Tuesday 26 January 2010

EPM2007 – Preventing Users from Modifying PWA Pages and Personalization

Ever got a call from a user one morning to say that the data on PWA page is not showing i.e. only a blank page shows with no error messages. Or, the PWA theme has been changed! Puzzling….you investigate and get the same result, say for example the REMINDERS are not showing on the Home Page within PWA! You investigate and determine that the the webpart was removed by someone. But WHO! You are the only administrator. No one else is forthcoming to state that they have done something.  Could it be someone external?

If you are an EPM Application Administrator or PMO and you have encountered this situation and/or concerned that this could happen in your deployment, then read on.

Where to start looking?

Determine what the Project Managers or Team Members can and can’t do. Log in with role-based test user accounts, if necessary. Within PWA Home Page, navigate to Site Actions and determine if the user is able to EDIT PAGE for example. See fig below.

PWAPageChange_Global

(click picture to enlarge)

Based on the above fig, the user is able to create, modify PWA pages by removing and adding webparts within the page and edit site themes, affecting all other PWA users within the environment.

Users belonging to Project Managers group within Project Server 2007 will be able to do this by default!

The next thing you may wish to check for is the ‘Personalization’ capability i.e. changes that are local to the user and do not affect the other users. See fig below. 

PersonalizePage 

Where to make changes to default PWA Site Permission settings?

To make changes to the default permission settings, navigate to PWA > Site Settings and select Advanced Permissions.

PWAUserGroupAdvancedPermission 

Next, from the Settings dropdown, select Permission Levels.

PWAUserGroupAdvancedPermission_Settings

Here you will see the User Groups at PWA root site site level. The one that you need to review and modify is the ‘Project Managers’ user group. See highlighted in figure below.

SecurityGroups

Select this user group and make following changes;

Uncheck the Manage List check box.

ManageLists

Next, uncheck the options for ‘Add and Customize Pages’, ‘Apply Themes and Borders’ and ‘Apply Style Sheets’.

AddAndCustomizePages

Once this is done, the Project Managers will not see the ‘Site Actions’ Tab.

NoSiteActionsCapability 

Whereas before they saw ‘Create’, ‘Edit Page’ and ‘Site Settings’ within Site Actions as in the first fig above.

Where to make changes to default PWA Personal Permissions settings?

If you want to further restrict users from making personal changes. Then uncheck the Personal Permissions options for PWA site user group. See fig below.

AdvancedPermission_Personal 

This, in my view, is optional. I would personally leave this unchanged. The users have the option to Show Shared View or Reset Page Content if they are not happy with their personal page changes.

ShowingSharedView&ResttingContent

Considerations for making changes to default PWA Site Permissions in an existing system

Ideally, the above changes should be considered during the planning phase and modified before the users are added to the Project Server User Groups. If, however, you decide the make the above changes in an existing deployment where users are already added to Project Server User groups, you will need to take the following action;

  • Re-apply Project Server security by first removing and adding back users into the affected Project Server user group, in this case it is the Project Managers user group. Ensure you save changes after removal and addition of users back into group(s).

As always, document and test any changes thoroughly on a development environment before making changes to the live system. A virtual PWA instance/environment is sufficient for this purpose.

Hope this helps you keep a tighter control of your EPM environment.

Note: Also read how Project Server Security Groups map to SharePoint Security Groups

No comments:

Post a Comment

Please include your email address with comments.