Assigning Permissions to Support Integration of Project Server and Team Foundation Server
Before you can configure the integration of or synchronize data between Visual Studio Team Foundation Server 2010 and Microsoft Project Server 2007 with Service Pack 2 (SP2) or Project Server 2010, you must grant permissions to several accounts. You must grant permissions to administrators, service accounts, and team members. You must also make sure that specific service accounts have access as a Shared Services Provider (SSP) for the server that hosts SharePoint Products for Project Server.
Note
You should grant permissions after you have installed the service pack for Team Foundation Server 2010 and the feature pack for Team Foundation Server and Project Server Integration. For more information, see System and Setup Requirements to Support Integration of Team Foundation Server and Project Server.
To minimize manually adding users and groups to Team Foundation and Project Server users, you can synchronize users and resources with the users in the Active Directory directory service across multiple domains and forests. For more information, see the following page on the Microsoft website: Manage Active Directory synchronization in Project Server 2007.
Before you assign permissions, you may want to review information on the following pages of the Microsoft website:
For Project Server 2007:
For Project Server 2010:
In this topic
Permissions that Are Required to Configure Integration and Support Data Synchronization
Grant Administrative Permissions to Team Foundation
Grant Project Server Permissions
Add the Service Account for Team Foundation Server to the Shared Services Provider for Project Server 2007
Add the Service Account for Team Foundation Server to the Project Server Service Application for Project Server 2010
Grant Permissions to PWA Databases to the Service Account for the Web Application Pool for Project Server 2010
Required Permissions
To perform the procedures in this topic, you must belong to the following groups or have the following permissions:
To grant Team Foundation permissions: Team Foundation Administrators group or your View instance-level information and Edit instance-level information permissions must be set to Allow. You must also have access to the Team Foundation Administration Console or the Group Membership dialog box for a team project collection by using Team Explorer.
To grant Project Server permissions: Manage users and groups global permission for an instance of Project Web Access or Project Web App (PWA). You must also have access to Project Server through PWA.
To grant Project Server 2010 permissions for the Reporting database: member of the Administrators security group for the SQL Server databases for Project Server.
To grant SSP permissions: the Farm Administrators group, the administrators group for the Web application that supports Project Server, or the SharePoint Administration group. Group membership will depend on the security architecture of your deployment.
To use stsadm.exe: you must be an administrator on the local computer.
Permissions Required to Configure Integration and Support Data Synchronization
To configure the integration of the two server products and to synchronize data, you must grant several sets of permissions. You must grant permissions to the user who performs configuration tasks by using the TfsAdmin ProjectServer command-line tool, which is installed on the same client machine as Visual Studio 2010 SP1. To allow project managers to manage the associations of their enterprise project plans with team projects, you must grant them the Administer Project Server integration permission for those collections that host the team projects that their plans will synchronize with.
Also, you must make sure that specific service accounts are granted administrative permissions to the instances of PWA and access to Shared Services Providers. The requirements differ slightly between Project Server 2007 and Project Server 2010. In addition, you must add Team Foundation users or distribution groups in Active Directory that contain user accounts for team members to the Team Members group in Project Server so that those users can submit updates to Project Server.
Note
You must grant all service accounts for Project Server and SharePoint Products permission to log on to the computer on which the service is running.
The following table summarizes the permissions that you must grant.
Note
The service account for Team Foundation Server also runs the Team Foundation Background Job Agent Service. All TfsAdmin command options are run under this service account, except for the /RegisterPWA and /UnregisterPWA options, which are run under the user who runs the commands. This agent manages data synchronization processes. This account requires permissions to access each instance of PWA that has been mapped and permissions to call Project Server Integration (PSI) services.
Account |
Team Foundation permissions |
Project Server 2007 with SP2 permissions |
Project Server 2010 permissions |
---|---|---|---|
Service account for Team Foundation Server. |
Not applicable. |
You must grant the following Global and Category permissions to the service account for Team Foundation Server:
For more information, see Grant Project Server Permissions later in this topic. You must grant access to the SSP. For more information, see Grant Service Account to Shared Services Provider for Project Server 2007 later in this topic. |
You must grant the following Global and Category permissions to the service account for Team Foundation Server:
For more information, see Grant Project Server Permissions later in this topic. Full Control permissions to start the Project Server Service Application. For more information, see Add a Service Account to the Project Server Service Application for Project Server 2010. |
Service account for the Project Server web application pool. |
Not applicable. |
Not applicable. |
You must grant the service account for the Project Server web application pool the following SQL Server permissions for the PWA Reporting database:
For the PWA Publish database, you must also grant the Select permission. For more information, see Grant Permissions to PWA Databases to the Service Account for the Web Application Pool for Project Server 2010 later in this topic. |
Service account for the Project Server Event Handler. |
Not applicable. |
Not applicable. |
Full Control permissions to the Project Server Service Application. For more information, see Add a Service Account to the Project Server Service Application for Project Server 2010. |
Accounts of users who configure the integration by running the TfsAdmin ProjectServer RegisterPWA/UnRegisterPWA commands. |
You must add these users to the Team Foundation Administrators group. |
You must add these users to the Administrators group for each instance of PWA that you will register with Team Foundation Server. |
You must add these users to the Administrators group for each instance of PWA that you will register with Team Foundation Server. |
Accounts of users who configure the integration by runningTfsAdmin ProjectServer commands but who do not register or unregister instances of PWA. |
You must grant the Administer Project Server integration permission to these users. |
Not applicable. |
Not applicable. |
User accounts assigned as resources in the project plan or to the Assigned To field for a work item. These users submit status updates that flow into the status queue for the project manager. |
You must grant Contributor permissions to team members for the team project. |
You must add team members to the Team Members group for PWA, or you must grant them the Open Project and View Project Site in Project. For more information, see To add Team Foundation users to the Team Members group later in this topic. You must also add these accounts to the enterprise project pool and to the project plan resource pool.
