Walkthrough: Creating and Using Custom Project Server Permissions

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Microsoft Office Project Server 2007 does not have a built-in mechanism for third parties to add custom permissions to the default list of security permissions. However, developers can add custom global and category permissions to provide deeper integration with Project Server. For example, you can add a link within the Quick Launch in Project Web Access and secure the link with a custom permission. (The content of this article was contributed by Phil Smail, Microsoft Corporation.)

Project Server permissions are defined in the Published database. This article shows how to add custom permissions and how to add a link to the Quick Launch that appears only to Project Web Access users who have the custom permission. For example, a link to a customized help page that is visible only to Project Server administrators can explain organization-specific procedures and make the learning curve for Project Server 2007 easier.

Creating custom permissions and secure links are the only cases in the Project 2007 SDK that require you to modify tables in the Published database.

Important

When you directly modify the Project Server Published database to create custom permissions and secure links, take care to retain security information when you are creating permissions. It is also possible that applying Project Server updates or service packs can overwrite your custom permissions. Keep a record of your custom permissions and be prepared to recreate them after installing a Project Server update.

This article includes the following procedures to create and use a custom permission:

  1. Getting the Security Permission Headers

  2. Adding a Global Permission with a Localized Name

  3. Setting the Permission in Project Server

  4. Adding the Permission to a Security Template

  5. Adding a Category Permission

  6. Adding a Secure Link in the Quick Launch

Getting the Security Permission Headers

Creating custom permissions involves directly accessing and modifying four of the security tables in the Published database. Table 1 lists the tables you need.

Table 1. Security tables in the Published database to use for custom permissions

| Table Name | Description |
| --- | --- |
| MSP_WEB_SECURITY_FEATURES_ACTIONS | Contains the permission definitions. |
| MSP_WEB_CONVERSIONS | Contains the locale-specific names of the permissions. |
| MSP_WEB_SECURITY_ORG_PERMISSIONS | The permissions for the entire instance of Project Server. The WSEC_ALLOW, WSEC_DENY, and WSEC_ACCESS fields control all users. |
| MSP_WEB_SECURITY_TEMPLATE_PERMISSIONS | The permissions for specific templates. |

Each permission has a parent. Project Server uses the permission parent to group permissions within the Project Web Access Permissions page.

Procedure 1. To get the security permission headers:

  1. Using SQL Query Analyzer, select the Published database of the Project Web Access instance you want; for example, select ProjectServer_Published.

  2. To get a list of all headers for the security permissions, run the following query.

    -- Gets the list of permission headers and names
    -- 946E9CC0-ED95-4F6F-877F-9A9ADAB57929 is a permission string type
    SELECT f.WSEC_FEA_ACT_UID, c.CONV_STRING AS WSEC_FEA_ACT_NAME
    FROM dbo.MSP_WEB_SECURITY_FEATURES_ACTIONS AS f
    INNER JOIN dbo.MSP_WEB_CONVERSIONS AS c ON f.WSEC_FEA_ACT_NAME_ID = c.CONV_VALUE
    WHERE c.LANG_ID = 1033
    AND c.STRING_TYPE_UID = {guid '946E9CC0-ED95-4F6F-877F-9A9ADAB57929'}
    AND f.WSEC_IS_ACTION = 0
    ORDER BY c.CONV_STRING
    

    In this case the LANG_ID is 1033 for the English names of the headers. The STRING_TYPE_UID is a GUID that represents the header. The query returns the following result from a default Project Server instance.

    WSEC_FEA_ACT_UID                     WSEC_FEA_ACT_NAME
    ------------------------------------ -------------------------
    72E6A92E-4ED5-4106-9A6C-4C9AEAB02E8B Admin
    3AEB94A1-1F19-4440-B82D-EABD5B7CEDF6 General
    0000B7E3-566E-49E7-B73D-E8623F41E6DA Project
    0000B708-D985-43B2-BDBF-E822EBB86C6A Resource
    3ABE6FFC-EADD-4AC4-8199-C9700D063D0A Status Reports
    00007526-2310-466E-AD87-C2C36316F5C4 Time and Task Management
    6E0A750D-034D-40F3-AD17-3E92A316BCFC Views
    
    (7 row(s) affected)
    

Adding a Global Permission with a Localized Name

The example adds a global permission with the Admin header parent, which has the GUID {72E6A92E-4ED5-4106-9A6C-4C9AEAB02E8B}. Table 2 shows the field parameters in the query to create a custom global permission.

Table 2. Parameters required for a custom global permission

| Field Parameter | Description |
| --- | --- |
| WSEC_FEA_ACT_UID | GUID of the permission. |
| WSEC_FEA_ACT_NAME_ID | The ID number for the permission in the MSP_WEB_CONVERSIONS table. All instances of the locale-specific permission name in MSP_WEB_CONVERSIONS must use the same ID number. Any value above 100000 should be safe from being overwritten by Project Server updates. |
| WSEC_FEA_ACT_PARENT | GUID of the parent object. In the example the GUID is the Admin header. |
| WSEC_IS_ACTION | Set the value to 0 if you are creating a header, or to 1 if you are creating a permission. |
| WSEC_ON_OBJECT | Specifies whether the permission is for an object (project or resource). In the example, the value is 0 because a global permission does not secure any objects. |
| WSEC_OBJ_TYPE_UID | The GUID for the type of object you are securing. In the example, the value is NULL for a global permission. |

Procedure 2. To add a global permission with a localized name:

  1. With the same Published database selected in Procedure 1, run the following query in SQL Query Analyzer to create a global permission with an Admin header parent in the MSP_WEB_SECURITY_FEATURES_ACTIONS table.

    --WSEC_OBJ_TYPE_UID
    --NULL = Global Permission
    --14bb576a-1a64-4393-a196-4414527dbbca = Resource category permission
    --1771b1c0-6e26-4fb3-a480-c798ab506e82 = Project category permission
    INSERT INTO MSP_WEB_SECURITY_FEATURES_ACTIONS
    (WSEC_FEA_ACT_UID, WSEC_FEA_ACT_NAME_ID, WSEC_FEA_ACT_PARENT, WSEC_IS_ACTION, WSEC_ON_OBJECT, WSEC_OBJ_TYPE_UID)
    VALUES ('{04DA7D9C-3DAC-4ddc-A974-826002E4389C}', 100001, '{72E6A92E-4ED5-4106-9A6C-4C9AEAB02E8B}', 1, 0, NULL)
    

    The query returns the result (1 row(s) affected).

  2. Add an entry to the MSP_WEB_CONVERSIONS table with the following query. The language is English in the example.

    --   946E9CC0-ED95-4F6F-877F-9A9ADAB57929 is a permission string type
    -- Put the localized name for the new permission in the string table
    INSERT INTO dbo.MSP_WEB_CONVERSIONS
    (STRING_TYPE_UID, CONV_VALUE, LANG_ID, CONV_STRING)
    VALUES ('{946E9CC0-ED95-4F6F-877F-9A9ADAB57929}', 100001, 1033, 'Hello Project Server Security')
    

    The query returns the result (1 row(s) affected).

Setting the Permission in Project Server

To enable Project Server administrators to allow or deny the new permission across the entire Project Server instance, add an entry to the MSP_WEB_SECURITY_ORG_PERMISSIONS table. Table 3 lists the required field parameters in the query.

Table 3. Parameters for setting the custom permission in Project Server

| Field Parameter | Description |
| --- | --- |
| WSEC_FEA_ACT_UID | GUID of the new permission. |
| WSEC_ALLOW | Specifies whether the permission can be allowed. |
| WSEC_DENY | Specifies whether the permission can be denied. |
| WSEC_ACCESS | This field is not used, but setting it to 1 is consistent with WSEC_ALLOW. |
| WSEC_PAID | This field is not used, but setting it to 1 is consistent with WSEC_ALLOW. |

Procedure 3. To set the permission in Project Server:

  • With the same Published database selected in Procedure 1, run the following query in SQL Query Analyzer to enable the new global permission to be set in Project Server, and set the permission to Allow.

    -- Enable the permission to be set across the entire server.
    -- Set the permission to Allow.
    INSERT INTO dbo.MSP_WEB_SECURITY_ORG_PERMISSIONS
    (WSEC_FEA_ACT_UID, WSEC_ALLOW, WSEC_DENY, WSEC_ACCESS, WSEC_PAID)
    VALUES ('{04DA7D9C-3DAC-4ddc-A974-826002E4389C}', 1, 0, 1, 1)
    

    The query returns the result (1 row(s) affected).

Adding the Permission to a Security Template

You can set the global permission for specific security templates. For example, the Add or Edit Template page for the Administrator template in Project Web Access can show the custom permission with Allow selected in the Global Permissions section. The other security templates show the custom permission, but the Allow and Deny settings are not selected.

Procedure 4. To add the permission to a security template:

  1. Get the ID for the template from the MSP_WEB_SECURITY_TEMPLATES table. For example, the WSEC_TMPL_UID value for the Administrator template is {0A9227EF-77E7-4EA8-A68D-57A8441F7DEB}.

  2. Using the same Published database selected in Procedure 1, run the following query in SQL Query Analyzer to set the custom permission to Allow on the Administrator template.

    -- Add the permission to the Administrator template with a value of Allow.
    INSERT INTO dbo.MSP_WEB_SECURITY_TEMPLATE_PERMISSIONS 
           (WSEC_FEA_ACT_UID, WSEC_ALLOW, WSEC_DENY, WSEC_ACCESS, WSEC_TMPL_UID) 
    VALUES ('{04DA7D9C-3DAC-4ddc-A974-826002E4389C}', 1, 0, 1, '{0A9227EF-77E7-4EA8-A68D-57A8441F7DEB}')
    

    The query returns the result (1 row(s) affected).
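
Because a Project Server update can remove these rows, it helps to keep the inserts from Procedures 2 through 4 as one script that can be run again safely. The following is an added example, not part of the original article; it reuses the GUIDs and name ID from the procedures above, assumes the UID columns are uniqueidentifier and the name ID is int, and needs SQL Server 2005 or later for TRY...CATCH.

```sql
-- Added example: re-runnable creation of the custom global permission.
-- Variable types are assumptions (uniqueidentifier and int columns).
SET XACT_ABORT ON;
DECLARE @perm uniqueidentifier, @admin_hdr uniqueidentifier,
        @admin_tmpl uniqueidentifier, @str_type uniqueidentifier, @name_id int;
SET @perm       = '{04DA7D9C-3DAC-4ddc-A974-826002E4389C}'; -- custom permission
SET @admin_hdr  = '{72E6A92E-4ED5-4106-9A6C-4C9AEAB02E8B}'; -- Admin header
SET @admin_tmpl = '{0A9227EF-77E7-4EA8-A68D-57A8441F7DEB}'; -- Administrator template
SET @str_type   = '{946E9CC0-ED95-4F6F-877F-9A9ADAB57929}'; -- permission string type
SET @name_id    = 100001;                                   -- above 100000

BEGIN TRY
    BEGIN TRANSACTION;  -- all four tables change together or not at all

    IF NOT EXISTS (SELECT 1 FROM dbo.MSP_WEB_SECURITY_FEATURES_ACTIONS
                   WHERE WSEC_FEA_ACT_UID = @perm)
        INSERT INTO dbo.MSP_WEB_SECURITY_FEATURES_ACTIONS
            (WSEC_FEA_ACT_UID, WSEC_FEA_ACT_NAME_ID, WSEC_FEA_ACT_PARENT,
             WSEC_IS_ACTION, WSEC_ON_OBJECT, WSEC_OBJ_TYPE_UID)
        VALUES (@perm, @name_id, @admin_hdr, 1, 0, NULL);

    IF NOT EXISTS (SELECT 1 FROM dbo.MSP_WEB_CONVERSIONS
                   WHERE STRING_TYPE_UID = @str_type
                     AND CONV_VALUE = @name_id AND LANG_ID = 1033)
        INSERT INTO dbo.MSP_WEB_CONVERSIONS
            (STRING_TYPE_UID, CONV_VALUE, LANG_ID, CONV_STRING)
        VALUES (@str_type, @name_id, 1033, 'Hello Project Server Security');

    IF NOT EXISTS (SELECT 1 FROM dbo.MSP_WEB_SECURITY_ORG_PERMISSIONS
                   WHERE WSEC_FEA_ACT_UID = @perm)
        INSERT INTO dbo.MSP_WEB_SECURITY_ORG_PERMISSIONS
            (WSEC_FEA_ACT_UID, WSEC_ALLOW, WSEC_DENY, WSEC_ACCESS, WSEC_PAID)
        VALUES (@perm, 1, 0, 1, 1);

    IF NOT EXISTS (SELECT 1 FROM dbo.MSP_WEB_SECURITY_TEMPLATE_PERMISSIONS
                   WHERE WSEC_FEA_ACT_UID = @perm AND WSEC_TMPL_UID = @admin_tmpl)
        INSERT INTO dbo.MSP_WEB_SECURITY_TEMPLATE_PERMISSIONS
            (WSEC_FEA_ACT_UID, WSEC_ALLOW, WSEC_DENY, WSEC_ACCESS, WSEC_TMPL_UID)
        VALUES (@perm, 1, 0, 1, @admin_tmpl);

    COMMIT TRANSACTION;
END TRY
BEGIN CATCH
    IF XACT_STATE() <> 0 ROLLBACK TRANSACTION;
    DECLARE @msg nvarchar(2048);
    SET @msg = ERROR_MESSAGE();
    RAISERROR('%s', 16, 1, @msg);  -- report the original error to the caller
END CATCH;
```

The guards only add rows that are missing; they do not reset an Allow or Deny value that an administrator has since changed in Project Web Access.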

Adding a Category Permission

The process for adding a category permission is similar to adding a global permission, with the following differences.

  • For project category permissions, specify the project parent header. For resource category permissions, specify the resource parent header.

  • For the permission values in the MSP_WEB_SECURITY_FEATURES_ACTIONS table, set the WSEC_OBJ_TYPE_UID value to the correct object GUID (resource or project category). Set the WSEC_ON_OBJECT value to 1.

Procedure 5. To add a category permission:

  1. Select the Published database for the Project Server instance you want in SQL Query Analyzer.

  2. Run the following query. The example adds a project category permission with an English name, enables the permission at the organization level, and sets it to Allow in the Administrator template.

    --WSEC_OBJ_TYPE_UID
    -- Global permission = NULL
    -- Resource category permission = 14bb576a-1a64-4393-a196-4414527dbbca 
    -- Project category permission = 1771b1c0-6e26-4fb3-a480-c798ab506e82
    INSERT INTO MSP_WEB_SECURITY_FEATURES_ACTIONS
    (WSEC_FEA_ACT_UID, WSEC_FEA_ACT_NAME_ID, WSEC_FEA_ACT_PARENT, WSEC_IS_ACTION, WSEC_ON_OBJECT, WSEC_OBJ_TYPE_UID)
    VALUES ('{895C0897-CE9E-4aef-ADF4-243DF2484B1A}', 100002, '{0000B7E3-566E-49E7-B73D-E8623F41E6DA}', 1, 1, '{1771b1c0-6e26-4fb3-a480-c798ab506e82}')
    
    -- 946E9CC0-ED95-4F6F-877F-9A9ADAB57929 is a permission string type.
    -- Put the localized name for the new permission in the string table.
    INSERT INTO dbo.MSP_WEB_CONVERSIONS
    (STRING_TYPE_UID, CONV_VALUE, LANG_ID, CONV_STRING)
    VALUES ('{946E9CC0-ED95-4F6F-877F-9A9ADAB57929}', 100002, 1033, 'Cool new Project Category permission')
    
    -- Enable the permission to be set at the organization level,
    -- and set it to Allow.
    INSERT INTO dbo.MSP_WEB_SECURITY_ORG_PERMISSIONS
    (WSEC_FEA_ACT_UID, WSEC_ALLOW, WSEC_DENY, WSEC_ACCESS, WSEC_PAID)
    VALUES ('{895C0897-CE9E-4aef-ADF4-243DF2484B1A}', 1, 0, 1, 1)
    
    -- Add the permission to the Administrator template with a value of Allow.
    INSERT INTO dbo.MSP_WEB_SECURITY_TEMPLATE_PERMISSIONS 
           (WSEC_FEA_ACT_UID, WSEC_ALLOW, WSEC_DENY, WSEC_ACCESS, WSEC_TMPL_UID) 
    VALUES ('{895C0897-CE9E-4aef-ADF4-243DF2484B1A}', 1, 0, 1, '{0A9227EF-77E7-4EA8-A68D-57A8441F7DEB}')
    

    There are queries for four different tables in the preceding code, so the results are four lines with (1 row(s) affected).

  3. Check the Add or Edit Template page for several security templates in Project Web Access. All of the security templates show Cool new Project Category permission under Project in the Category Permissions section. The permission is specified as Allow in the Administrator template.
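
To keep the record of custom permissions that the Important note recommends, and to check after an update that no rows were overwritten, the tables can be queried together. The following is an added example, not part of the original article; it uses only the tables and columns shown in Procedures 1 through 5 and assumes that every custom permission follows the convention of a name ID above 100000.

```sql
-- Added example: inventory of custom permissions (name ID above 100000).
-- A NULL in PERMISSION_NAME, ORG_ALLOW, or WSEC_TMPL_UID marks a row that
-- is missing from the corresponding table and has to be recreated.
SELECT f.WSEC_FEA_ACT_UID,
       f.WSEC_FEA_ACT_NAME_ID,
       c.CONV_STRING AS PERMISSION_NAME,
       CASE
           WHEN f.WSEC_OBJ_TYPE_UID IS NULL THEN 'Global'
           WHEN f.WSEC_OBJ_TYPE_UID = '{14bb576a-1a64-4393-a196-4414527dbbca}'
               THEN 'Resource category'
           WHEN f.WSEC_OBJ_TYPE_UID = '{1771b1c0-6e26-4fb3-a480-c798ab506e82}'
               THEN 'Project category'
           ELSE 'Unknown object type'
       END AS PERMISSION_SCOPE,
       o.WSEC_ALLOW AS ORG_ALLOW,
       o.WSEC_DENY  AS ORG_DENY,
       t.WSEC_TMPL_UID,
       t.WSEC_ALLOW AS TMPL_ALLOW,
       t.WSEC_DENY  AS TMPL_DENY
FROM dbo.MSP_WEB_SECURITY_FEATURES_ACTIONS AS f
LEFT JOIN dbo.MSP_WEB_CONVERSIONS AS c
       ON c.CONV_VALUE = f.WSEC_FEA_ACT_NAME_ID
      AND c.LANG_ID = 1033
      AND c.STRING_TYPE_UID = '{946E9CC0-ED95-4F6F-877F-9A9ADAB57929}'
LEFT JOIN dbo.MSP_WEB_SECURITY_ORG_PERMISSIONS AS o
       ON o.WSEC_FEA_ACT_UID = f.WSEC_FEA_ACT_UID
LEFT JOIN dbo.MSP_WEB_SECURITY_TEMPLATE_PERMISSIONS AS t
       ON t.WSEC_FEA_ACT_UID = f.WSEC_FEA_ACT_UID
WHERE f.WSEC_FEA_ACT_NAME_ID > 100000
  AND f.WSEC_IS_ACTION = 1
ORDER BY f.WSEC_FEA_ACT_NAME_ID, t.WSEC_TMPL_UID;

-- Orphaned names: localized strings above 100000 whose permission
-- definition no longer exists (for example, after an update removed it).
SELECT c.CONV_VALUE, c.LANG_ID, c.CONV_STRING
FROM dbo.MSP_WEB_CONVERSIONS AS c
WHERE c.STRING_TYPE_UID = '{946E9CC0-ED95-4F6F-877F-9A9ADAB57929}'
  AND c.CONV_VALUE > 100000
  AND NOT EXISTS (SELECT 1
                  FROM dbo.MSP_WEB_SECURITY_FEATURES_ACTIONS AS f
                  WHERE f.WSEC_FEA_ACT_NAME_ID = c.CONV_VALUE);
```

Saving the output of the first query before an update gives a baseline to compare against afterward.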

Adding a Secure Link in the Quick Launch

You can add security around Quick Launch links to hide items from users who do not have a specified permission. The permission can be built-in or custom.

Note

The permission secures only the link, not the page itself. The page can do its own security checks using Security class methods in the PSI such as CheckUserGlobalPermission and CheckUserProjectPermissions.

Table 4 lists the site map tables you must change when you add links with custom security. Table 5 describes the fields you use for information about links in the MSP_SITEMAP table, and Table 6 lists the field parameters to set for securing a link with custom permissions.

Table 4. Tables for adding links with custom permissions

| Table | Description |
| --- | --- |
| MSP_SITEMAP | Contains general information about the link, including the GUID, URL, and title. |
| MSP_SITEMAP_PERMISSIONS | Contains the GUID and global permission required to see the link. |

Table 5. Fields to use for link information in MSP_SITEMAP

| Field | Description |
| --- | --- |
| SM_UID | GUID of the Sitemap link. |
| SM_CUSTOM_URL | URL of the link (typed in the Project Web Access page when you created the link). |
| SM_CUSTOM TITLE | Title of the link (typed in the Project Web Access page when you created the link). |

Table 6. Fields to set in MSP_SITEMAP_PERMISSIONS for securing a link

| Field Parameter | Description |
| --- | --- |
| SM_UID | GUID of the Sitemap link. |
| SM_PERMISSION | GUID of the global permission that secures the link. |
| CREATED_REV_COUNTER | Not used; set to 0. |
| MOD_REV_COUNTER | Not used; set to 0. |

There is no PSI method for adding custom links, so you must add them manually by using Project Web Access. The following example secures a link with the previously created global permission named Hello Project Server Security.

  1. In Project Web Access, click Server Settings and then click Quick Launch in the Look and Feel section.

  2. Click New Link in the Set Menu Item Details section. On the Add or Edit Link page, type the link name and Web address. For example, type Project Developer Portal for the name and http://msdn.microsoft.com/office/program/project/ for the Web address. Select the My Work heading and select Yes for Display link in Quick Launch. Figure 1 shows the My Work section in the Quick Launch after you create the example link.

    Figure 1. Custom link in the Quick Launch in Project Web Access

  3. Select the Published database for the Project Server instance you want in SQL Query Analyzer.

  4. Create and run a query that sets the fields described in Table 6. For example, the field parameters in the following query set the Hello Project Server Security global permission for the Sitemap link you created in Step 2.

    Note

    Get the correct GUID for the custom link from the SM_UID field in the MSP_SITEMAP table and the GUID for the global permission from the WSEC_FEA_ACT_UID field in the MSP_WEB_SECURITY_FEATURES_ACTIONS table.

    -- Secure the Quick Launch link (SM_UID) with the custom global permission (SM_PERMISSION).
    INSERT INTO dbo.MSP_SITEMAP_PERMISSIONS
    (SM_UID, SM_PERMISSION, CREATED_REV_COUNTER, MOD_REV_COUNTER)
    VALUES ('{18C255EC-47AF-4429-819C-7806675EF2EC}', '{04DA7D9C-3DAC-4ddc-A974-826002E4389C}', 0, 0)
    

    The query returns the result (1 row(s) affected).

Project Web Access users who have Allow selected for the global permission can see the link. Users who do not have Allow selected, or who are in groups where Allow is not selected, cannot see the link. As always, Deny overrides Allow. If Deny is selected for that permission anywhere in the user settings—for the groups, or for the security template that affects the user—the user cannot see the link.
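
Because rows in MSP_SITEMAP_PERMISSIONS are added by hand, it is worth confirming which custom links actually have a permission attached and that the GUID refers to a defined global permission. The following is an added example, not part of the original article; it uses only the columns listed in Tables 5 and 6 and assumes that links created on the Quick Launch page are the MSP_SITEMAP rows with a non-NULL SM_CUSTOM_URL.

```sql
-- Added example: audit of custom Quick Launch links and their permissions.
-- Assumption: custom links are the rows where SM_CUSTOM_URL is not NULL.
SELECT s.SM_UID,
       s.SM_CUSTOM_URL,
       p.SM_PERMISSION,
       c.CONV_STRING AS PERMISSION_NAME,
       CASE
           WHEN p.SM_UID IS NULL
               THEN 'No permission row for this link'
           WHEN f.WSEC_FEA_ACT_UID IS NULL
               THEN 'SM_PERMISSION is not a defined permission'
           WHEN f.WSEC_ON_OBJECT = 1
               THEN 'Category permission; a global permission is required'
           ELSE 'Secured by a global permission'
       END AS LINK_STATUS
FROM dbo.MSP_SITEMAP AS s
LEFT JOIN dbo.MSP_SITEMAP_PERMISSIONS AS p
       ON p.SM_UID = s.SM_UID
LEFT JOIN dbo.MSP_WEB_SECURITY_FEATURES_ACTIONS AS f
       ON f.WSEC_FEA_ACT_UID = p.SM_PERMISSION
LEFT JOIN dbo.MSP_WEB_CONVERSIONS AS c
       ON c.CONV_VALUE = f.WSEC_FEA_ACT_NAME_ID
      AND c.LANG_ID = 1033
      AND c.STRING_TYPE_UID = '{946E9CC0-ED95-4F6F-877F-9A9ADAB57929}'
WHERE s.SM_CUSTOM_URL IS NOT NULL
ORDER BY LINK_STATUS, s.SM_CUSTOM_URL;
```

A status of "Secured by a global permission" covers only the visibility of the link; the target page still needs its own check, as the Note above states.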
