cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Project Management authorizations

Go to solution
Former Member

on ‎10-22-2014 3:18 PM

0 Kudos

Hi all,

I have a situation where I have a lot of users who created a lot of Item and Projects. I need to lock the system for all, and then I will give ACO_SUPER for some users to let them work with the projects again.

When the users have created the projects they automatically have "admin" rights and thus are not affected if I add all users to the portfolio authorizations with "Read" access.

Is it in any way possible to make sure that, even though users have created the Items and Projects, I can overwrite the "admin" authorization they have with a "Read"

Another thing is, that for Items I can give "Read" access in the portfolio and this is then inherited down through buckets to Items. So this gives users who did not create the Item, access to it with "Read" access. This is okay, but is this possible in any way with Projects as well. I know there's no hierarchy as such, but if there is any way I can give all users "Read" access to all Projects, this would help me a lot.

Best regards,

Morten

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

Former Member
‎10-27-2014 1:52 PM
0 Kudos

Hi Morten,

I believe it is possible for you to delete the authorization of the user who created the item/project. However, you will have to manually go to each item and/or project and manually delete. I did a brief test in my system and I was allowed to delete the creator, however, I would suggest you do some detailed testing on this with multiple users.

To answer your second question,inherited authorizations do not sync via DFM. To overcome this what I have done is specified authorization in the project template. For example, in my system the requirement is all users should have read access to everything (which I think is your requirement as well). Therefore to overcome the fact that inherited authorizations are not synced, I have a role, lets say ZPPM_USER which is assigned to all users. This role is included in the ACL of the portfolio with read access and also in all template ACL's with read access. Of course, this solution assumes all projects are created from a project template.

In general, I strongly believe that ACO_SUPER auth object should not be included any business roles. It should be restricted to IT PPM admin roles. There maybe cases where ACO_SUPER is required in a business role, but more of an exception if there is no other choice. Just my opinion

Hope that helps. Feel free to let me know if any questions.

Lashan

Show replies
Show replies
Former Member
‎10-27-2014 3:24 PM
0 Kudos

Hi Lashan,

Thank you for the reply.

I found out that I could actually go in, as you mention, in every project and change the "admin" auth to "read" for the creators of the Items. This change would then synch via DFM to the cProject and problem would be solved. But I simply have too many projects for this to be a solution for me.

For the inheritance, I really do not see why the inherited auths are not synched as well. The solution you propose, I guess, is only valid if I create a new project after I have added "read" auth in the ACL of the Cproject template? All my projects are already created, so would this still have effect on these projects?

Br,

Morten

Former Member
‎10-27-2014 5:54 PM
0 Kudos

Yes, unfortunately it will not help for the existing projects. Your only option may be to write a custom program to update the authorization if it's worth the effort. I did have a situation as well where we had to overhaul the security design for PPM and it involved tedious manual effort to update authorization for all active projects/items.

Answers (0)

Ask a Question