A very frequent request I get is how to change the default permissions that Project Server assigns to Project Workspace sites for all projects. Unfortunately this is not something that is configurable in Project Server, so the only option out of the box is to disable the permissions sync and manage those permissions manually. Of course, if you don't want administrators to manage every user manually, this is not an option.
This is made more annoying if you want PMs to be able to manage the site, as by default they only have Contribute-like access.
There are a few options out there, notably "Adjust the Default Project Web Access Permission Levels", which uses a SharePoint timer job to manage the default permission levels. However, I have had need for something simpler, and so recently for a customer I implemented the following:
Modifying Basic Site Permissions using Project Events:
My solution is by intent extremely simple, so simple that I will include the main piece of code below (the full solution is also attached). In short, on Publish of any project the code does the following:
- Retrieves the OWNER of the Project
- Retrieves the Workspace Site of the Project
- Adds the Owner to the default SharePoint role SPRoleType.Administrator
So as you can see, it only updates one user's permissions; however, it would be trivial to update the code to do more based on the Project Team and other requirements.
Here is the bulk of the code:
```csharp
if (wssData.ProjWssInfo.Count == 0)
{
    LogEventEntry(String.Format("No workspace site found for project: {0}",
        projectData.Project.First().PROJ_NAME), EventLogEntryType.Warning);
}
else
{
    // Open the SPSite and web
    using (SPSite pwsSite = new SPSite(wssData.ProjWssInfo[0].PROJECT_WORKSPACE_URL))
    {
        using (SPWeb pwsWeb = pwsSite.OpenWeb())
        {
            // Handle Null Email Address
            String ownerEmail;
            if (resourceData.Resources.First().IsWRES_EMAILNull())
                ownerEmail = "";
            else
                ownerEmail = resourceData.Resources.First().WRES_EMAIL;

            // Add the new role assignment to the Owner
            SPRoleAssignment roleAssn = new SPRoleAssignment(
                resourceData.Resources.First().WRES_ACCOUNT,
                ownerEmail,
                resourceData.Resources.First().RES_NAME,
                "Project Owner");
            SPRoleDefinition roleDefn = pwsWeb.RoleDefinitions.GetByType(SPRoleType.Administrator);
            roleAssn.RoleDefinitionBindings.Add(roleDefn);
            pwsWeb.RoleAssignments.Add(roleAssn);
        }
    }
}
```
The code is bound to both OnPublished and OnSummaryPublished (to catch the Save from PWA as well), which ensures that the Owner will always have Admin rights; if not, all the PM has to do is republish.
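Because the handler fires on every publish, a variant of the role assignment step can check what the owner already holds before writing anything, so a republish changes nothing and each real grant can be logged once. This is an added example, not code from the attached solution; the class and method names are hypothetical, `loginName` is assumed to be the owner's `WRES_ACCOUNT`, and the role type is a parameter so something narrower than `SPRoleType.Administrator` can be passed.

```csharp
using System;
using Microsoft.SharePoint;

public static class WorkspacePermissions
{
    // Hypothetical helper (not part of the original solution).
    // Returns true only when a permission was actually granted, so the
    // caller can write one audit entry per real change.
    public static bool EnsureOwnerRole(SPWeb pwsWeb, string loginName, SPRoleType roleType)
    {
        // A web that inherits permissions shares its parent's assignments;
        // leave it alone rather than breaking inheritance as a side effect.
        if (!pwsWeb.HasUniqueRoleAssignments)
            return false;

        SPUser owner = pwsWeb.EnsureUser(loginName);
        SPRoleDefinition roleDefn = pwsWeb.RoleDefinitions.GetByType(roleType);

        // Look for an assignment the owner already holds on this web.
        SPRoleAssignment existing = null;
        foreach (SPRoleAssignment ra in pwsWeb.RoleAssignments)
        {
            if (ra.Member.ID == owner.ID) { existing = ra; break; }
        }

        if (existing == null)
        {
            SPRoleAssignment roleAssn = new SPRoleAssignment(owner);
            roleAssn.RoleDefinitionBindings.Add(roleDefn);
            pwsWeb.RoleAssignments.Add(roleAssn);
            return true;
        }

        if (existing.RoleDefinitionBindings.Contains(roleDefn))
            return false; // already granted: a republish changes nothing

        existing.RoleDefinitionBindings.Add(roleDefn);
        existing.Update();
        return true;
    }
}
```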
Download only the WSP package here with – basic – instructions.
Download the full source package here.
Notes:
- As an event handler, the solution runs under the security context of the Project Server Event Service account, so this account must be a user in PWA with appropriate access. I use administrator; however, it could get by with less.
- This completely ignores the WssSync jobs created by Project Server; as such, some actions such as AD sync and group membership changes can apply permissions outside of typical Publish events. However, in my experience with 2010 this will not remove existing SharePoint permissions (see one of my previous blogs on this).
- The solution is built with Visual Studio 2010 and packaged as a WSP allowing for simple installation using typical SharePoint means.
- The solution uses Project Server 2010 WCF methods to access the PSI, and so without modification it will not work on Project Server 2007.
- The solution logs error information to the Event Log and not the ULS; this is because I'm lazy. However, it means that on Windows Server 2008, if the user (Event Service account) is not a local admin, it will fail and log nothing.
Post comments with any questions or even additions, but please note that I can't provide support for the standalone WSP package.
Hello Martin,
We need some help with a multi-tenant Project Server 2010 deployment on top of an existing multi-tenant SharePoint 2010 environment. We've looked around and you are the only person on the internet who seems to have ever mentioned multi-tenant Project servers. Other than some social networking sites, this is the only way I've found to contact you.
I don’t know if you can see my email address that won’t be published, but can you please contact me. I really need some help.
Sorry to do it this way. Delete this comment whenever.
Thank you in advance.
It's a great post, you really are a good writer! I'm so glad someone like you has the time, effort and dedication for writing this kind of article… Helpful and useful. Very nice post!