
Assign permissions to support TFS-Project Server integration

Before you can configure the integration of or synchronize data between Visual Studio Team Foundation Server and Microsoft Project Server, you must grant permissions to several accounts—administrators, service accounts, and team members. You must also make sure that specific service accounts have access as a Shared Services Provider (SSP) for the server that hosts SharePoint Products for Project Server.

You should grant permissions after you have installed Team Foundation Server Extensions for Project Server Integration. For more information, see System and setup requirements to support TFS-Project Server integration.

To reduce the manual work of adding users and groups to Team Foundation Server and Project Server, you can synchronize users and resources with the users in the Active Directory directory service across multiple domains and forests. For more information, see the following page on the Microsoft website: Manage security group synchronization with Active Directory in Project Server 2013.

Before you assign permissions, you might want to review information on the following pages of the Microsoft website:

Requirements

You must belong to the following groups or have the following permissions:

  • To grant Team Foundation permissions: Team Foundation Administrators group or your View instance-level information and Edit instance-level information permissions must be set to Allow. You must also have access to the Team Foundation Administration Console or the Group Membership dialog box for a team project collection by using Team Explorer.

  • To grant Project Server permissions: Manage users and groups global permission for an instance of Project Web Access or Project Web App (PWA). You must also have access to Project Server through PWA.

  • To grant Project Server 2010 permissions for the Reporting database: member of the Administrators security group for the SQL Server databases for Project Server.

  • To grant SSP permissions: the Farm Administrators group, the administrators group for the Web application that supports Project Server, or the SharePoint Administration group. Group membership will depend on the security architecture of your deployment.

  • To use stsadm.exe: you must be an administrator on the local computer.

You must grant permissions to the user who performs configuration tasks by using the TfsAdmin ProjectServer command-line tool, which is installed on the same client machine as Visual Studio 2012. To allow project managers to manage the associations of their enterprise project plans with team projects, you must grant them the Administer Project Server integration permission for those collections that host the team projects that their plans will synchronize with.

Also, you must make sure that specific service accounts are granted administrative permissions to the instances of PWA and access to Shared Services Providers. In addition, you must add Team Foundation users or distribution groups in Active Directory that contain user accounts for team members to the Team Members group in Project Server so that those users can submit updates to Project Server.

Note

You must grant all service accounts for Project Server and SharePoint Products permission to log on to the computer on which the service is running.

The following two sections summarize the permissions that you must grant based on the version of Project Server that you are integrating with.

Note

The service account for Team Foundation Server also runs the Team Foundation Background Job Agent Service. All TfsAdmin command options are run under this service account, except for the /RegisterPWA and /UnregisterPWA options, which are run under the user who runs the commands. This agent manages data synchronization processes. This account requires permissions to access each instance of PWA that has been mapped and permissions to call Project Server Integration (PSI) services.

Account: Service account for Team Foundation Server.

Team Foundation permissions: Not applicable.

Project Server 2010 permissions: Grant the following Global and Category permissions to the service account for Team Foundation Server:

  • Global – Admin: Manage Enterprise Custom Fields, Manage Server Events, Manage Site Services, and Manage Users and Groups.

  • Global – General: Log On, New Task Assignment, and Reassign Task.

  • Global – Project: Build Team on New Project.

  • Global – Views: View Approvals, View Project Center, View Resource Center, and View Task Center.

  • Category – Project: Open Project and View Project Site.

  • Category – Resource: View Enterprise Resource Data.

For more information, see Grant Project Server Permissions later in this topic.

Grant Full Control permissions to start the Project Server Service Application. For more information, see Add a Service Account to the Project Server Service Application for Project Server 2010.

Account: Service account for the Project Server web application pool.

Team Foundation permissions: Not applicable.

Project Server 2010 permissions: Grant the service account for the Project Server web application pool the following SQL Server permissions for the PWA Reporting database:

  • Alter any Schema

  • Create Table

  • Delete

  • Execute

  • Insert

  • Select

  • Update

For the PWA Publish database, grant the Select permission.

For more information, see Grant Project Server database permissions later in this topic.

Account: Service account for the Project Server Event Handler.

Team Foundation permissions: Not applicable.

Project Server 2010 permissions: Full Control permissions to the Project Server Service Application. For more information, see Add a Service Account to the Project Server Service Application for Project Server 2010.

Account: Accounts of users who configure the integration by running the TfsAdmin ProjectServer RegisterPWA/UnRegisterPWA commands.

Team Foundation permissions: Add these users to the Team Foundation Administrators group.

Project Server 2010 permissions: Add these users to the Administrators group for each instance of PWA that you will register with TFS.

Account: Accounts of users who configure the integration by running TfsAdmin ProjectServer commands but who do not register or unregister instances of PWA.

Team Foundation permissions: Grant the Administer Project Server integration permission to these users.

Project Server 2010 permissions: Not applicable.

Account: User accounts assigned as resources in the project plan or to the Assigned To field for a work item. These users submit status updates that flow into the status queue for the project manager.

Team Foundation permissions: Add accounts of team members to the Contributor group for the team project.

Project Server 2010 permissions: Add team members to the Team Members group for PWA, or grant them the Open Project and View Project Site permissions in Project. For more information, see To add Team Foundation members to the Team Members group later in this topic.

You must also add these accounts to the enterprise project pool and to the resource pool for the project plan.

Account: Accounts of users of Project Professional.

Team Foundation permissions: Grant View Project-level information or assign them as members of the project Reader group.

Project Server 2010 permissions: Add these accounts to the Project Manager group on Project Server.

SharePoint Permission Mode, the default mode for managing security in Project Server 2013, creates a set of SharePoint security groups that are associated with Project Server 2013. These groups are used to grant users varying levels of access to projects and Project Server functionality. For a comparison of features between SharePoint and Project Server permission mode, see Plan user access in Project Server 2013.

Both permission modes use Claims Based Authentication. To change to Project Server Permission mode, see Set-SPProjectPermissionMode.

Account: Service account for Team Foundation Server.

Team Foundation permissions: Not applicable.

Project Server Permission mode: Grant the following Global and Category permissions to the service account for Team Foundation Server:

  • Global – Admin: Manage Enterprise Custom Fields, Manage Server Events, Manage Site Services, and Manage Users and Groups.

  • Global – General: Log On, New Task Assignment, and Reassign Task.

  • Global – Project: Build Team on New Project.

  • Global – Views: View Approvals, View Project Center, View Resource Center, and View Task Center.

  • Category – Project: Open Project and View Project Site.

  • Category – Resource: View Enterprise Resource Data.

For more information, see Grant Project Server database permissions later in this topic.

Full Control permissions to start the Project Server Service Application. For more information, see Add a Service Account to the Project Server Service Application for Project Server 2010.

SharePoint Permission mode: Add the service account for Team Foundation Server to the Site Collection Administrators for SharePoint and the Administrators for PWA groups for each instance of PWA.

See Add service accounts to the Site Collection Administrators group for Project Server 2013, and To add a user account or a group to Project Server 2013.

Account: Service account for the Project Server web application pool.

Team Foundation permissions: Not applicable.

Project Server Permission mode: Add the service account to the Administrators for PWA group.

Grant the service account for the Project Server web application pool the following SQL Server permissions for each instance of PWA database:

  • Alter any Schema

  • Create Table

  • Delete

  • Execute

  • Insert

  • Select

  • Update

See Grant Project Server database permissions later in this topic.

SharePoint Permission mode: Add the service account for the Project Server web application pool to the Administrators for PWA group.

Grant the same database permissions as for Project Server Permission mode.

Account: Service account for the Project Server Event Handler.

Team Foundation permissions: Not applicable.

Project Server Permission mode: Grant Full Control permissions to the Project Server Service Application.

SharePoint Permission mode: Add the service account for the Project Server Event Handler as a member of the Administrators for PWA group.

Account: Accounts of users who configure the integration by running the TfsAdmin ProjectServer RegisterPWA/UnRegisterPWA commands.

Team Foundation permissions: Add these users to the Team Foundation Administrators group.

Project Server Permission mode: Add these users to the Administrators group for each instance of PWA that you will register with TFS.

SharePoint Permission mode: Add these users to the Site Collection Administrators for SharePoint and the Administrators for PWA groups for each instance of PWA.

See Add service accounts to the Site Collection Administrators group for Project Server 2013.

Account: Accounts of users who configure the integration by running TfsAdmin ProjectServer commands but who do not register or unregister instances of PWA.

Team Foundation permissions: Grant the Administer Project Server integration permission to these users.

Project Server Permission mode: Not applicable.

SharePoint Permission mode: Not applicable.

Account: User accounts assigned as resources in the project plan or to the Assigned To field for a work item. These users submit status updates that flow into the status queue for the project manager.

Team Foundation permissions: Add team members to the Contributor group for the team project.

Project Server Permission mode: Add team members to the Team Members group for PWA, or grant them the Open Project and View Project Site permissions in Project. For more information, see To add Team Foundation members to the Team Members group later in this topic.

You must also add these accounts to the enterprise project pool and to the resource pool for the project plan.

SharePoint Permission mode: Add team members to the Team Members for Project Web App group for each instance of PWA. See To add a user account or a group to Project Server 2013.

Account: Accounts of users of Project Professional.

Team Foundation permissions: Grant View Project-level information or assign them as members of the project Reader group.

Project Server Permission mode: Add these accounts to the Project Manager group on Project Server.

SharePoint Permission mode: Add accounts to the Team Members for Project Web App group for each instance of PWA. See To add a user account or a group to Project Server 2013.

You can set Team Foundation permissions in Team Explorer or in the Team Foundation Administration Console.

To configure the integration of Team Foundation Server and Project Server, you must have permissions to administer Team Foundation Server or a team project collection. For both configuration and synchronization, you must also grant permission to Administer Project Server integration to the user who will configure the integration of the two server products.

Note

For the purposes of configuring the two server products, you can ignore the permissions that are required to administer SharePoint Products and SQL Server Reporting Services.

To grant permissions to administer Team Foundation Server or a team project collection, see Set administrator permissions for Team Foundation Server and Set administrator permissions for team project collections.

To grant permissions to Administer Project Server Integration

  1. Open the administration console for Team Foundation Server.

    For more information, see Open the Team Foundation Administration Console.

  2. Expand the server, choose Team Project Collections, choose a collection, and then choose Administer Security.

  3. In the Global Security window, choose [Collection]\Project Collection Service Accounts.

  4. Under Permissions for the Administer Project Server integration, select the Allow check box.

  5. Choose Close to close the Global Security window.

You must grant Project Server permissions to the following accounts:

  • To the Administrators group, add the account of the user who will register an instance of PWA to Team Foundation Server.

  • To the Administrators group, either add the service account for Team Foundation Server or grant that account the minimum set of Global and Category permissions, as described in Permissions Required to Configure Integration and Support Data Synchronization earlier in this topic.

  • To the Team Members group, add the accounts of any Team Foundation members who will submit status updates to Project Server.

To add an account to Project Server and assign to the Administrators Group for Project Server 2010

  1. From the PWA home page, in the Quick Launch area, choose Server Settings.

  2. On the Server Settings page, choose Manage Users.

  3. On the Manage Users page, choose New User.

  4. On the New User page, type the required information in each field. Note the following:

    1. Clear the check box for User can be assigned as a resource if the account is a service account.

    2. For User Authentication, type the account name of the user or service account.

    3. Clear the check box for Resource can be leveled if the account is an administrator or a service account.

    4. To add the account to the Administrators group, for Security Groups, choose Administrators and then choose Add.

  5. Choose Save.

For more information, see Add a user account in Project Server 2010.

To grant the minimum Global permissions to the service account for Team Foundation Server

  1. On the PWA page, in the Quick Launch area, choose Server Settings.

  2. On the Server Settings page, choose Manage Users.

  3. On the Manage Users page, choose New User.

  4. On the New User page, type the required information in each field. Note the following:

    1. Clear the check box for User can be assigned as a resource because the account is a service account.

    2. For User Authentication, type the account name of the service account.

    3. To assign Global Permissions, select the Allow check box for each permission that you want to set, as specified earlier in this topic.

  5. Choose Save.

To grant Category permissions to the service account

  1. From the home page for PWA, in the Quick Launch area, choose Server Settings.

  2. On the Server Settings page, choose Manage Categories.

  3. On the Manage Categories page, choose New Category.

  4. On the Add or Edit Category page, type a name for the service account category. For example, type Servicing Account.

  5. Under Available Users, choose the name of the service account for Team Foundation Server, and then choose Add.

  6. Under Projects, choose All current and future projects in Project Server database.

  7. Choose Save.

To add Team Foundation members to the Team Members group

  1. From the home page for PWA, in the Quick Launch area, choose Server Settings.

  2. On the Server Settings page, in the Security section, choose Manage Groups.

  3. On the Manage Groups page, choose Team Members.

  4. On the Add or Edit Group page, hold down the SHIFT key, choose the users whom you want to add from the Available Users, and then choose Add.

  5. Under Categories, verify or add My Tasks from Available Categories to Selected Categories.

For more information, see the following page on the Microsoft website: Manage security groups in Project Server 2010.

To add a user account or a group to Project Server 2013

  1. From the PWA home page, open Site settings from the gear icon.

  2. On the Site Settings page, choose People and groups.

  3. Choose the group to which you want to add accounts.

    • To add team members, choose Team Members for Project Web App.

    • To add service accounts or administrator accounts, choose Administrators for Project Web App.

    • To add project management accounts, choose More, and then choose Project Managers for Project Web App.

    Tip

    To view all the default groups, choose More. To view permissions assigned to each group, choose Settings, View Group Permissions. To learn more, see Plan user access in Project Server 2013.

  4. On the group page, choose New, Add users.

  5. Type the name of each account or Active Directory group to add to the selected group.

    • To the Administrators for PWA group, add the service accounts for Team Foundation Server, the Project Server web application pool, and Project Server Event Handler. Also, add the accounts of users who configure the integration by running the TfsAdmin ProjectServer RegisterPWA/UnRegisterPWA commands.

    • For Team Members for Project Web App, add the user accounts assigned as resources in the project plan or to the Assigned To field for a work item. Or, add the Active Directory group used to manage these resources.

    • For Project Managers for Project Web App, add the accounts of users of Project Professional.

  6. Choose Share.

The permissions you must grant in SharePoint differ depending on the version of Project Server that you are integrating with TFS.

To support status update processing by the synchronization engine for integration with Project Server 2010, you must add the service account for Team Foundation Server to the Project Server Service Application. You can perform this procedure by using SharePoint Central Administration or Windows PowerShell. For more information, see the following page on the Microsoft website: Restrict or enable access to a service application (SharePoint Server 2010).

Important

The SharePoint web application for the instance of PWA must be set to Classic Mode Authentication. You will not be able to register the instance of PWA if it is set to Claims Based Authentication.

To add a service account to a service application by using SharePoint Central Administration (2010)

  1. Open the SharePoint Central Administration page for Project Server.

  2. Under Application Management, choose Manage service applications.

  3. On the Manage Service Applications page, highlight the row for Project Server Service Application by clicking within the row but not the name of the application.

    The ribbon becomes available.

  4. In the ribbon, choose Permissions.

  5. In the Connection Permissions for Project Server Service Application dialog box, type the name of the service account, and then choose Add.

  6. In the middle pane, make sure that the name of the newly added service account is highlighted.

  7. In the bottom pane, select the Full Control check box, and then choose OK.

Add required user and service accounts to the SharePoint Site Collection Administrators group.

  1. Log on to the SharePoint server for Project Server.

  2. Choose Start, Microsoft SharePoint 2013 Products, SharePoint 2013 Central Administration.

  3. Choose Site settings from the gear icon.

  4. Choose Site collection administrators.

  5. Type the names of the service account for Team Foundation Server and the accounts of users who register or unregister instances of PWA (by running the TfsAdmin ProjectServer RegisterPWA/UnRegisterPWA commands).

  6. Choose OK when done.

To support data synchronization, you must grant permissions to the service account for the web application pool to update two SQL Server databases for each instance of PWA. This applies to both Project Server 2010 and Project Server 2013.

To grant permissions to a database for an instance of PWA

  1. Log on to the data-tier server for Project Server.

  2. Choose Start, All Programs, Microsoft SQL Server 2008 or Microsoft SQL Server 2012, SQL Server Management Studio.

    The Connect to Server dialog box opens.

  3. In the Server type list, select Database Engine.

  4. In Server name, type the name of the server that hosts the databases for Project Server, and then choose Connect.

    Note

    If SQL Server is installed on a cluster, type the name of the cluster, not the computer name. If you have specified a named instance, type the server and instance name in the following format: DatabaseServer\InstanceName.

    SQL Server Management Studio opens.

  5. Expand Databases, open the context menu for the database for the instance of PWA (for example, PWA_Reporting), and then choose Properties.

  6. Under Select a page, choose Permissions.

  7. Add the service account of the web application pool for Project Server, and grant the required permissions. For example, the following permissions for the Reporting database are required: Alter any Schema, Create Table, Delete, Execute, Insert, Select, and Update.

    For the Publishing database, grant the Select permission.

  8. Repeat steps 5 through 7 for each instance of PWA that will participate in data synchronization with Team Foundation Server.
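
The grants from steps 5 through 7 written as T-SQL, followed by a check that the account holds exactly those database-level permissions in the Reporting database. This is an added example, not part of the original topic: the account name CONTOSO\svc-pwa-apppool and the database name PWA_Published are placeholders, and a server login for the account is assumed to exist.

```sql
-- Added example (not from the original topic). Placeholders / assumptions:
--   CONTOSO\svc-pwa-apppool  service account of the Project Server web application pool
--   PWA_Published            Publish database of this PWA instance
--   PWA_Reporting            example Reporting database name used in step 5
-- A server login for the account is assumed to exist already.

USE [PWA_Reporting];

-- Map the login to a database user if it is not present yet.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'CONTOSO\svc-pwa-apppool')
    CREATE USER [CONTOSO\svc-pwa-apppool] FOR LOGIN [CONTOSO\svc-pwa-apppool];

-- Reporting database: the seven database-level permissions from step 7.
GRANT ALTER ANY SCHEMA, CREATE TABLE, DELETE, EXECUTE, INSERT, SELECT, UPDATE
    TO [CONTOSO\svc-pwa-apppool];

USE [PWA_Published];

IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'CONTOSO\svc-pwa-apppool')
    CREATE USER [CONTOSO\svc-pwa-apppool] FOR LOGIN [CONTOSO\svc-pwa-apppool];

-- Publish database: read access only.
GRANT SELECT TO [CONTOSO\svc-pwa-apppool];

-- Verification: compare what is granted in the Reporting database
-- with the required set, in both directions.
USE [PWA_Reporting];

DECLARE @acct sysname = N'CONTOSO\svc-pwa-apppool';

WITH required (permission_name) AS (
    SELECT v.p
    FROM (VALUES (N'ALTER ANY SCHEMA'), (N'CREATE TABLE'), (N'DELETE'), (N'EXECUTE'),
                 (N'INSERT'), (N'SELECT'), (N'UPDATE')) AS v (p)
),
granted (permission_name) AS (
    SELECT pe.permission_name COLLATE DATABASE_DEFAULT
    FROM sys.database_permissions AS pe
    JOIN sys.database_principals AS pr
      ON pr.principal_id = pe.grantee_principal_id
    WHERE pr.name = @acct
      AND pe.class = 0                      -- database-level entries only
      AND pe.state IN ('G', 'W')            -- GRANT or GRANT WITH GRANT OPTION
      AND pe.permission_name <> N'CONNECT'  -- added implicitly by CREATE USER
)
SELECT N'missing' AS finding, m.permission_name
FROM (SELECT permission_name FROM required
      EXCEPT
      SELECT permission_name FROM granted) AS m
UNION ALL
SELECT N'not required', x.permission_name
FROM (SELECT permission_name FROM granted
      EXCEPT
      SELECT permission_name FROM required) AS x;

-- Database roles the account belongs to; a role such as db_owner
-- carries far more than the permissions listed above.
SELECT r.name AS role_name
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = m.member_principal_id
WHERE u.name = @acct;
```

An empty first result set means the grants match the list in step 7 exactly; any row in the second result set is a role membership that extends the account beyond those permissions.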
