Tuesday, October 21, 2008

Project Server 2007 and Unique Workspace Permissions

The scenario:
You have a project workspace linked to a project
That workspace has a custom document library/list or Item that requires limited user access
The permissions for the document library are not inherited from the parent site
Users for this document library/list are added individually

The action:
Customer permissions are changed in PWA
User Sync kicks off and re-syncs the users' permissions

The outcome:
The user permissions are removed and re-added to the site as expected
Any "unique" user-level permissions on the site are removed (i.e. if you have added additional "contributor" access as well as the Microsoft Office Project Server group permissions, etc.)
The users' permissions on the list/item that do not inherit from the site are also removed but are not re-added

It appears that the user synchronisation can remove all permissions from the site, lists and items, including those where permissions are not inherited, but can only add site-level and inherited permissions. Therefore:
a - all list/item level specific permissions are removed
b - any unique site security for these resources is also removed

Workarounds/Recommendations

1 Create list access GROUPS and grant access to these lists using group membership (not by assigning individuals)
2 Create a subsite(s) of the parent site wherever permissions on the lists/libraries are required to be different from the parent site
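
To apply the first workaround you need to know which lists and libraries in a workspace currently have individuals assigned directly. The script below is an added example, not part of the original post: it reports, for one workspace, every list with non-inherited permissions that carries a role assignment made to a user rather than a group. It assumes PowerShell 2.0 or later run on a server in the farm with the WSS 3.0 object model installed; the workspace URL is a placeholder and `Get-DirectUserAssignments` is a name chosen here. It checks lists and libraries only, not individual items.

```powershell
# Added example: find list-level permissions granted directly to users,
# i.e. the assignments the post reports as removed and not re-added by User Sync.
param([string]$WorkspaceUrl = "http://server/PWA/ExampleWorkspace")  # placeholder URL

# Load the WSS 3.0 / SharePoint object model (must run on a farm server).
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

function Get-DirectUserAssignments([string]$Url) {
    $site = New-Object Microsoft.SharePoint.SPSite($Url)
    $web  = $site.OpenWeb()   # the web addressed by $Url
    try {
        foreach ($list in $web.Lists) {
            # Lists that inherit from the site are re-populated by the sync; skip them.
            if (-not $list.HasUniqueRoleAssignments) { continue }

            foreach ($ra in $list.RoleAssignments) {
                # Group assignments are what workaround 1 recommends; report users only.
                if ($ra.Member -isnot [Microsoft.SharePoint.SPUser]) { continue }

                $roles = @($ra.RoleDefinitionBindings | ForEach-Object { $_.Name })
                $row = "" | Select-Object List, User, Roles
                $row.List  = $list.Title
                $row.User  = $ra.Member.LoginName
                $row.Roles = $roles -join ", "
                $row
            }
        }
    }
    finally {
        # SPWeb and SPSite hold unmanaged resources and must be disposed.
        $web.Dispose()
        $site.Dispose()
    }
}

Get-DirectUserAssignments $WorkspaceUrl |
    Sort-Object List, User |
    Format-Table -AutoSize
```

Each row is a candidate for replacement with membership of a list access group before the next permission change in PWA triggers a sync.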