Assign permissions to support TFS-Project Server integration
Assigning permissions is the first step in configuring Team Foundation Server and Project Server to support data synchronization. You must grant permissions to several accounts—administrators, service accounts, and team members. You must also make sure that specific service accounts have access as a Shared Services Provider (SSP) for the server that hosts SharePoint Products for Project Server.
You should grant permissions after you have installed Team Foundation Server Extensions for Project Server Integration. For more information, see System and setup requirements to support TFS-Project Server integration.
Before you begin
Before you begin, you’ll want to know which PWA instances and TFS team project collections will participate in data synchronization. You’ll also want to have answers to the following questions.
Do you have all the permissions you need to assign permissions?
Make sure you belong to the following groups:
Team Foundation Administrators group, required to grant TFS permissions. You must also have access to the Team Foundation Administration Console. For more information, see Set administrator permissions for Team Foundation Server.
Administrator for Project Web App for each instance of Project Web Access or Project Web App (PWA), required to grant Project Server permissions. You must also have access to Project Server through PWA.
Administrators security group for the SQL Server databases for Project Server, required to grant permissions to the PWA Reporting and Publishing databases.
Farm Administrators group, the administrators group for the Web application that supports Project Server, or the SharePoint Administration group, required to grant SSP permissions. Group membership will depend on the security architecture of your deployment.
Administrator on the local computer, required to use stsadm.exe.
Is the authentication mode set correctly for your version of Project Server?
For Project Server 2010:
The SharePoint web application for the instance of PWA must be set to Classic Mode Authentication. Classic Mode Authentication uses Windows authentication. User accounts are treated by SharePoint Server 2010 as Active Directory Domain Services (AD DS) accounts.
You will not be able to register the PWA if its authentication is set to Claims Based Authentication. If you’re not sure which authentication mode is set, or you need to switch authentication modes, jump to this section.
For Project Server 2013:
Two permission modes are supported: SharePoint Permission mode and Project Permission mode. Both modes use Claims Based Authentication. The permissions that you need to assign differ, depending on which permission mode is set.
SharePoint permissions mode creates SharePoint groups that directly correspond to the default security groups found in Project Server permission mode. These groups are used to grant users varying levels of access to projects and Project Server functionality. SharePoint permission mode is new for Project Server 2013.
New Project Web App instances use the SharePoint permission mode by default. In an on-premises installation, the mode can be changed for a given instance of Project Web App by using the Set-SPProjectPermissionMode Windows PowerShell cmdlet.
Project Server permission mode provides a set of customizable security groups and other functionality that is distinct from SharePoint groups. This security platform operates independent from the SharePoint permissions in the farm and allows you to fine tune the permission levels for Project Web App users. This is the same permission mode that was available in Project Server 2010.
For a comparison of features supported in each security mode, see Plan user access in Project Server 2013.
If you’re not sure which Permission mode is set, or you need to switch Permission modes, jump to this section.
Have you created Windows groups to effectively manage user accounts?
To minimize manually adding users to TFS and Project Server, create Windows or Active Directory groups. You can then add these groups to TFS groups, Project Server groups, and SharePoint sites that have predefined permissions. You can also synchronize resources with Active Directory across multiple domains and forests.
For more information, see Manage security group synchronization with Active Directory in Project Server 2013.
1. Identify all the service and user accounts that you need to assign permissions to
Identify the service accounts, user accounts, or Active Directory groups that have been configured and will need access to the resources that support data synchronization between TFS and Project Server.
Service accounts
Identify the following service accounts:
Service account for TFS
Open the Team Foundation Administration console. If a Network Service account is used, change it to a domain account.
Service account for the Project Server Event Handler
On the machine where Project Server is installed, open Computer Management, expand Services, and find Microsoft Project Server Events Service. The Log On As column shows the service account.
Service account(s) that run the Project server web application pool(s)
There might be more than one service account, depending on the number of PWA instances that will participate in TFS data synchronization. You need to identify both the SharePoint application pool that hosts PWA and the application pool for the PSI service; the PSI service application pool is often named with a GUID.
Open SharePoint Central Site Administration, Application Management, Manage Service Application, Project Server Application.
Find the SharePoint site that hosts the PWA instance and make a note of its port number. The site might be listed under one or more ports, for example, SharePoint 80, or under a SharePoint web app name.
Open IIS manager, expand sites, and find the SharePoint websites that correspond to the PWA that you identified.
For Project Server 2010: Open Advanced settings for the application Pool and you’ll find the account identity for the AppPool.
For Project Server 2013: Expand SharePoint web services and expand each GUID until you find the one that contains project PSI service. In Advanced settings, identify the Application Pool, which is a GUID pool name.
Under IIS, AppPools, find the account used to run this GUID application pool.
User accounts
Identify the following user accounts or groups:
User account(s) who will run the TFSProjectServer registerPWA command
User account(s) who will map components to support TFS-Project Server integration, but not register PWAs
Users of Project Professional
Users who are assigned as project resources or who have TFS work items assigned to them
These users submit status updates that flow into the status queue for the project manager
Depending on the role, you grant permissions to each PWA instance that participates in data synchronization to the SharePoint server, to the enterprise resource pool, and to TFS.
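The identities that this step asks you to collect can be read off the Project Server machine with a short script instead of clicking through IIS and Services. The following is an added example, not part of the original article; it assumes the IIS WebAdministration module is available, that the PWA sites are named "SharePoint*", and that the PSI service application can be recognised by a "PSI" subfolder under its physical path.

```powershell
# Added example (not from the article): inventory the identities that step 1 asks
# for, run on the server that hosts Project Server and PWA. Assumptions: the IIS
# WebAdministration module is present, PWA sites are named "SharePoint*", and the
# PSI service application can be recognised by a "PSI" subfolder on disk.
Import-Module WebAdministration

# Identities the integration must not run under; the article says to replace
# Network Service with a domain account.
$builtIn = 'NetworkService', 'LocalSystem', 'LocalService', 'ApplicationPoolIdentity'

function Test-DomainAccount {
    param([string]$Identity)
    if ([string]::IsNullOrEmpty($Identity))   { return $false }
    if ($builtIn -contains $Identity)         { return $false }
    if ($Identity -like 'NT AUTHORITY\*')     { return $false }
    if ($Identity -like 'IIS APPPOOL\*')      { return $false }
    return [bool]($Identity -match '^[^\\]+\\[^\\]+$')   # DOMAIN\name form
}

function Get-AppPoolIdentity {
    param([string]$PoolName)
    $pm = (Get-Item "IIS:\AppPools\$PoolName").processModel
    if ($pm.identityType -eq 'SpecificUser') { return $pm.userName }
    return [string]$pm.identityType            # a built-in identity
}

function New-Finding {
    param([string]$Role, [string]$Source, [string]$Identity)
    [pscustomobject]@{
        Role            = $Role
        Source          = $Source
        Identity        = $Identity
        IsDomainAccount = Test-DomainAccount $Identity
    }
}

$findings = @()

# Service account for the Project Server Event Handler (a Windows service).
foreach ($svc in Get-CimInstance Win32_Service -Filter "DisplayName LIKE '%Project Server Events%'") {
    $findings += New-Finding 'Project Server Event Handler' $svc.Name $svc.StartName
}

# Application pool(s) that host the PWA web application(s).
foreach ($site in Get-Website | Where-Object { $_.Name -like 'SharePoint*' -and $_.Name -notlike '*Web Services*' }) {
    $findings += New-Finding 'PWA web application pool' $site.Name (Get-AppPoolIdentity $site.applicationPool)
}

# Project Server 2013: the PSI service application sits under "SharePoint Web
# Services" in a GUID-named application that runs in a GUID-named pool.
foreach ($app in Get-WebApplication -Site 'SharePoint Web Services' -ErrorAction SilentlyContinue) {
    if (Test-Path (Join-Path $app.PhysicalPath 'PSI')) {
        $findings += New-Finding 'PSI service application pool' $app.applicationPool (Get-AppPoolIdentity $app.applicationPool)
    }
}

# Any row with IsDomainAccount = False must be changed before you grant permissions in step 2.
$findings | Format-Table -AutoSize
```

The TFS service account itself is read from the Team Foundation Administration Console on the application-tier server, as the step describes; this script covers only the Project Server side.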
2. Grant permissions to access each PWA instance
Do the following tasks, based on the version and permission mode used in your deployment. You must add accounts for each PWA instance that you will register and map to a team project.
Task | Set for these configurations:
---|---
2-1. Grant Global permissions to the TFS Service account |
2-2. Grant Category permissions to the TFS Service account |
2-3. Add accounts to a PWA security group |
2-4. Add accounts to a PWA security group (SharePoint mode) |
2-5. Add user accounts to the Active Directory Enterprise Resource Pool |
2-1 Grant Global permissions
Required for: and
From the PWA Settings page, open Manage Users, and then New User.
Add the TFS service account.
Type the required information in each field. Note the following:
Clear the check box for User can be assigned as a resource because the account is a service account.
For User Authentication, type the name of the service account for TFS.
Assign the following Global permissions:
Admin: Manage Enterprise Custom Fields, Manage Server Events, Manage Site Services, and Manage Users and Groups.
General: Log On, New Task Assignment, and Reassign Task.
Project: Build Team on New Project.
Views: View Approvals, View Project Center, View Resource Center, and View Task Center.
Save your changes.
2-2 Grant Category permissions
Required for: and
From the home page for PWA, in the Quick Launch area, choose Server Settings.
Next, choose Manage Categories and then New Category.
Type a name for the service account category, for example, type Servicing Account.
Under Available Users, choose the name of the service account for Team Foundation Server, and then choose Add.
Under Projects, choose All current and future projects in Project Server database, and then click Save.
Add the TFS service account and select the checkboxes for these Category permissions:
Project: Open Project and View Project Site
Resource: View Enterprise Resource Data
2-3 Add accounts to a PWA security group
Required for: and
From the PWA Settings page, open Manage Users, New User, and then type the required information in each field:
Clear the check box for User can be assigned as a resource if the account is a service account.
For User Authentication, type the account name of the user or service account for TFS.
Clear the check box for Resource can be leveled if the account is an administrator or a service account.
For Security Groups, add the account or group to one of the default groups:
Administrators: TFS service account and the accounts of users who configure the integration, ones who register or unregister PWAs.
Project Managers: users who work with Project Professional and PWA.
Team Members: users who are assigned as a resource and who are assigned to TFS work items.
If you have customized Category permissions, verify that team members have the following Security Categories: Create New Task or Assignment, Create Object Links, Open Project, View Project Site, and View Project Schedule in Project Web App (Project Server 2010).
For Project Server 2013, Permission mode, select: Open Project, View Project Site, and View Project Schedule in Project Web App.
To modify the category permissions for a selected user in a category, select the category in the Selected Categories list, and then select Allow for the permissions that you want to allow.
Save your changes.
For more information, see Add a user account in Project Server 2010 or Plan user access in Project Server 2013.
2-4 Add accounts to a PWA security group (SharePoint mode)
Required for:
From the PWA home page, open Site settings from the gear icon.
Open Site Collection Administrators and add the TFS service account.
Open People and groups.
Choose the group to which you want to add accounts.
Team Members for Project Web App: accounts assigned as resources in the project plan or to the Assigned To field for a work item. Or, add the Active Directory group used to manage these resources.
Administrators for Project Web App: the service accounts for Team Foundation Server, the Project Server web application pool, and Project Server Event Handler. Also, add the accounts of users who configure the integration by running the TfsAdmin ProjectServer RegisterPWA/UnRegisterPWA commands.
PWA Site Collection Administrators: the accounts of users who configure the integration by running the TfsAdmin ProjectServer RegisterPWA/UnRegisterPWA commands.
Project Managers for Project Web App: accounts of users of Project Professional.
Tip
To view all the default groups, choose More. To view permissions assigned to each group, choose Settings, View Group Permissions. To learn more, see Plan user access in Project Server 2013.
On the group page, choose New, Add users.
Type the name of each account or Active Directory group to add to the selected group.
Choose Share.
2-5 Add user accounts to the Active Directory Enterprise Resource Pool
Required for: , , and
From the PWA settings page, under Operational policies, choose Active Directory resource pool synchronization.
Add the Active Directory group of TFS team members to the enterprise resource pool.
3. Grant SharePoint Server permissions
Grant the specified permissions using SharePoint Central Administration. Or, you can use Windows PowerShell.
Task | Set for these configurations:
---|---
3-1. Grant Full Control Connect permissions to start the Project Server Service Application |
3-2. Add TFS service account to the Site Collection Administrators for the SharePoint site |
3-1 Grant Full Control Connect permissions to start the Project Server Service Application
Required for: and
On the SharePoint server for Project Server, open SharePoint Central Administration, and under Application Management, choose Manage service applications.
Highlight the row for Project Server Service Application by clicking within the row but not the name of the application. In the ribbon, choose Permissions.
Type the name of the service account for TFS, and then choose Add.
Make sure that the name of the newly added service account is highlighted, and then select the Full Control check box. Choose OK.
Repeat steps 3 and 4, this time adding the service account for the Project Server Event Handler. If there is more than one service account, make sure that you add each of them.
For more information, see Restrict or enable access to a service application.
3-2. Add TFS service account to the Site Collection Administrators group
Required for:
On the SharePoint server for Project Server, open SharePoint 2013 Central Administration, and choose Site settings from the gear icon.
Choose Site collection administrators.
Type the name of the TFS service account, and choose OK when done.
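As the section notes, these SharePoint-side grants can also be done from Windows PowerShell. The following is an added example, not from the article, that scripts task 3-1, task 3-2 and the SharePoint-mode group memberships of task 2-4 with the SharePoint Server cmdlets and object model; it is run from the SharePoint Management Shell as a farm administrator, and the PWA URL, the account and Active Directory group names, and the "*Project*" type-name filter used to locate the service application are assumptions.

```powershell
# Added example (not from the article): tasks 3-1, 3-2 and 2-4 scripted with the
# SharePoint Server cmdlets and object model. Run in the SharePoint Management
# Shell as a farm administrator. URL and account names below are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$pwaUrl      = 'http://projectserver/pwa'     # placeholder PWA site URL
$tfsService  = 'CONTOSO\tfsservice'            # placeholder TFS service account
$eventSvc    = 'CONTOSO\psevents'              # placeholder Event Handler account
$pwaAppPool  = 'CONTOSO\pwaapppool'            # placeholder PS web app pool account
$integrators = @('CONTOSO\pmadmin')            # placeholder users who run RegisterPWA

# --- 3-1: Full Control "connect" rights on the Project Server Service Application.
# Assumption: the service application's TypeName contains "Project".
$psApp = Get-SPServiceApplication | Where-Object { $_.TypeName -like '*Project*' } | Select-Object -First 1
if (-not $psApp) { throw 'Project Server Service Application not found' }
$security = Get-SPServiceApplicationSecurity $psApp     # connect ACL (no -Admin)
foreach ($acct in $tfsService, $eventSvc) {
    $principal = New-SPClaimsPrincipal -Identity $acct -IdentityType WindowsSamAccountName
    Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights 'Full Control'
}
Set-SPServiceApplicationSecurity $psApp -ObjectSecurity $security

# --- 3-2 and 2-4: site collection administrators and the PWA groups (SharePoint mode).
$web = Get-SPWeb $pwaUrl

function Add-ToPwaGroup {
    param($Web, [string]$GroupName, [string[]]$Accounts)
    $group = $Web.SiteGroups | Where-Object { $_.Name -eq $GroupName }
    if (-not $group) { throw "Group '$GroupName' not found on $($Web.Url)" }
    foreach ($acct in $Accounts) {
        $user = $Web.EnsureUser($acct)           # idempotent: creates or returns the user
        if (-not ($group.Users | Where-Object { $_.ID -eq $user.ID })) { $group.AddUser($user) }
    }
}

# 3-2 (TFS service account) and 2-4 (users who register PWAs): site collection admins.
foreach ($acct in @($tfsService) + $integrators) {
    $user = $web.EnsureUser($acct)
    $user.IsSiteAdmin = $true
    $user.Update()
}

# 2-4: the default PWA groups named in the article.
Add-ToPwaGroup $web 'Administrators for Project Web App' (@($tfsService, $pwaAppPool, $eventSvc) + $integrators)
# Project managers and team members are best managed as AD groups (see "Before you begin").
Add-ToPwaGroup $web 'Project Managers for Project Web App' @('CONTOSO\ProjectManagers')   # placeholder group
Add-ToPwaGroup $web 'Team Members for Project Web App'     @('CONTOSO\TfsTeamMembers')    # placeholder group

# Read back what was granted so the result can be checked against the checklist.
(Get-SPServiceApplicationSecurity $psApp).AccessRules | Format-List
$web.SiteAdministrators | Select-Object LoginName
$web.Dispose()
```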
4. Grant Project Server database permissions
Required for: , , and
Grant permissions to both the service account for TFS and the service account for the Project Server web application pool to update the database or databases for each PWA instance. This step is required for all deployments, both Project Server 2010 and Project Server 2013.
On the data-tier server for Project Server, open SQL Server Management Studio.
In the Server type list, select Database Engine.
In Server name, type the name of the server that hosts the databases for Project Server, and then choose Connect.
Note
If SQL Server is installed on a cluster, type the name of the cluster, not the computer name. If you have specified a named instance, type the server and instance name in the following format: DatabaseServer\InstanceName.
SQL Server Management Studio opens.
Expand Databases, right-click or open the context menu for the database for the instance of PWA, and then choose Properties:
For Project Server 2010: PWA_Reporting or PWA_Publishing
For Project Server 2013: ProjectWebApp
On the Permissions page, add the service account for TFS (required for Project Server 2010 and for Project Server 2013 in Project Permission mode).
For SQL Server 2008: Choose Add to add an account.
For SQL Server 2012: Choose Search to add an account.
Grant these permissions based on the database you’ve selected:
For Project Server 2010, PWA_Reporting: Alter any Schema, Create Table, Delete, Execute, Insert, Select, and Update.
For Project Server 2010, PWA_Publishing: Select.
For Project Server 2013, ProjectWebApp: Alter any Schema, Create Table, Delete, Execute, Insert, Select, and Update.
Repeat steps 5 and 6, this time adding the service account of the Project Server web application pool. This is required for all deployments.
Repeat steps 4 through 7 for each instance of PWA that will participate in data synchronization with TFS.
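The grants in this step map to ordinary T-SQL, which makes them easy to apply and, more importantly, to re-check after a customization. The following is an added example, not from the article: it applies exactly the permission sets listed above for one PWA instance through Invoke-Sqlcmd (SqlServer or SQLPS module) and then reads back what each account actually holds, reporting anything missing or extra. The instance name, version selector, account names and the assumption that the caller can create logins and grant in these databases are all placeholders.

```powershell
# Added example (not from the article): apply and verify the step-4 database grants
# for one PWA instance with Invoke-Sqlcmd (SqlServer/SQLPS module). Run as a login
# that can create logins and grant in these databases. Server, account and
# database names are placeholders; the permission sets are the ones the article lists.
Import-Module SqlServer -ErrorAction SilentlyContinue

$sqlInstance = 'SQLSERVER\PROJECT'     # placeholder; use the cluster name if clustered
$version     = '2013'                  # '2010' or '2013'
# TFS service account (2010 and 2013 Permission mode) and the Project Server web
# application pool account (all deployments).
$accounts    = 'CONTOSO\tfsservice', 'CONTOSO\pwaapppool'

$full = 'ALTER ANY SCHEMA', 'CREATE TABLE', 'DELETE', 'EXECUTE', 'INSERT', 'SELECT', 'UPDATE'
$grants = if ($version -eq '2010') {
    @{ 'PWA_Reporting' = $full; 'PWA_Publishing' = @('SELECT') }
} else {
    @{ 'ProjectWebApp' = $full }
}

function Set-PwaDatabaseGrants {
    param([string]$Database, [string]$Account, [string[]]$Permissions)
    # Same effect as the Permissions page in SSMS: map the login as a database
    # user and grant exactly the listed permissions, nothing more.
    $sql = @"
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$Account')
    CREATE USER [$Account] FOR LOGIN [$Account];
GRANT $($Permissions -join ', ') TO [$Account];
"@
    Invoke-Sqlcmd -ServerInstance $sqlInstance -Database $Database -Query $sql
}

function Test-PwaDatabaseGrants {
    param([string]$Database, [string]$Account, [string[]]$Expected)
    # Read back the database-scoped GRANTs and diff them against the expected set.
    $rows = Invoke-Sqlcmd -ServerInstance $sqlInstance -Database $Database -Query @"
SELECT pe.permission_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = N'$Account' AND pe.class_desc = 'DATABASE' AND pe.state IN ('G', 'W');
"@
    $actual  = @($rows | ForEach-Object { $_.permission_name.Trim() })
    $missing = $Expected | Where-Object { $actual -notcontains $_ }
    $extra   = $actual   | Where-Object { $Expected -notcontains $_ -and $_ -ne 'CONNECT' }
    [pscustomobject]@{ Database = $Database; Account = $Account
                       Missing  = ($missing -join ', '); Extra = ($extra -join ', ') }
}

# Make sure the Windows logins exist at the server level (once per account).
foreach ($acct in $accounts) {
    Invoke-Sqlcmd -ServerInstance $sqlInstance -Database master -Query @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$acct')
    CREATE LOGIN [$acct] FROM WINDOWS;
"@
}

foreach ($db in $grants.Keys) {
    foreach ($acct in $accounts) {
        Set-PwaDatabaseGrants  -Database $db -Account $acct -Permissions $grants[$db]
        Test-PwaDatabaseGrants -Database $db -Account $acct -Expected    $grants[$db]
    }
}
```

Run it once per PWA instance that participates in synchronization; an empty Missing and Extra column for every row is the expected result, and a non-empty Extra column is worth a look because it means the account holds more than the integration needs.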
5. Add user accounts to Team Foundation Administrators group
Required for: , , and
On the application-tier server, open the Team Foundation Administration Console, and open Group Membership.
Open Team Foundation Administrators.
Choose Windows User or Group and then choose Add.
Enter the name of the accounts of users who configure the integration by running the TfsAdmin ProjectServer RegisterPWA/UnRegisterPWA commands.
6. Grant Administer Project Server integration permissions
Required for: , , and
Accounts of users who configure the TFS-Project Server integration require the Administer Project Server Integration permission set to Allow. Set this for each project collection that you map to a PWA.
From the Security page for the project collection, open the permissions for the user account or Windows group that you've added to TFS for administering Project Server integration, and set Administer Project Server Integration to Allow.
7. Add accounts to Team Foundation groups
Required for: , , and
Accounts of users who work in Project Professional or TFS require permissions to view or contribute to TFS.
From the TWA administration Security page for the team project, you can add accounts to either the project collection or each team project. Add accounts or the Active Directory groups to the appropriate roles.
Verify that user accounts or groups have been added to the following TFS groups for each team project that will participate in data synchronization:
Contributor role: Team members who work in a TFS project that is integrated with Project Server. This includes all user accounts assigned as resources in the project plan or to the Assigned To field for a work item. These users submit status updates that flow into the status queue for the project manager.
Reader role: Users who modify enterprise project plans that are mapped to a team project.
For more information, see Add users to team projects.
Permission checklist
Use the following checklist to review that all permissions have been set according to your version and authentication mode. Remember that permissions must be granted to accounts for all PWA instances, team projects, and project collections that will participate in data synchronization between TFS and Project Server. If you customize a role or security categories for a role, you might inadvertently remove required permissions.
Account | Permissions | Project Server 2010 | Project Server 2013 (Permission mode) | Project Server 2013 (SharePoint mode) | Application
---|---|---|---|---|---
Service Account for TFS | Global and Category permissions | | | | PWA
 | Administrators for Project Web App group | | | | PWA
 | Site Collection Administrators group | | | | SharePoint Central Administration
 | Connect permissions to the Project Server Service Application (Full Control) | | | | SharePoint Central Administration
 | PWA_Reporting and PWA_Publishing databases | | | | SQL Server Management Studio
 | ProjectWebApp database | | | | SQL Server Management Studio
Service account for the Project Server web application pool (Note 1) | Administrators for PWA group | | | | PWA
 | PWA_Reporting and PWA_Publishing databases | | | | SQL Server Management Studio
 | ProjectWebApp database | | | | SQL Server Management Studio
Service account for the Project Server Event Handler | Connect permissions to the Project Server Service Application (Full Control) | | | | SharePoint Central Administration
 | Administrators for PWA group | | | | PWA
User accounts who will configure the integration and run the TFSProjectServer registerPWA command | Administrators for PWA group | | | | PWA
 | Site Collection Administrators group | | | | SharePoint Central Administration
 | Team Foundation Administrators group | | | | Team Foundation Administration Console
 | Administer Project Server integration | | | | TWA
User accounts who will map components to support TFS-Project Server integration, but not register PWAs | Administer Project Server integration | | | | TWA
Users of Project Professional | Project Manager group for each PWA instance | | | | PWA
 | TFS Readers group | | | | TWA
Users who are assigned as project resources or who have TFS work items assigned to them | Team Members for the PWA App group | | | | PWA
 | Enterprise project pool and the project resource pool for the project plan | | | | PWA
 | TFS Contributors group | | | | TWA
Notes:
Some deployments might have more than one service account for the Project Server Web Application Pool. See step 1 above to determine the service accounts for these application pools.
The Security Categories assigned to Team Members by default are sufficient; however, if these categories have been customized, then some permissions might have been removed. The following categories are required: Create New Task or Assignment, Create Object Links, Open Project, View Project Site, and View Project Schedule in Project Web App (Project Server 2010), and Open Project, View Project Site, and View Project Schedule in Project Web App (Project Server 2013, Project permission mode).
Q & A
Q: How do I determine or change the Authentication mode in SharePoint 2010?
A: From SharePoint 2010 Central Administration site, open Manage web applications from the Application Management section, and then open the PWA application.
Verify that Classic Mode Authentication is selected.
If it isn't, you'll need to create a new PWA instance that uses Windows-Classic authentication.
Q: How do I determine the Permission mode in SharePoint 2013?
A: From the PWA home page, use the gear icon to open PWA settings.
If SharePoint Permissions mode is set, you’ll see this page:
If Project Permissions mode is set, you’ll see this page, which includes a section titled Security. You’ll also see additional links:
Q: How do I switch permission modes in Project Server 2013?
A: By default, PWA apps are created using SharePoint permission mode.
If you switch from SharePoint permission mode to classic Project Server permission mode, you have to manually configure your security permissions structure in Project Server 2013. Switching between SharePoint permission mode and Project Server permission mode deletes all security-related settings.
To switch permission mode, see Set-SPProjectPermissionMode.
Q: What other resources are available?
A: You might find answers to additional questions from the following resources:
Project Server 2010
Microsoft Project Server 2013
See Also
Tasks
Configure TFS-Project Server integration
Concepts
Synchronization process overview for TFS-Project Server integration
Administrate the integration of Team Foundation Server and Project Server