Important
Each time that you add team members to the resources for the project plan, you must publish the project plan so that the synchronization engine will register the changes.
|
You must add team members to the Team Members group for PWA, or you must grant them the Open Project and View Project Site permissions in Project. For more information, see To add Team Foundation members to the Team Members group later in this topic. You must also add these accounts to the enterprise project pool and to the resource pool for the project plan.
Important
Each time that you add team members to the resources for the project plan, you must publish the project plan so that the synchronization engine will register the changes.
|
Accounts of users of Project Professional. |
You must grant View Project-level information or assign them as members of the project Reader group. |
You must add these accounts to the Project Manager group on Project Server. |
You must add these accounts to the Project Manager group on Project Server. |
You can set Team Foundation permissions in Team Explorer or in the Team Foundation Administration Console, as Grant Team Foundation Server Permissions describes later in this topic.
You grant Project Server permissions from the Server Settings page for an instance of Project Server. For more information, see Grant Project Server Permissions later in this topic.
Back to top
Grant Team Foundation Administrative Permissions
To configure the integration of Team Foundation Server and Project Server, you must have permissions to administer Team Foundation Server or a team project collection. For both configuration and synchronization, you must also grant permission to Administer Project Server integration to the user who will configure the integration of the two server products.
Note
For the purposes of configuring the two server products, you can ignore the permissions that are required to administer SharePoint Products and SQL Server Reporting Services.
To grant permissions to administer Team Foundation Server or a team project collection, see Set Administrator Permissions for Team Foundation Server and Set Administrator Permissions for Team Project Collections.
To grant permissions to Administer Project Server Integration
Open the administration console for Team Foundation Server.
For more information, see Open the Team Foundation Administration Console.
Expand the server, click Team Project Collections, click a collection, and then click Administer Security.
In the Global Security window, click [Collection]\Project Collection Service Accounts.
Under Permissions for the Administer Project Server integration, select the Allow check box.
Click Close to close the Global Security window.
Back to top
Grant Project Server Permissions
You must grant Project Server permissions to the following accounts:
You must add to the Administrators group the account of the user who that will register an instance of PWA to Team Foundation Server.
You must either add the service account for Team Foundation Server to the Administrators group, or you must grant that account the minimum set of Global and Category permissions as Permissions Required to Configure Integration and Support Data Synchronization described earlier in this topic.
You must add to the Team Members group the accounts of any Team Foundation members who will submit status updates to Project Server.
To add an account to Project Server and assign to the Administrators Group
From the PWA home page, in the Quick Launch area, click Server Settings.
On the Server Settings page, click Manage Users.
On the Manage Users page, click New User.
On the New User page, type the required information in each field. Note the following:
Clear the check box for User can be assigned as a resource if the account is a service account.
For User Authentication, type the account name of the user or service account.
Clear the check box for Resource can be leveled if the account is an administrator or a service account.
To add the account to the Administrators group, for Security Groups, click Administrators and then click Add.
Click Save.
For more information, see the following pages on the Microsoft website:
To grant the minimum Global permissions to the service account for Team Foundation Server
On the PWA page, in the Quick Launch area, click Server Settings.
On the Server Settings page, click Manage Users.
On the Manage Users page, click New User.
On the New User page, type the required information in each field. Note the following:
Clear the check box for User can be assigned as a resource because the account is a service account.
For User Authentication, type the account name of the service account.
To assign Global Permissions, click the Allow check box under for each permission that you want to set and as specified earlier in this topic.
Click Save.
To grant Category permissions to the service account
From the home page for PWA, in the Quick Launch area, click Server Settings.
On the Server Settings page, click Manage Categories.
On the Manage Categories page, click New Category.
On the Add or Edit Category page, type a name for the service account category. For example, type Servicing Account.
Under Available Users, click the name of the service account for Team Foundation Server, and then click Add.
Under Projects, click All current and future projects in Project Server database.
Click Save.
To add Team Foundation members to the Team Members group
From the home page for PWA, in the Quick Launch area, click Server Settings.
