I created a new Project Server 2010 group "Project Manager 1" using the Project Manager template to define global permissions.
I synchronized this new group with a specific AD group.
Once I finished, using a user that is a member of this AD, I was able to log on to the PWA website.
I checked the site permissions and found that my user has been added to the Project Managers Group (Microsoft Project Server).
How come? How did SharePoint or Project Server guess that this user must be added to this specific SharePoint group?
Thanks for any explanation.
By the way, if you know the location of any resource that can explain the mechanism of synchronisation between Project Server groups and SharePoint groups, it might interest me... I can't find any on TechNet.
Project Server users can be automatically added or removed from groups based on Active Directory group membership. This can be configured in Project Server 2010 through the Active Directory synchronization feature. Here is a good explanation on TechNet.
Please see the section "The following are possible scenarios and corresponding actions that occur when security group synchronization takes place:"
Active Directory Resource Pool Synchronization -
Hope that helps.
Thanks, Amit Khare |EPM Consultant| Blog: http://amitkhare82.blogspot.com http://www.linkedin.com/in/amitkhare82
Hi Amit & thank you for the answer and the links.
Actually, I do have a good understanding of how to synchronize members of an AD group with a Project group.
However, how are Project groups synchronized with PWA SharePoint groups? I mean, when I created a new project group, I finally found that the users of the project group have been added to the Project Managers Group (Microsoft Project Server) in PWA.
Why did the synchronization happen with the Project Manager SharePoint group instead of the Team Members SharePoint group?
Thanks for any help
- Edited by Stéphane Guilleminot Wednesday, May 09, 2012 1:41 PM re type questions more clearly
What about the scenario in which my PWA group "Project Managers" does not match the SP group "Project Managers"?
Are PWA groups supposed to be just a friendly way of maintaining SP groups (incl. category associations etc.) - inferring that PWA and SP groups are essentially one-and-the-same? That doesn't seem to be the case here. If they are sync'd, where is that controlled? Why would it ever be disabled?
I suspect that you are confusing the membership of a group with the designation of a permission level.
In other words, are you sure the membership of a group has, in fact, been modified by Project Server? I have never seen that happen.
Unfortunately, Project Server also uses 'Project Manager' to denote a specific permission level that a user has - that of being able to open and publish a project using Project Professional. You do not have to be a member of any particular group to be given that permission (though I believe the best practice is to always have users inherit permissions rather than assign them individually). Therefore, when looking at permissions within PWA, Project Server will show 'Project Manager' permissions where you might otherwise expect 'Team Member' because the additional permission to publish via Project Pro has been granted.
Thanks for the help. The TechNet article below suggests that the 4 related SharePoint groups are populated by Project Server based on information in each Project Plan. That seems like a bad idea - the people and roles in my (small) organization are well defined, and I'd rather not have PWA monkey around with the SP groups. I've had situations where certain users keep getting dropped out of groups for no apparent reason. The article would seem to imply that this might be happening every time I re-publish the project. What a pain. Why can't PWA just populate the SP groups with the information in its own groups?
I've disabled the auto-sync in the Site Provisioning settings - trying to avoid this confusion. Can anyone tell me why this might be a bad idea?
It is only a bad idea because of the manual effort you have to undertake each time someone needs to get access (or be denied access) to the project site. I can totally understand that a project's permission levels can be a pain in the ass, especially when you want to restrict those synchronized permissions...