Permissions and security (Must know)
In this chapter we'll examine the various permissions, service accounts, and roles involved in this integration. We'll also cover the steps you'll need to perform to set each of these. Please keep in mind that depending on your unique environment, and the re-use of existing accounts and groups, some of these permissions may have already been granted.
To begin with, we need to make sure we are set up for success. Let's look at this from a server-by-server view:
- Team Foundation Server: In order to perform any of the operations in this chapter you will need to belong to the Team Foundation Administrators group (alternatively, you could set the View instance-level information and Edit instance-level information permissions to Allow). You'll also need access to the Team Foundation Server Administration Console page (alternatively, you could use the Group Membership dialog box in Team Explorer, but the Team Foundation Server Administration Console page is much easier to work with for this).
Team Foundation Server Administration Console
- Project Server: In Project Server, you'll need the Manage users and groups global permission for an instance of Project Web App (PWA). To set these, you'll need access to Project Server through PWA.
Project Web App
- SQL Server: To grant Project Server 2010 permissions for the reporting database, you need to be a member of the administrators' security group for the SQL Server databases for Project Server.
- SharePoint: In SharePoint, you must belong to the Farm Administrators group, the administrators group for the web application that supports Project Server, or the SharePoint Administration group. The exact group membership you will use will depend on the specifics of your deployment.
Required permissions matrix for integration with Project Server 2010. Detailed instructions on how to set these follow this reference table. Each entry gives the account in context, followed by the Team Foundation permissions and the Project Server 2010 permissions that account needs:
Account in context: Service account for Team Foundation Server
Project Server 2010 permissions: set the following Global and Category permissions for the service account for Team Foundation Server.
Global permissions:
- Admin: Manage Enterprise Custom Fields, Manage Server Events, Manage Site Services, and Manage Users and Groups
- General: Log On, New Task Assignment, and Reassign Task
- Project: Build Team on New Project
- Views: View Approvals, View Project Center, View Resource Center, and View Task Center
Category permissions:
- Project: Open Project and View Project Site
- Resource: View Enterprise Resource Data
Also grant Full Control permissions on the Project Server Service Application.
Account in context: Service account for the Project Server web application pool
SQL Server permissions: grant the service account for the Project Server web application pool the following permissions on the PWA reporting database:
- Alter any Schema
- Create Table
On the PWA Published database, grant the Select permission.
Account in context: Service account for the Project Server event handler
Project Server 2010 permissions: Full Control permissions on the Project Server Service Application.
Account in context: Users who configure the integration by running the TfsAdmin ProjectServer commands, including /RegisterPWA and /UnRegisterPWA
Team Foundation permissions: add these users to the Team Foundation Administrators group.
Project Server 2010 permissions: add these users to the Administrators group for each instance of PWA that you will register with TFS.
Account in context: Users who configure the integration by running the TfsAdmin ProjectServer commands but who do not register or unregister instances of PWA
Team Foundation permissions: grant the Administer Project Server integration permission to these users.
Account in context: User accounts assigned as resources in the project plan or to the Assigned To field for a work item
Team Foundation permissions: add the accounts of team members to the Contributors group for the team project.
Project Server 2010 permissions: add team members to the Team Members group for PWA, or grant them the Open Project and View Project Site permissions in Project Server. You must also add these accounts to the enterprise resource pool and to the resource pool for the project plan.
Account in context: Users of Project Professional
Team Foundation permissions: grant the View project-level information permission, or add them to the Readers group for the team project.
Project Server 2010 permissions: add these accounts to the Project Managers group on Project Server.
How to do it...
We'll lay the steps out here by subject to make it easy to follow and refer back to later.
Granting Team Foundation Administrative Permissions:
In order to configure the integration of Team Foundation Server and Project Server, you must have permissions to administer Team Foundation Server or at least a team project collection. For both configuration and synchronization, you must also grant permission to administer Project Server integration to the user who will configure the integration of the two server products. Following are the steps to show how to grant this permission:
- Launch the Team Foundation Server Administration Console page.
Team Foundation Server Administration Console, Administer Security
- Expand the server node (Application Tier), click on Team Project Collections, click on a collection, and then click on the Administer Security option.
- In the Global Security window, click on [Collection]\Project Collection Service Accounts.
- Under Permissions for the Administer Project Server integration, select the Allow checkbox.
- Click on the Close option to close the Global Security window.
On the Project Server side, you will then need to do the following (each item is detailed in the procedures that follow):
- Add the account of the user who will register an instance of PWA with Team Foundation Server to the Administrators group for Project Server.
- Either add the service account for Team Foundation Server to the Administrators group, or grant that account the minimum set of Global and Category permissions described in the previous reference table.
- Add the accounts of any Team Foundation members who will submit status updates to Project Server to the Team Members group.
- Adding an account to Project Server and assigning it to the administrators group for Project Server 2010:
- From the PWA home page, in the Quick Launch area (from the side menu, on the left-hand side, scroll all the way down), select Server Settings.
- From the Server Settings page, select Manage Users.
- From the Manage Users page, select New User. This will begin the creation of a new user account. You will return here as needed to add additional administrators.
- On the New User page, enter at least the required fields. Some things to keep in mind as you are doing this are:
- Uncheck the checkbox for User can be assigned as a resource if the account is a service account. This would be left as default for normal users, but not for an administrator.
- In the User Authentication field, enter the account name of the user or service account you want to use.
- Uncheck the checkbox for Resource can be leveled if the account is an administrator or a service account. This would be left as default for normal users, but not for an administrator as noted previously.
Lastly, you'll need to add the account to the Administrators group: under Security Groups, select Administrators in the list and then click on Add.
- Click on Save.
Project Web App, New User
- Granting the minimum Global permissions to the service account for Team Foundation Server:
- From the PWA page, in the Quick Launch area, click on the Server Settings option.
- From the Server Settings page, click on Manage Users.
- From the Manage Users page, click on New User.
- From the New User page, type the required information in each field. Note the following:
- Clear the checkbox for User can be assigned as a resource because the account is a service account.
- For user authentication, type the account name of the service account.
- To assign Global Permissions, select the Allow checkbox for each Global permission listed for this account in the reference table earlier in this chapter.
- Click on Save.
- Granting Category permissions to the service account:
- From the home page for PWA, in the Quick Launch area, click on the Server Settings option.
- From the Server Settings page, click on the Manage Categories option.
- From the Manage Categories page, click on the New Category option.
- From the Add or Edit Category page, type a name for the service account category. For example, type Servicing Account.
- Under the Available Users list, click on the name of the service account for Team Foundation Server, and then click on Add.
- Under the Projects list, click on the All current and future projects in Project Server database option.
- Click on Save.
- Adding Team Foundation members to the Team Members group:
- From the home page for PWA, in the Quick Launch area, click on the Server Settings option.
- From the Server Settings page, in the Security section, click on the Manage Groups option.
- From the Manage Groups page, click on the Team Members option.
- From the Add or Edit Group page, hold down the Shift key, click on the users whom you want to add from the Available Users list, and then click on Add.
- Under Categories, verify or add My Tasks from Available Categories to Selected Categories.
Adding the Service Account for Team Foundation Server to the Project Server Service Application for Project Server 2010:
In order to enable status update processing by the synchronization engine for integration with Project Server 2010, you must add the service account for Team Foundation Server to the Project Server Service Application. Alternatively, this can be done with Windows PowerShell (not covered here).
Following are the steps to add the Service Account using SharePoint Central Administration:
1. Launch the SharePoint Central Administration page for Project Server.
2. Under Application Management, choose the Manage service applications option.
3. From the Manage Service Applications page, highlight the Project Server Service Application row by clicking within the row but not on the name of the application. The ribbon will now be available.
4. In the ribbon, select the Permissions option.
5. In the Connection Permissions for Project Server Service Application dialog box, type the name of the service account, and then select Add.
6. In the middle pane, make sure that the name of the newly added service account is highlighted.
7. In the bottom pane, select the Full Control checkbox, and then select OK.
Manage Service Applications dialog box, for step 3
Granting Permissions to PWA databases to the service account for the web application pool for Project Server 2010:
To enable data synchronization, you need to grant permissions to the service account for the web application pool to update two SQL Server databases for each instance of PWA for Project Server 2010.
Following are the steps to grant permissions to a database for an instance of PWA:
1. Log on to the data-tier server for Project Server.
2. Select SQL Server Management Studio from Start | All Programs | Microsoft SQL Server 2008.
3. The Connect to Server dialog box will now open.
4. In the Server type list, select Database Engine.
5. In the Server name field, type the name of the server that hosts the databases for Project Server, and then select Connect. (If SQL Server is installed on a cluster, type the name of the cluster, not the computer name. If you have specified a named instance, type the server and instance name in the following format: DatabaseServer\InstanceName. If you have Project Server and SQL Server installed on the same machine, the localhost name that this dialog box defaults to will work fine.)
6. The SQL Server Management Studio page opens.
7. Expand the Databases option, open the shortcut menu for the database for the instance of PWA (for example, PWA_Reporting), and then select Properties.
8. Under Select a page, select Permissions.
9. Add the service account of the web application pool for Project Server, and grant the required permissions. For the reporting database, these are Alter any Schema, Create Table, Delete, Execute, Insert, Select, and Update.
10. On the Published database (PWA_Published), grant the Select permission.
11. Repeat steps 7 through 10 for each instance of PWA that will participate in data synchronization with Team Foundation Server.
Database Properties, Permissions dialog box, for step 8
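The same grants from steps 7 through 10, expressed as T-SQL so they can be scripted and, more importantly, audited for over-provisioning (for example, an account quietly dropped into db_owner instead of being given the listed permissions). This is an added example and not code from the book; the account name CONTOSO\svc-pwa-apppool and the database names are placeholders, and the Windows login is assumed to exist at the server level already.

```sql
-- Added example (not from the book). Placeholders: CONTOSO\svc-pwa-apppool is
-- the Project Server web application pool account; PWA_Reporting and
-- PWA_Published are the databases for one PWA instance.
USE [PWA_Reporting];
GO
-- Map the existing Windows login to a database user (grants CONNECT implicitly).
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'CONTOSO\svc-pwa-apppool')
    CREATE USER [CONTOSO\svc-pwa-apppool] FOR LOGIN [CONTOSO\svc-pwa-apppool];
GO
-- Reporting database: exactly the permissions listed in step 9, nothing broader.
GRANT ALTER ANY SCHEMA, CREATE TABLE, DELETE, EXECUTE, INSERT, SELECT, UPDATE
    TO [CONTOSO\svc-pwa-apppool];
GO

USE [PWA_Published];
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'CONTOSO\svc-pwa-apppool')
    CREATE USER [CONTOSO\svc-pwa-apppool] FOR LOGIN [CONTOSO\svc-pwa-apppool];
GO
-- Published database: read-only, as in step 10.
GRANT SELECT TO [CONTOSO\svc-pwa-apppool];
GO

-- Audit: run in each PWA database. The first query lists every database-level
-- permission the account holds (CONNECT appears automatically from CREATE USER);
-- anything beyond the expected set should be revoked. The second query lists
-- fixed/custom role memberships, since db_owner would silently exceed the
-- minimum set without showing up as an explicit GRANT.
SELECT DB_NAME() AS database_name, dp.name AS principal_name,
       perm.permission_name, perm.state_desc
FROM sys.database_permissions AS perm
JOIN sys.database_principals AS dp
  ON dp.principal_id = perm.grantee_principal_id
WHERE dp.name = N'CONTOSO\svc-pwa-apppool'
  AND perm.class_desc = 'DATABASE'
ORDER BY perm.permission_name;

SELECT DB_NAME() AS database_name, r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'CONTOSO\svc-pwa-apppool';
```

Run the two audit queries again after each PWA instance is registered (step 11) so the permission set stays identical across instances.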
Although we've covered most of the key parts already, there are a few other things you might want to consider. We'll cover those in the following section.
Logon permission for services
You must grant all service accounts for Project Server and SharePoint products permission to log on to the computer on which the service is running.
Service account permissions
The service account for Team Foundation Server also runs the Team Foundation Background Job Agent Service. All TfsAdmin commands are run in this service account's context, except for the /RegisterPWA and /UnregisterPWA options, which are run under the executing user. The Team Foundation Background Job Agent Service manages the data synchronization processes. This service account requires permissions to access each instance of PWA that has been mapped and permissions to call Project Server integration services.
About this Excerpt:
Portions of this excerpt were re-published by the author (me). The full book is available for purchase here http://www.amazon.com/dp/1849688540/?tag=packtpubli-20. Note that some content may be different (pictures, charts, etc.) as I'm trying to format this post for the web.