Explore Active Directory integration with Microsoft Office Project Server 2003
 
Applies to
Microsoft Office Project 2003
Microsoft Office Project Server 2003

Overview

Active Directory® directory service plays many roles, from being the backbone of distributed security to being the central repository of information for your entire infrastructure. It vastly simplifies user and computer management and provides superior access to networked resources. It is the main switchboard of a networked operating system.

When used with Project Server 2003, Active Directory provides a central service for administrators to organize enterprise resources (resources that are part of an organization's entire list of resources and can be shared across projects) and Project Server users. Organizations in a position to take advantage of Active Directory can greatly simplify the security and resource management aspects of Project Server.

The Active Directory connector in Project Server synchronizes users and groups from Active Directory to Project Server. Active Directory is a standard feature of Microsoft Windows® 2000 Server and Windows Server™ 2003 that can be enabled after installation. New in Project Server is the ability to synchronize security groups, distribution groups, and organizational units in Active Directory with security groups in Project Server. In addition, the enterprise resource pool in Project Server can be populated from the users who belong to a mapped group in Active Directory.

As an increasing number of distributed applications like Project Server take advantage of Active Directory, you benefit by not having to implement and manage application-specific directory services, which saves administrative and hardware costs.


Advantages of using Active Directory

Managing user accounts is often a great burden because all of the requisite information is rarely in one place, at the right time. Active Directory solves this so you can realize some time-saving benefits:


Understanding key security concepts

Security roles are often difficult concepts, so it is important to have a good understanding of the security concepts inherent in Project Server and Active Directory.

The illustration and information that follow define and review the relationships among the security concepts discussed later in this paper.

Graphic showing security concepts

A security principal is a user or a group; a security object is a category (a mapping, within Project Server, of users to projects and views; each category has a name and allows users in that category to access specific projects through a specific set of views) or an organization (a collection of projects, users, and data that has a one-to-one relationship with Project Server).

The following list provides definitions of the concepts discussed.

  • Domain   A collection of computers that share a common database and security policy. Each domain has a unique name.
  • Directory object   A distinct, named set of attributes that represents something concrete, such as a user, printer, or application. Attributes of a user might include the user's name or e-mail address. The attributes hold data describing the subject that the directory object identifies.
  • Security Principal   An object that can be authenticated and granted permissions on a security object. Active Directory and Project Server share the idea that a security principal can be either a user or a group.

    Active Directory security principals are automatically assigned a security identifier (SID), which is used for access to securable objects, and a globally unique identifier (GUID) for unique identification.

    Active Directory users can be added to groups. Security groups in Project Server can also be mapped to, and synchronized with, groups in Active Directory.

  • User Principal Name (UPN)   A "friendly name" for a security principal (user or group) that is easy to remember, for example, FirstName LastName. The UPN is composed of an abbreviated name for the user and the Domain Name Service (DNS) name of the domain tree where the user object resides. For example, user FirstName LastName in the microsoft.com tree might have a UPN of name@microsoft.com.
  • Groups   Users can be combined into a single security principal, enabling each person to be granted the same rights and permissions on an object. Each group typically represents a collection of users with a common set of access needs. By defining a small number of groups, granting those groups permissions on objects, and then assigning users to groups, you can manage a small number of groups instead of a large number of users.
  • Security Rules   These rules enable data access to be granted based on team member, project manager, or resource breakdown structure (RBS) relationships. The RBS is the structure that describes an organization's hierarchy; the RBS code defines the hierarchical position that a resource holds in the organization.
  • Security Identifier (SID)   A data structure of variable length that identifies user, group, and computer accounts. Every account on an Active Directory domain is issued a unique SID and GUID when the account is first created. Microsoft Windows refers to an account's SID rather than to the account's user or group name.
  • Globally Unique Identifier (GUID)   A GUID is a 128-bit number assigned to an object when the object is created. This identifier never changes, even if the object is moved or renamed. Applications can store and use an object's GUID, thus ensuring that they will be able to find the object no matter what its current distinguished name (DN) is. Project Server tracks an object’s GUID in AD_GUID fields populated in the Project Server database. The UPN for a security principal is associated with that object’s GUID.

    An object has only one name, the DN, which uniquely identifies the object and contains information that a client uses to retrieve the object from the directory. Because DNs change and can be difficult to remember (due to their length), Active Directory supports finding objects based on their UPN, which is much shorter and easier to remember than the object’s DN.

  • Group Security Identifier   Like user and computer accounts, groups are Windows 2000 Server or Windows Server 2003 security principals; they are directory objects to which an SID is assigned at creation. You can nest groups; that is, you can add a group as a member of another group the same way that you would add a user to a group. Planning group strategies is an essential part of deploying Active Directory and using it with Project Server.
  • Active Directory connector   The Active Directory connector in Project Server synchronizes users and groups from Active Directory to Project Server. This new component calls the Project Data Service (PDS) to write Active Directory data to the enterprise resource pool and to the security group membership information in the Project Server database. Which writes occur depends on the presence and status of users in Active Directory compared with the presence and status of users and groups in the mapped security groups and in the enterprise resource pool.


Methods of using Active Directory with Project Server

Any organization that is already using or planning to use Active Directory for network security and Project Server as its primary project management application can take advantage of the Active Directory synchronization feature.

The first step is critical: determining what types of users will use Project Server. Typically, this process involves a thorough analysis of how the organization plans to use Project Server and requires an understanding of how to create the security groups in Active Directory and Project Server, as well as how to best manage this synchronization.

Note   The Active Directory connector works only with Active Directory, not with other network directory services.


Security groups in Project Server

Project Server includes a number of default user groups that you can use. Users and groups are the security principals in Project Server.

You should first define groups according to Project Server security policies and then determine the best way to organize users in Project Server into these groups. You can use the default groups included with Project Server, or you can create custom groups to represent the security and access needs for users within your organization.

After you create the groups, assign those groups permissions to categories and views (a view is the combination of one or more views, such as Gantt Chart or Resource Sheet, and, if applicable, a table and a filter). In Project Server, users are then added to the groups and inherit the group’s permissions to the specified categories and views.

The predefined groups for Project Server are Team Members, Project Managers, Portfolio Managers, Executives, Resource Managers, Team Leads, and Administrators, the groups referred to in the synchronization sections that follow.


Adding users automatically to Project Server by using Active Directory

Adding and updating new users from Active Directory in Project Server involves two separate processes. In the first process, the enterprise resource pool is updated with new users from Active Directory by using the Server Configuration pages of Project Web Access. New members added this way are automatically placed in the Team Members group.

During the second process, new and current users who have been added to other Active Directory groups are synchronized with their corresponding security groups within Project Server. These groups typically include Project Managers, Portfolio Managers, Executives, Resource Managers, Team Leads, and Administrators. Members of these groups are not automatically added to the enterprise resource pool; you add them as Project Server users only if needed.

The following illustrations show a typical scenario in which members in Active Directory groups are synchronized with their corresponding groups within Project Server.

Graphic of Synchronization

Note   The synchronization steps can be automated to occur at specific intervals. Typically, the synchronization of Active Directory security groups should happen after the synchronization of the enterprise resource pool.

The synchronization steps are explored in further detail in the following section.


Automate adding new users to the enterprise resource pool

You can synchronize the enterprise resource pool in Project Server with a group in Active Directory. This enables new additions in the Active Directory group to be added to the enterprise resource pool during the next synchronization. If resources exist in Active Directory that do not also exist in the enterprise resource pool in Project Server, the resources are added to the enterprise resource pool.

After synchronization with the enterprise resource pool is configured, it runs automatically. If a user exists in both Active Directory and the enterprise resource pool, the Active Directory connector for Project Server matches the two records on the GUID and compares the user’s metadata properties. Whenever there is a mismatch, the Active Directory data is written to the enterprise resource pool entry for that user. For example, if someone’s e-mail address changes, this information is automatically updated in Project Server.

Note   Users are added to Project Web Access security groups. When new users are added to the enterprise resource pool from Active Directory, they are automatically placed in the Team Members group. If one of these team members is actually a team lead, for example, the person must be added to the appropriate group manually by using the Users pages of Project Web Access, or automatically as explained in the “Adding users automatically to Project Server by using Active Directory” section above.

If the Active Directory connector for Project Server finds a user in Active Directory who is absent from the enterprise resource pool, the connector adds the user to the Team Members security group in Project Server. If a user is found in the enterprise resource pool who is not also in Active Directory, and the user has an Active Directory GUID, the user account is deactivated in the Project Server database. A user who doesn’t have an Active Directory GUID, such as a user who was added directly to Project Server through a project assignment, is not deactivated.

Note   Deactivating a user does not delete the user from the Project Server database. A record of that user’s work on project tasks, including any actual work hours, is retained after deactivation.

Administration for synchronizing the enterprise resource pool with Active Directory is done in Project Web Access by using the Security Configuration pages.

Graphic of server configuration

This synchronization feature is always turned on and cannot be turned off; however, if you have not specified any Active Directory matching, the process performs no work. If you use only Project Server authentication to authenticate users, Active Directory is not used to manage user accounts, but the synchronization feature remains active.

Note   If you don’t want Active Directory synchronization to occur automatically at a specific time, you can synchronize Active Directory groups manually: on the Server Configuration pages, click the Update Now button.

You can also synchronize the entire organization to the enterprise resource pool. To do this, you need to add the Active Directory groups to a larger group, which is then synchronized with the enterprise resource pool. After this, you synchronize the separate Active Directory groups with their matching Project Server security groups.


Automating the synchronization of Active Directory security groups

Synchronizing Project Web Access security groups with Active Directory is typically a four-step process. First, you need to create custom groups in Active Directory that map directly to the default groups in Project Server. In general, this involves the following steps:

  1. Create the Active Directory groups so that they match the Project Server security groups.
  2. Add existing groups and users to the Active Directory groups you just created.
  3. Within Project Web Access, map the Active Directory groups to the Project Server security groups, as explained in the section that follows.
  4. Synchronize the two group structures.

Administration for synchronizing the Project Server security groups with Active Directory is done on the administration pages of Project Web Access under Manage users and groups.

Graphic for setting Active Directory options


What happens during synchronization of the Project Managers group?

The Active Directory connector checks whether each user listed in the Active Directory security group that is mapped to the Project Managers security group in Project Server exists in that Project Server security group. If so, no action is taken. If the user does not exist in Project Server, the user is automatically created and added to the Project Managers group in Project Server. When the Active Directory connector identifies a user in the Project Managers group who is not also found in Active Directory, it removes the user from the security group in Project Server, provided that the user has an Active Directory GUID.

Note   When groups are synchronized by using the Groups page, new users are not added to the enterprise resource pool automatically, nor are users who have left the enterprise automatically deactivated. To automatically add new users to the enterprise resource pool, or to automatically deactivate old users, synchronize Active Directory directly to the enterprise resource pool by using the Server Configuration pages, as explained earlier in the “Automate adding new users to the enterprise resource pool” section.
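The reconciliation rules described in the “Automate adding new users to the enterprise resource pool” section and in this section, expressed as a constructed model added here (not Microsoft's code; it calls no Project Server or PDS API and keeps the records in memory): the AD GUID is the match key, Active Directory data wins on a mismatch, GUID-backed users absent from Active Directory are deactivated by the pool sync but only removed from the group by the group sync, and users without an AD GUID are never touched. The record types, the names and the sample users are assumptions for the example.

```python
# Constructed model (not Microsoft's code) of the sync rules the article attributes to the Project Server 2003 AD connector.
from collections import namedtuple
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

AdUser = namedtuple("AdUser", "guid upn email")   # guid: immutable AD GUID, the match key

@dataclass
class PsUser:    # one row of the Project Server user table, keyed by UPN
    email: str
    ad_guid: Optional[str] = None   # None: created directly in Project Server, outside AD
    in_pool: bool = False           # enterprise resource pool membership
    active: bool = True
    groups: Set[str] = field(default_factory=set)

def sync_from_ad(ad_group: List[AdUser], users: Dict[str, PsUser],
                 group: str = "Team Members", pool_sync: bool = True) -> List[str]:
    """pool_sync=True: Server Configuration sync of the enterprise resource pool (new users land
    in Team Members). pool_sync=False: Groups page sync of one mapped group. Returns an action log."""
    log, seen = [], {a.guid for a in ad_group}
    known = {u.ad_guid: name for name, u in users.items() if u.ad_guid}
    for ad in ad_group:
        if ad.guid not in known:    # in AD, unknown to Project Server: create the user
            users[ad.upn] = PsUser(ad.email, ad.guid, pool_sync, True, {group})
            log.append(f"ADD {ad.upn} -> {group}")
            continue
        name, ps = known[ad.guid], users[known[ad.guid]]
        ps.in_pool = ps.in_pool or pool_sync   # a known user not yet a resource joins the pool
        if pool_sync and ps.email != ad.email:   # metadata mismatch: AD data wins
            ps.email = ad.email
            log.append(f"UPDATE {name} email -> {ad.email}")
        if group not in ps.groups:
            ps.groups.add(group)
            log.append(f"JOIN {name} -> {group}")
    for name, ps in users.items():   # in Project Server but absent from the AD group
        if not ps.ad_guid or ps.ad_guid in seen:   # no AD GUID (local account): never touched
            continue
        if pool_sync and ps.in_pool and ps.active:   # deactivate, never delete: history stays
            ps.active = False
            log.append(f"DEACTIVATE {name}")
        elif not pool_sync and group in ps.groups:   # group sync only edits membership
            ps.groups.discard(group)
            log.append(f"REMOVE {name} <- {group}")
    return log

def demo() -> Dict[str, PsUser]:
    """Constructed sample: a pool sync, then a sync of the mapped Project Managers group."""
    ad = [AdUser("g-alice", "alice@ex.test", "alice@ex.test"),
          AdUser("g-bob", "bob@ex.test", "bob.new@ex.test")]
    users = {n: PsUser(n, g, True, True, {"Team Members", *x}) for n, g, x in [
        ("bob@ex.test", "g-bob", []), ("carol@ex.test", "g-carol", ["Project Managers"]),
        ("dave@ex.test", None, ["Project Managers"])]}
    sync_from_ad(ad, users)                                           # pool sync
    sync_from_ad(ad[:1], users, "Project Managers", pool_sync=False)  # only Alice is a PM in AD
    return users
```

In the sample, Carol (GUID-backed, gone from AD) is deactivated and dropped from Project Managers, while Dave, who has no AD GUID, keeps both his active status and his group membership.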


© 2009 Microsoft Corporation. All rights reserved.