On the Server Settings page, in the Security section, click Manage Groups.
On the Manage Groups page, click Team Members.
On the Add or Edit Group page, - hold down SHIFT, click the users whom you want to add from the Available Users, and then click Add.
Under Categories, verify or add My Tasks from Available Categories to Selected Categories.
For more information, see Add Resources in Team Foundation Server to the Resource Pool for Project Server.
Back to top
Add the Service Account for Team Foundation Server to the Shared Services Provider for Project Server 2007
To support status update processing by the synchronization engine during integration with Project Server 2007, you must add the service account for Team Foundation Server to the Shared Services Provider for Project Server. You can perform this procedure by using the stsadm command-line tool, which can grant a non-administrator the rights to service an SSP. For more information, see the following page on the Microsoft website: Stsadm command-line tool (Office SharePoint Server).
Note
Even if you log on with administrative permissions, you must open an elevated Command Prompt window to run the stsadm command-line tool on a server that is running Windows Server 2008. To open an elevated Command Prompt window, click Start, right-click Command Prompt, and then click Run as Administrator. For more information, see the following page on the Microsoft website: User Access Control.
To grant a service account access to SSP
On every server that is part of the SharePoint Products farm that supports your deployment of Team Foundation Server, open a Command Prompt window, and change directories to Drive:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\bin\.
Type the following command, where TFSServiceAccount is the service account for Team Foundation Server.
stsadm.exe -o editssp -title SharedServices -setaccounts <Existing Service Accounts>, TFSServiceAccount
Important
You must append TFSServiceAccount in the form domain\username to the existing list of service accounts.
Back to top
Add the Service Account for Team Foundation Server to the Project Server Service Application for Project Server 2010
To support status update processing by the synchronization engine for integration with Project Server 2010, you must add the service account for Team Foundation Server to the Project Server Service Application. You can perform this procedure by using SharePoint Central Administration or Windows PowerShell. For more information, see the following page on the Microsoft website: Restrict or enable access to a service application (SharePoint Server 2010).
Important
The SharePoint web application for the instance of PWA must be set to Classic Mode Authentication. You will not be able to register the instance of PWA if it is set to Claims Based Authentication.
To add a service account to a service application by using SharePoint Central Administration (2010)
Open the SharePoint Central Administration page for Project Server.
Under Application Management, click Manage service applications.
On the Manage Service Applications page, highlight the row for Project Server Service Application by clicking within the row but not the name of the application.
The ribbon becomes available.
In the ribbon, click Permissions.
In the Connection Permissions for Project Server Service Application dialog box, type the name of the service account, and then click Add.
In the middle pane, make sure that the name of the newly added service account is highlighted.
In the bottom pane, click the Full Control check box, and then click OK.
Back to top
Grant Permissions to PWA Databases to the Service Account for the Web Application Pool for Project Server 2010
To support data synchronization, you must grant permissions to the service account for the web application pool to update two SQL Server databases for Project Server 2010.
To grant permissions to a database for an instance of PWA
Log on to the data-tier server for Project Server.
Click Start, point to All Programs, point to Microsoft SQL Server 2008, and then click SQL Server Management Studio.
The Connect to Server dialog box opens.
In the Server type list, make sure that Database Engine is clicked.
In Server name, type the name of the server that hosts the databases for Project Server, and then click Connect.
Note
If SQL Server is installed on a cluster, type the name of the cluster, not the computer name. If you have specified a named instance, type the server and instance name in the following format: DatabaseServer\InstanceName.
SQL Server Management Studio opens.
Expand Databases, right-click the database for the instance of PWA (for example, PWA_Reporting), and then click Properties.
Under Select a page, click Permissions.
Add the service account of the web application pool for Project Server, and grant the required permissions. For example, the following permissions for the Reporting database are required: Alter any Schema, Create Table, Delete , Execute, Insert, Select, and Update.
For the Publishing database, grant the Select permission.
Repeat steps 5 through 7 for each instance of PWA that will participate in data synchronization with Team Foundation Server.
See Also
Tasks
Configuring the Integration of Team Foundation Server and Project Server
Concepts
Overview of the Synchronization Process for Team Foundation Server and Project Server Integration
Administering the Integration of Team Foundation Server and Project Server
Change History
Date |
History |
Reason |
---|---|---|
September 2011 |
Clarified the need to publish the project plan after you add team members to the resources for the project plan pool. |
Information enhancement. |
June 2011 |
Corrected the procedure for adding a service account to a service application by using SharePoint Central Administration (2010). Added a note that the SharePoint web application for the instance of PWA must be set to Classic Mode Authentication. |
Content bug fix. |
April 2011 |
Added links to topics that describe how to add resources to the enterprise resource pool in Project Server. Corrected information about the permissions that support the service account for the event handler of Project Server. Added information about permissions for the accounts of users who run the TfsAdmin ProjectServer RegisterPWA/UnRegisterPWA commands. |
Content bug fix. |