Assign Permissions to Support Integration of Project Server and Team Foundation Server

Before you can configure the integration of or synchronize data between Visual Studio Team Foundation Server 2012 and Microsoft Project Server, you must grant permissions to several accounts—administrators, service accounts, and team members. You must also make sure that specific service accounts have access as a Shared Services Provider (SSP) for the server that hosts SharePoint Products for Project Server.

Note

You should grant permissions after you have installed Team Foundation Server Extensions for Project Server Integration. For more information, see System and Setup Requirements to Support Integration of Team Foundation Server and Project Server.

To reduce the need to add users and groups manually to Team Foundation Server and Project Server, you can synchronize users and resources with the users in the Active Directory directory service across multiple domains and forests. For more information, see the following page on the Microsoft website: Manage security group synchronization with Active Directory in Project Server 2013.

Before you assign permissions, you might want to review information on the following pages of the Microsoft website:

Project Server 2007

Project Server 2010

Microsoft Project Server 2013

In this topic

  • Permissions that Are Required to Configure Integration and Support Data Synchronization

  • Grant Team Foundation Server Permissions

  • Grant Project Server Permissions

  • Grant SharePoint Server Permissions

  • Grant Project Server database permissions

Requirements

You must belong to the following groups or have the following permissions:

  • To grant Team Foundation permissions: you must be a member of the Team Foundation Administrators group, or your View instance-level information and Edit instance-level information permissions must be set to Allow. You must also have access to the Team Foundation Administration Console or the Group Membership dialog box for a team project collection by using Team Explorer.

  • To grant Project Server permissions: Manage users and groups global permission for an instance of Project Web Access or Project Web App (PWA). You must also have access to Project Server through PWA.

  • To grant Project Server 2010 permissions for the Reporting database: member of the Administrators security group for the SQL Server databases for Project Server.

  • To grant SSP permissions: the Farm Administrators group, the administrators group for the Web application that supports Project Server, or the SharePoint Administration group. Group membership will depend on the security architecture of your deployment.

  • To use stsadm.exe: you must be an administrator on the local computer.

Permissions Required to Configure Integration and Support Data Synchronization

You must grant permissions to the user who performs configuration tasks by using the TfsAdmin ProjectServer command-line tool, which is installed on the same client machine as Visual Studio 2012. To allow project managers to manage the associations of their enterprise project plans with team projects, you must grant them the Administer Project Server integration permission for those collections that host the team projects that their plans will synchronize with.

Also, you must make sure that specific service accounts are granted administrative permissions to the instances of PWA and access to Shared Services Providers. The requirements differ slightly between Project Server 2007 and Project Server 2010. In addition, you must add Team Foundation users or distribution groups in Active Directory that contain user accounts for team members to the Team Members group in Project Server so that those users can submit updates to Project Server.

Note

You must grant all service accounts for Project Server and SharePoint Products permission to log on to the computer on which the service is running.

The following two sections summarize the permissions that you must grant based on the version of Project Server that you are integrating with.

Note

The service account for Team Foundation Server also runs the Team Foundation Background Job Agent Service. All TfsAdmin command options are run under this service account, except for the /RegisterPWA and /UnregisterPWA options, which are run under the user who runs the commands. This agent manages data synchronization processes. This account requires permissions to access each instance of PWA that has been mapped and permissions to call Project Server Integration (PSI) services.

Required permissions to support integration with Project Server 2007 or Project Server 2010

Account: Service account for Team Foundation Server.

Team Foundation permissions: Not applicable.

Project Server 2007 permissions: Grant the following Global and Category permissions to the service account for Team Foundation Server:

  • Global - Admin: Manage Enterprise Custom Fields, Manage Server Events, and Manage Users and Groups.

  • Global - General: Log On, New Task Assignment, and Reassign Task.

  • Global - Project: Build Team on New Project.

  • Global - Views: View Approvals, View Project Center, View Resource Center, and View Task Center.

  • Category – Project: Open Project and View Project Site.

  • Category – Resource: View Enterprise Resource Data.

For more information, see Grant Project Server Permissions later in this topic.

You must grant access to the SSP. For more information, see Grant Service Account to Shared Services Provider for Project Server 2007 later in this topic.

Project Server 2010 permissions: Grant the following Global and Category permissions to the service account for Team Foundation Server:

  • Global - Admin: Manage Enterprise Custom Fields, Manage Server Events, Manage Site Services, and Manage Users and Groups.

  • Global - General: Log On, New Task Assignment, and Reassign Task.

  • Global - Project: Build Team on New Project.

  • Global - Views: View Approvals, View Project Center, View Resource Center, and View Task Center.

  • Category – Project: Open Project and View Project Site.

  • Category – Resource: View Enterprise Resource Data.

For more information, see Grant Project Server Permissions later in this topic.

Grant Full Control permissions to start the Project Server Service Application. For more information, see Add a Service Account to the Project Server Service Application for Project Server 2010.

Account: Service account for the Project Server web application pool.

Team Foundation permissions: Not applicable.

Project Server 2007 permissions: Not applicable.

Project Server 2010 permissions: Grant the service account for the Project Server web application pool the following SQL Server permissions for the PWA Reporting database:

  • Alter any Schema

  • Create Table

  • Delete

  • Execute

  • Insert

  • Select

  • Update

For the PWA Publish database, grant the Select permission.

For more information, see Grant Project Server database permissions later in this topic.

Account: Service account for the Project Server Event Handler.

Team Foundation permissions: Not applicable.

Project Server 2007 permissions: Not applicable.

Project Server 2010 permissions: Full Control permissions to the Project Server Service Application. For more information, see Add a Service Account to the Project Server Service Application for Project Server 2010.

Account: Accounts of users who configure the integration by running the TfsAdmin ProjectServer RegisterPWA/UnRegisterPWA commands.

Team Foundation permissions: Add these users to the Team Foundation Administrators group.

Project Server 2007 permissions: Add these users to the Administrators group for each instance of PWA that you will register with TFS.

Project Server 2010 permissions: Add these users to the Administrators group for each instance of PWA that you will register with TFS.

Account: Accounts of users who configure the integration by running TfsAdmin ProjectServer commands but who do not register or unregister instances of PWA.

Team Foundation permissions: Grant the Administer Project Server integration permission to these users.

Project Server 2007 permissions: Not applicable.

Project Server 2010 permissions: Not applicable.

Account: User accounts assigned as resources in the project plan or to the Assigned To field for a work item. These users submit status updates that flow into the status queue for the project manager.

Team Foundation permissions: Add accounts of team members to the Contributor group for the team project.

Project Server 2007 permissions: Add team members to the Team Members group for PWA, or grant them the Open Project and View Project Site permissions in Project.

For more information, see To add Team Foundation users to the Team Members group later in this topic.

You must also add these accounts to the enterprise project pool and to the project plan resource pool.

Project Server 2010 permissions: Add team members to the Team Members group for PWA, or grant them the Open Project and View Project Site permissions in Project. For more information, see To add Team Foundation members to the Team Members group later in this topic.

You must also add these accounts to the enterprise project pool and to the resource pool for the project plan.

Account: Accounts of users of Project Professional.

Team Foundation permissions: Grant View Project-level information or assign them as members of the project Reader group.

Project Server 2007 permissions: Add these accounts to the Project Manager group on Project Server.

Project Server 2010 permissions: Add these accounts to the Project Manager group on Project Server.

Required permissions to support integration with Project Server 2013

SharePoint Permission Mode, the default mode for managing security in Project Server 2013, creates a set of SharePoint security groups that are associated with Project Server 2013. These groups are used to grant users varying levels of access to projects and Project Server functionality. For a comparison of features between SharePoint and Project Server permission mode, see Plan user access in Project Server 2013.

Both permission modes use Claims Based Authentication. To change to Project Server Permission mode, see Set-SPProjectPermissionMode.

Account: Service account for Team Foundation Server.

Team Foundation permissions: Not applicable.

Project Server Permission mode: Grant the following Global and Category permissions to the service account for Team Foundation Server:

  • Global - Admin: Manage Enterprise Custom Fields, Manage Server Events, Manage Site Services, and Manage Users and Groups.

  • Global - General: Log On, New Task Assignment, and Reassign Task.

  • Global - Project: Build Team on New Project.

  • Global - Views: View Approvals, View Project Center, View Resource Center, and View Task Center.

  • Category – Project: Open Project and View Project Site.

  • Category – Resource: View Enterprise Resource Data.

For more information, see Grant Project Server database permissions later in this topic.

Full Control permissions to start the Project Server Service Application. For more information, see Add a Service Account to the Project Server Service Application for Project Server 2010.

SharePoint Permission mode: Add the service account for Team Foundation Server to the Site Collection Administrators for SharePoint and the Administrators for PWA groups for each instance of PWA.

See Add service accounts to the Site Collection Administrators group for Project Server 2013, and To add a user account or a group to Project Server 2013.

Account: Service account for the Project Server web application pool.

Team Foundation permissions: Not applicable.

Project Server Permission mode: Add the service account to the Administrators for PWA group.

Grant the service account for the Project Server web application pool the following SQL Server permissions for each instance of PWA database:

  • Alter any Schema

  • Create Table

  • Delete

  • Execute

  • Insert

  • Select

  • Update

See Grant Project Server database permissions later in this topic.

SharePoint Permission mode: Add the service account for the Project Server web application pool to the Administrators for PWA group. See To add a user account or a group to Project Server 2013.

Grant the same database permissions as for Project Server Permission mode.

Account: Service account for the Project Server Event Handler.

Team Foundation permissions: Not applicable.

Project Server Permission mode: Grant Full Control permissions to the Project Server Service Application.

SharePoint Permission mode: Add the service account for the Project Server Event Handler as a member of the Administrators for PWA group. See To add a user account or a group to Project Server 2013.

Account: Accounts of users who configure the integration by running the TfsAdmin ProjectServer RegisterPWA/UnRegisterPWA commands.

Team Foundation permissions: Add these users to the Team Foundation Administrators group.

Project Server Permission mode: Add these users to the Administrators group for each instance of PWA that you will register with TFS.

SharePoint Permission mode: Add these users to the Site Collection Administrators for SharePoint and the Administrators for PWA groups for each instance of PWA.

See Add service accounts to the Site Collection Administrators group for Project Server 2013, and To add a user account or a group to Project Server 2013.

Account: Accounts of users who configure the integration by running TfsAdmin ProjectServer commands but who do not register or unregister instances of PWA.

Team Foundation permissions: Grant the Administer Project Server integration permission to these users.

Project Server Permission mode: Not applicable.

SharePoint Permission mode: Not applicable.

Account: User accounts assigned as resources in the project plan or to the Assigned To field for a work item. These users submit status updates that flow into the status queue for the project manager.

Team Foundation permissions: Add team members to the Contributor group for the team project.

Project Server Permission mode: Add team members to the Team Members group for PWA, or grant them the Open Project and View Project Site permissions in Project. For more information, see To add Team Foundation members to the Team Members group later in this topic.

You must also add these accounts to the enterprise project pool and to the resource pool for the project plan.

SharePoint Permission mode: Add team members to the Team Members for Project Web App group for each instance of PWA. See To add a user account or a group to Project Server 2013.

Account: Accounts of users of Project Professional.

Team Foundation permissions: Grant View Project-level information or assign them as members of the project Reader group.

Project Server Permission mode: Add these accounts to the Project Manager group on Project Server.

SharePoint Permission mode: Add accounts to the Team Members for Project Web App group for each instance of PWA. See To add a user account or a group to Project Server 2013.


Grant Team Foundation Server Permissions

You can set Team Foundation permissions in Team Explorer or in the Team Foundation Administration Console.

To configure the integration of Team Foundation Server and Project Server, you must have permissions to administer Team Foundation Server or a team project collection. For both configuration and synchronization, you must also grant permission to Administer Project Server integration to the user who will configure the integration of the two server products.

Note

For the purposes of configuring the two server products, you can ignore the permissions that are required to administer SharePoint Products and SQL Server Reporting Services.

To grant permissions to administer Team Foundation Server or a team project collection, see Set Administrator Permissions for Team Foundation Server and Set Administrator Permissions for Team Project Collections.

To grant permissions to Administer Project Server Integration

  1. Open the administration console for Team Foundation Server.

    For more information, see Open the Team Foundation Administration Console.

  2. Expand the server, choose Team Project Collections, choose a collection, and then choose Administer Security.

  3. In the Global Security window, choose [Collection]\Project Collection Service Accounts.

  4. Under Permissions, for Administer Project Server integration, select the Allow check box.

  5. Choose Close to close the Global Security window.


Grant Project Server Permissions

You must grant Project Server permissions to the following accounts:

  • To the Administrators group, add the account of the user who will register an instance of PWA to Team Foundation Server.

  • To the Administrators group, either add the service account for Team Foundation Server or grant that account the minimum set of Global and Category permissions, as described in Permissions Required to Configure Integration and Support Data Synchronization earlier in this topic.

  • To the Team Members group, add the accounts of any Team Foundation members who will submit status updates to Project Server.

To add an account to Project Server and assign it to the Administrators group for Project Server 2007 or Project Server 2010

  1. From the PWA home page, in the Quick Launch area, choose Server Settings.

  2. On the Server Settings page, choose Manage Users.

  3. On the Manage Users page, choose New User.

  4. On the New User page, type the required information in each field. Note the following:

    1. Clear the check box for User can be assigned as a resource if the account is a service account.

    2. For User Authentication, type the account name of the user or service account.

    3. Clear the check box for Resource can be leveled if the account is an administrator or a service account.

    4. To add the account to the Administrators group, for Security Groups, choose Administrators and then choose Add.

  5. Choose Save.

For more information, see the following pages on the Microsoft website:

To grant the minimum Global permissions to the service account for Team Foundation Server

  1. On the PWA page, in the Quick Launch area, choose Server Settings.

  2. On the Server Settings page, choose Manage Users.

  3. On the Manage Users page, choose New User.

  4. On the New User page, type the required information in each field. Note the following:

    1. Clear the check box for User can be assigned as a resource because the account is a service account.

    2. For User Authentication, type the account name of the service account.

    3. To assign Global Permissions, select the Allow check box for each permission that you want to set, as specified earlier in this topic.

  5. Choose Save.

To grant Category permissions to the service account

  1. From the home page for PWA, in the Quick Launch area, choose Server Settings.

  2. On the Server Settings page, choose Manage Categories.

  3. On the Manage Categories page, choose New Category.

  4. On the Add or Edit Category page, type a name for the service account category. For example, type Servicing Account.

  5. Under Available Users, choose the name of the service account for Team Foundation Server, and then choose Add.

  6. Under Projects, choose All current and future projects in Project Server database.

  7. Choose Save.

To add Team Foundation members to the Team Members group

  1. From the home page for PWA, in the Quick Launch area, choose Server Settings.

  2. On the Server Settings page, in the Security section, choose Manage Groups.

  3. On the Manage Groups page, choose Team Members.

  4. On the Add or Edit Group page, hold down the SHIFT key, choose the users whom you want to add from the Available Users, and then choose Add.

  5. Under Categories, verify or add My Tasks from Available Categories to Selected Categories.

For more information, see the following page on the Microsoft website: Manage security groups in Project Server 2010.

To add a user account or a group to Project Server 2013

  1. From the PWA home page, open Site settings from the gear icon.

    [Figure: Open site settings for PWA (PS 2013)]

  2. On the Site Settings page, choose People and groups.

    [Figure: Open People and Groups for PWA (PS 2013)]

  3. Choose the group to which you want to add accounts.

    [Figure: Choose the group in PWA to add accounts (PS 2013)]

    • To add team members, choose Team Members for Project Web App.

    • To add service accounts or administrator accounts, choose Administrators for Project Web App.

    • To add project management accounts, choose More, and then choose Project Managers for Project Web App.

    Tip

    To view all the default groups, choose More. To view permissions assigned to each group, choose Settings, View Group Permissions. To learn more, see Plan user access in Project Server 2013.

  4. On the group page, choose New, Add users.

  5. Type the name of each account or Active Directory group to add to the selected group.

    [Figure: Add accounts to a group for PWA (PS 2013)]

    • To the Administrators for PWA group, add the service accounts for Team Foundation Server, the Project Server web application pool, and Project Server Event Handler. Also, add the accounts of users who configure the integration by running the TfsAdmin ProjectServer RegisterPWA/UnRegisterPWA commands.

    • For Team Members for Project Web App, add the user accounts assigned as resources in the project plan or to the Assigned To field for a work item. Or, add the Active Directory group used to manage these resources.

    • For Project Managers for Project Web App, add the accounts of users of Project Professional.

  6. Choose Share.


Grant SharePoint Server permissions

The permissions you must grant in SharePoint differ depending on the version of Project Server that you are integrating with TFS.

  • Add service account to the Shared Services Provider for Project Server 2007

  • Add service accounts to the Project Server Service Application for Project Server 2010

  • Add service accounts to the Site Collection Administrators group for Project Server 2013

Add service account to the Shared Services Provider for Project Server 2007

To support status update processing by the synchronization engine during integration with Project Server 2007, you must add the service account for Team Foundation Server to the Shared Services Provider for Project Server. You can perform this procedure by using the stsadm command-line tool, which can grant a non-administrator the rights to service an SSP. For more information, see the following page on the Microsoft website: Stsadm command-line tool (Office SharePoint Server).

Note

Even if you log on with administrative permissions, you must open an elevated Command Prompt window to run the stsadm command-line tool on a server that is running Windows Server 2008. To open an elevated Command Prompt window, choose Start, open the context menu for Command Prompt, and then choose Run as Administrator. For more information, see the following page on the Microsoft website: User Access Control.

To grant a service account access to SSP

  1. On every server that is part of the SharePoint Products farm that supports your deployment of Team Foundation Server, open a Command Prompt window, and change directories to Drive:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\bin\.

  2. Type the following command, where TFSServiceAccount is the service account for Team Foundation Server.

    stsadm.exe -o editssp -title SharedServices -setaccounts <Existing Service Accounts>, TFSServiceAccount

    Important

    You must append TFSServiceAccount in the form domain\username to the existing list of service accounts.


Add service accounts to the Project Server Service Application for Project Server 2010

To support status update processing by the synchronization engine for integration with Project Server 2010, you must add the service account for Team Foundation Server to the Project Server Service Application. You can perform this procedure by using SharePoint Central Administration or Windows PowerShell. For more information, see the following page on the Microsoft website: Restrict or enable access to a service application (SharePoint Server 2010).

Important

The SharePoint web application for the instance of PWA must be set to Classic Mode Authentication. You will not be able to register the instance of PWA if it is set to Claims Based Authentication.

To add a service account to a service application by using SharePoint Central Administration (2010)

  1. Open the SharePoint Central Administration page for Project Server.

  2. Under Application Management, choose Manage service applications.

  3. On the Manage Service Applications page, highlight the row for Project Server Service Application by clicking within the row but not the name of the application.

    The ribbon becomes available.

  4. In the ribbon, choose Permissions.

  5. In the Connection Permissions for Project Server Service Application dialog box, type the name of the service account, and then choose Add.

  6. In the middle pane, make sure that the name of the newly added service account is highlighted.

  7. In the bottom pane, select the Full Control check box, and then choose OK.


Add service accounts to the Site Collection Administrators group for Project Server 2013

Add required user and service accounts to the SharePoint Site Collection Administrators group.

  1. Log on to the SharePoint server for Project Server.

  2. Choose Start, Microsoft SharePoint 2013 Products, SharePoint 2013 Central Administration.

  3. Choose Site settings from the gear icon.

    [Figure: Open SharePoint Site Settings for PS 2013]

  4. Choose Site collection administrators.

    [Figure: Open Site Collection Administrators for PS 2013]

  5. Type the names of the service account for Team Foundation Server and the accounts of users who register or unregister instances of PWA (by running the TfsAdmin ProjectServer RegisterPWA/UnRegisterPWA commands).

  6. Choose OK when done.

Grant Project Server database permissions

To support data synchronization, you must grant permissions to the service account for the web application pool to update two SQL Server databases for each instance of PWA. This applies to both Project Server 2010 and Project Server 2013.

To grant permissions to a database for an instance of PWA

  1. Log on to the data-tier server for Project Server.

  2. Choose Start, All Programs, Microsoft SQL Server 2008 or Microsoft SQL Server 2012, SQL Server Management Studio.

    The Connect to Server dialog box opens.

  3. In the Server type list, select Database Engine.

  4. In Server name, type the name of the server that hosts the databases for Project Server, and then choose Connect.

    Note

    If SQL Server is installed on a cluster, type the name of the cluster, not the computer name. If you have specified a named instance, type the server and instance name in the following format: DatabaseServer\InstanceName.

    SQL Server Management Studio opens.

  5. Expand Databases, open the context menu for the database for the instance of PWA (for example, PWA_Reporting), and then choose Properties.

  6. Under Select a page, choose Permissions.

  7. Add the service account of the web application pool for Project Server, and grant the required permissions. For example, the following permissions for the Reporting database are required: Alter any Schema, Create Table, Delete, Execute, Insert, Select, and Update.

    For the Publishing database, grant the Select permission.

  8. Repeat steps 5 through 7 for each instance of PWA that will participate in data synchronization with Team Foundation Server.
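The grants in steps 5 through 7 can also be applied with T-SQL and then audited, so that the web application pool account holds the listed permissions and nothing broader. The script below is an added example, not part of the original topic. The account CONTOSO\svc-pwa-apppool and the database name PWA_Publish are placeholders (PWA_Reporting is the example name from step 5), and a server login for the account is assumed to exist already.

```sql
-- Added example, not from the original topic. Replace the placeholders:
--   CONTOSO\svc-pwa-apppool  service account of the Project Server web application pool
--   PWA_Reporting            Reporting database (example name from step 5)
--   PWA_Publish              Publish database (assumed name)
-- Assumes a server login for the account already exists.

-- Reporting database: the seven permissions listed in step 7.
USE [PWA_Reporting];
GO
IF DATABASE_PRINCIPAL_ID(N'CONTOSO\svc-pwa-apppool') IS NULL
    CREATE USER [CONTOSO\svc-pwa-apppool] FOR LOGIN [CONTOSO\svc-pwa-apppool];
GO
GRANT ALTER ANY SCHEMA, CREATE TABLE, DELETE, EXECUTE, INSERT, SELECT, UPDATE
    TO [CONTOSO\svc-pwa-apppool];
GO

-- Publish database: Select only.
USE [PWA_Publish];
GO
IF DATABASE_PRINCIPAL_ID(N'CONTOSO\svc-pwa-apppool') IS NULL
    CREATE USER [CONTOSO\svc-pwa-apppool] FOR LOGIN [CONTOSO\svc-pwa-apppool];
GO
GRANT SELECT TO [CONTOSO\svc-pwa-apppool];
GO

-- Audit the Reporting database. Rows marked 'review' are grants outside the
-- documented set, DENY entries, grants WITH GRANT OPTION, or object-level grants.
-- CONNECT is expected because CREATE USER grants it implicitly.
USE [PWA_Reporting];
GO
DECLARE @acct sysname = N'CONTOSO\svc-pwa-apppool';

SELECT pe.class_desc,
       pe.permission_name,
       pe.state_desc,
       CASE WHEN pe.class = 0            -- database-level permission
                 AND pe.state = 'G'      -- plain GRANT
                 AND pe.permission_name IN
                     (N'CONNECT', N'ALTER ANY SCHEMA', N'CREATE TABLE', N'DELETE',
                      N'EXECUTE', N'INSERT', N'SELECT', N'UPDATE')
            THEN 'expected'
            ELSE 'review'
       END AS finding
FROM sys.database_permissions AS pe
WHERE pe.grantee_principal_id = DATABASE_PRINCIPAL_ID(@acct)
ORDER BY finding DESC, pe.permission_name;

-- Role memberships are not part of the documented grants; a membership such as
-- db_owner would exceed them, so list any that exist for review.
SELECT r.name AS role_name
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r
     ON r.principal_id = m.role_principal_id
WHERE m.member_principal_id = DATABASE_PRINCIPAL_ID(@acct);
GO
```

To audit the Publish database, run the same two queries there with the expected list reduced to CONNECT and SELECT.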

See Also

Tasks

Configure the Integration of Team Foundation Server and Project Server

Concepts

Configuration Quick Reference

Overview of the Synchronization Process for Team Foundation Server and Project Server Integration

Administrate the Integration of Team Foundation Server and Project Server