Isolating Enterprise Projects in Project Server similar to separated Team Projects in TFS

 

Introduction

TFS is primarily targeted at product development efforts, whereas Project Server (PS) is targeted at the Project Management Office (PMO), where enterprise project planners use it to plan multiple projects. These are two separate server products (at the time of this writing), and the TFS team has written a Project Server integration extension that integrates them and synchronizes the data in TFS with the data in PS. This makes both the product development teams and the PMO happy.

In TFS, each Team Project (TP) created under a Collection is completely isolated: the Project Administrator of one TP can't see another TP when it is initially provisioned, unless someone explicitly grants privileges. In Project Server 2013, however, the default when you create multiple Enterprise Project Plans (EPPs) is that a Project Manager of one EPP can see other EPPs. This might not be the desired outcome. This post explores this difference and shows the steps to separate EPPs from one another in the same way that TPs are separated in TFS.

Abbreviations

TFS – Team Foundation Server
TP – Team Project
PS – Project Server
PWA – Project Web App in PS
EPP – Enterprise Project Plan in PS

Mapping cardinality from TFS to PS

  • A PWA can be registered with a single TFS instance.
  • A TFS instance can be mapped to multiple PWAs.
  • A PWA can be mapped to multiple collections within the TFS instance to which it is registered.
  • An enterprise project can be mapped to a single Team Project.
  • A Team Project can be mapped to multiple enterprise projects.

Permission modes in Project Server

Because PS 2013 is a SharePoint-based product, client applications interact with the underlying data through web applications. In the case of Project Server, the application it creates and relies on is called a Project Web App (PWA). The default permission mode when you set up a PWA in PS 2013 is SharePoint mode. There is also another mode called “ProjectServer” mode. The issue with the default mode is that it is a limited mode: it is not recommended if you want to use features like Resource Breakdown Structure (RBS), Delegation, Categories and so on. So in an enterprise scenario, where you are using the PMO capabilities of PS in conjunction with a large-scale, enterprise-grade system like TFS, you should use the “ProjectServer” permission mode of PS. The other consideration to bear in mind is that you want to make this decision upfront, as soon as you create a PWA. The reason is that if you had created a PWA, left it in the default SharePoint security mode, and a few months down the line initiated a switch to ProjectServer security mode, all your existing security and user settings would be impacted. So this is something to consider at the time of PWA creation for a PMO that is interfacing with TFS.

 

Scenario:

The organization has to isolate project plans (EPPs) completely from each other: project owners of one EPP should not be able to see anything in another EPP. Under the default settings, when multiple projects are under one PWA, this isolation is not possible and one project manager/owner sees other projects, which the organization wants to avoid. What is the way (best or otherwise) to achieve such project isolation?

The following shows step-by-step screenshots, with explanations, of how to do this.

Setting Permissions on the PWA for Project Server

Create the PWA in SharePoint

This assumes you already have SQL, SharePoint 2013 and Project Server 2013 installed. We also don’t say much about registering the PWA with TFS, then mapping the PWA to a TPC and mapping an EPP to a TP. These steps are covered in the TFS documentation.

https://msdn.microsoft.com/en-us/library/vstudio/gg412639(v=vs.120).aspx

 

Now onto getting things done.

Open SharePoint Central Admin and go to “Manage Service Applications”.

Go to Service Applications and choose Project Server Service apps as shown below:

Click through and create your PWA.

On the resulting screen, fill in a new database with a name for the PWA (see below).

 

Changing default permission mode of the PWA

Use the Set-SPProjectPermissionMode PowerShell cmdlet to set the permission mode of the PWA to ProjectServer.

To access the SharePoint Management Shell

For Windows Server 2008 R2:

Click Start, click Microsoft SharePoint 2013 Products, and then click SharePoint Management Shell.

For Windows Server 2012:

On the Start screen, click SharePoint Management Shell.

If SharePoint Management Shell is not on the Start screen:

Right-click Computer, click All apps, and then click SharePoint Management Shell

Getting and Setting Permission Mode (see screen shot below)

Getting the default PermissionMode

PS C:\Users\setup> Get-SPProjectPermissionMode -Url: <PWA_URL>

Setting the permission mode

PS C:\Users\setup> Set-SPProjectPermissionMode -Url: <PWA_URL>

Mode: ProjectServer
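The get-then-set sequence above can be wrapped so that it only switches when needed and reads the mode back afterwards. This is an added example, not part of the original post; the function name Set-PwaProjectServerMode and the sample URL are assumptions, and it is meant to be run from the SharePoint Management Shell on a farm server.

```powershell
# Added example: idempotent switch of a PWA to ProjectServer permission mode.
# Set-PwaProjectServerMode is a hypothetical helper name, not a SharePoint cmdlet.
function Set-PwaProjectServerMode {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)]
        [Uri]$PwaUrl   # placeholder, e.g. http://server/PWA
    )

    # Load the SharePoint snap-in when not started from the Management Shell.
    if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
        Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop
    }

    $current = Get-SPProjectPermissionMode -Url $PwaUrl
    Write-Verbose "Current permission mode for ${PwaUrl}: $current"

    if ("$current" -eq 'ProjectServer') {
        Write-Output "No change: $PwaUrl is already in ProjectServer mode."
        return
    }

    # Switching an existing PWA impacts its current security and user settings,
    # so make the operator acknowledge it before anything changes.
    Write-Warning "Switching $PwaUrl from $current to ProjectServer mode impacts existing security and user settings."

    if ($PSCmdlet.ShouldProcess("$PwaUrl", 'Set permission mode to ProjectServer')) {
        Set-SPProjectPermissionMode -Url $PwaUrl -Mode ProjectServer

        # Read the mode back instead of trusting the absence of an error.
        $after = Get-SPProjectPermissionMode -Url $PwaUrl
        if ("$after" -ne 'ProjectServer') {
            throw "Permission mode is still '$after' after the switch."
        }
        Write-Output "Permission mode for $PwaUrl is now $after."
    }
}

# Usage (placeholder URL): preview first, then run for real.
#   Set-PwaProjectServerMode -PwaUrl 'http://server/PWA' -WhatIf
#   Set-PwaProjectServerMode -PwaUrl 'http://server/PWA'
```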

Now you should be able to see the Security Section for the PWA you created as shown below.

Add Users and Groups

Use the respective links shown above, for adding Users and Groups as needed for your organization. Once you have done that you can create your enterprise Projects.

Creating Enterprise Projects in Project Server

Once permission mode has been set to “ProjectServer” you can begin creating Enterprise Projects as shown below. Go to the Projects Tab for your PWA and click on the Projects at the top which will drop down to the choices shown below. Choose Enterprise projects.

Choose Browse and pick an owner for this Project.

I choose User1

Click “Save”

Similarly create “DemoProject2” with User2 as owner. (Note: Replace DemoProjectN and UserN with your organizational accounts as needed)

Testing

From any client machine or from the same machine, log in as User1 (or User2) and navigate to the list of projects. User1 will only be able to see projects that User1 owns or has any involvement with, and the same is true for User2.
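The same check can be scripted so it can be repeated after every permission change. This is an added example, not part of the original post: it lists the projects each account can see through the Project Server 2013 REST endpoint and compares them with what that account is expected to see. The function names, the PWA URL, the domain-qualified account names and the DemoProject1 name are assumptions.

```powershell
# Added example: confirm each owner sees only their own enterprise projects.
# Get-VisibleProjectNames and Test-ProjectIsolation are hypothetical helper names.
function Get-VisibleProjectNames {
    param(
        [Parameter(Mandatory = $true)][string]$PwaUrl,
        [Parameter(Mandatory = $true)][pscredential]$Credential
    )
    # Single quotes keep PowerShell from expanding $select as a variable.
    $uri = $PwaUrl.TrimEnd('/') + '/_api/ProjectServer/Projects?$select=Name'
    $headers = @{ Accept = 'application/json;odata=verbose' }
    $resp = Invoke-RestMethod -Uri $uri -Credential $Credential -Headers $headers
    @($resp.d.results | ForEach-Object { $_.Name })
}

function Test-ProjectIsolation {
    param(
        [Parameter(Mandatory = $true)][string]$PwaUrl,
        # account name -> project names that account is allowed to see
        [Parameter(Mandatory = $true)][hashtable]$Expected
    )
    $isolated = $true
    foreach ($user in $Expected.Keys) {
        $cred = Get-Credential -UserName $user -Message "Password for $user"
        $seen = Get-VisibleProjectNames -PwaUrl $PwaUrl -Credential $cred
        $allowed = @($Expected[$user])

        # Anything visible beyond the allowed set is an isolation failure.
        $extra = @($seen | Where-Object { $allowed -notcontains $_ })
        # Missing projects point at a broken grant rather than a leak.
        $missing = @($allowed | Where-Object { $seen -notcontains $_ })

        if ($extra.Count -gt 0) {
            Write-Warning "$user can see projects outside its scope: $($extra -join ', ')"
            $isolated = $false
        }
        if ($missing.Count -gt 0) {
            Write-Warning "$user cannot see expected projects: $($missing -join ', ')"
        }
    }
    $isolated
}

# Usage (all values are placeholders):
#   Test-ProjectIsolation -PwaUrl 'http://server/PWA' -Expected @{
#       'CONTOSO\User1' = @('DemoProject1')
#       'CONTOSO\User2' = @('DemoProject2')
#   }
```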

Summary

These two Enterprise Projects created under the PWA are now completely isolated from one another, and only the person chosen as “owner” has any privileges to see, administer and/or make changes or add resources and users to these projects.