forget to take a look at them sometimes.

    Only the steps 1 to 3 are correct. The right description is:

    1. new project owner is member of Administrators group and the PSI publishes the new project at the first time in Project Server.
    2. The PSI code changes the owner of this project to this new owner which is a member of Project Manager group
    3. The PSI code republishes this project (here appears the error message)

    The new owner of step 2 belongs to the Project Manager group pointed to the My Projects category only (you can assume both are set to default settings). If the My Projects category cannot see all projects, I get the error in step 3.

    If I allow the My Projects category to see all projects, it works like a charm. It is not necessary for the owner to have all Administrator rights to make the code work.

    I also tried to use a Project Manager group member as an owner in step 1, without steps 2 and 3, but I got the same error.

    Any idea on how to find a workaround?


    Best regards, Ricardo Segawa - Segawas Projetos / Microsoft Partner

    Tuesday, March 29, 2011 7:07 PM
  • Hi Ricardo,

    I have an idea for a work around, with no idea if it does work:

    Preparation:

    • Make sure that your new project manager is member of default Project Manager group
    • Create a new group like "Temp PM". Add default category My Organization to this new group and set all permissions for project and resources to allow within this group for this category and global permissions with Project Manager template. This will grant all necessary permissions for all projects.

    Project creation:

    • Create your project with PSI
    • Add this PM to your new group with PSI (only temporarily)
    • Change ownership by PSI
    • Publish your project (PSI)
    • Remove Project Manager from your new group. This will remove permissions for all current and future projects. Since he is still member of default Project Manager group and now Project Owner, he will still have access to all projects.

    It is only an idea I had today, when reading another question. To be honest, this question made me look for the status of our discussion: http://social.technet.microsoft.com/Forums/en-US/project2010custprog/thread/9b206318-3841-4af3-aad9-27c0f6724ed8

    Regards
    Barbara

    Tuesday, March 29, 2011 7:18 PM
    Moderator
  • Thank you Barbara.

    In my case this workaround cannot be used (although your suggestion may work), because all this automation is to avoid PMO or Administrator manual intervention. The customer needs to import batches of hundreds of small projects, and each batch can have dozens of projects that belong to the same project manager each week. So I would not be able to remove the Project Manager from the "Temp PM" group due to the recurrent assignment as an owner week after week, project after project.

    Anyway, I will think of something using your suggestion until tomorrow and I will give you feedback if I find a workaround.

    Best regards,


    Best regards, Ricardo Segawa - Segawas Projetos / Microsoft Partner
    Tuesday, March 29, 2011 7:39 PM
  • Hi Barbara,

    I read that George did it successfully and I am contacting him to get some help.

    I was thinking of another approach. Since the problem is to allow the My Projects category to see all projects, I will try to give a temporary authorization to see all projects while the PMs get ownership of the projects, and at the end disable this right of the category to see all projects. I took a look at the Project SDK and I found something about changing and creating new Global permissions, but I need to take a more careful look at that to see how it works.

    Thank you.

    Best regards,


    Best regards, Ricardo Segawa - Segawas Projetos / Microsoft Partner
    Monday, April 4, 2011 3:38 PM
  • Hi Ricardo,

    this is a similar approach - or at least the effect is the same: give your future project owner full access to a project, make him an owner and change his permissions back to default. However, I think adding a user temporarily to an existing group (with the necessary permissions on category level) is less effort than changing category settings? Let's see if George will help you.

    Regards
    Barbara

    Monday, April 4, 2011 3:46 PM
    Moderator
  • Hi Barbara,

    You did it!

    Your suggestion worked using the code help from George.

    My suggestion to change the category became impossible due to the lack of examples in the PSI documentation, and the code from George was halfway to the solution.

    Now I am asking him to give me some hints to get the code more robust for a productive environment.

    So your reply is the answer.

    Thank you.


    Best regards, Ricardo Segawa - Segawas Projetos / Microsoft Partner
    Monday, April 11, 2011 5:26 AM