Microsoft Office Project Conference 2007 - Simple Effective Rights

Microsoft Office Project Conference 2007 - Simple Effective Rights

  • Comments 2

I'm Phil Smail, one of the Program Managers from the Product Group. One of my presentations during the MOPC 2007 was one of security programmability. As part of that Presentation I demonstrated some code that I wanted to get onto this blog

This code is a Simple Effective Rights tool. It's essentially a cut down version of the View Effective Rights tool we shipped with the Project 2003 Project Resource Kit (and will be shipping soon in the Project 2007 Project Resource Kit)

It's a Winforms application that uses the PSI to brute force calculate why a user does/doesn't have the correct permissions. This version only does Project Permissions but could be very easily modified to handle Resource and Global permissions. It uses the PSI to work out the permissions

When you first start the application you'll get the following logon screen:

image

When you enter the URL you are presented with the main Form page:

image

There are three drop downs at the top of the page. One to select the User, the second to choose the relevant permission, and the third to choose the Project Name. One those details have been entered you just need to hit the 'EffectivizeName Possible my Rights' button. It then looks like the following:

image

The columns mean the following:

Column Name Possible Values Purpose
Right Allow/Deny The right specified for the selected Permission
Object Present True/False Whether the object is explicitly added to the category. If not then it may be accessible through the Category rules
Category Name N/A The name of the category giving the user permissions
User/Group Name User name or the Group name If this is via the User then the User Name is displayed else we just display the name of the Group
Applicable Rules

· All current and future projects in Project Server database

· Only the projects indicated

· The User is the Project Owner or the User is the Status Manager on assignments within that Project

· The User is on that project's Project Team, The Project Owner is a descendant of the User via RBS

· A resource on the project's Project Team is a descendant of the User via RBS

The Project Owner has the same RBS value as the User

The rules specified by the Category that may be relevant to the effective Permission

The rules specified by the Category that may be relevant to the effective Permission

As you can see in the case above the following can be understood from this:

· The effective right is Deny for this user, this permission on this project

· The user is denied in 4 categories, 3 directly on the user, one through a group

What it’s doing under the covers is going through the user object and working out what categories they have permissions on and whether the object exists and what permission the user has on those objects. It then goes through all the groups the user belongs to, works out what categories they have permissions on and calculates the same information. This will give the effective right the user has.

Why do we have to go through every item to work out the effective right of the user? Unfortunately there isn’t a PSI that tells us the effective permission of a user other than the logged on user.

Attachment: SimpleVER.zip
Leave a Comment
  • Please add 8 and 3 and type the answer here:
  • Post
  • For your information, Phil Smail (Program Manager from the EPM Product Group) has just released this

  • For your information, Phil Smail (Program Manager from the EPM Product Group) has just released this

Page 1 of 1 (2 items)