Assign permissions to support TFS-Project Server integration

Assigning permissions is the first step in configuring Team Foundation Server and Project Server to support data synchronization. You must grant permissions to several accounts—administrators, service accounts, and team members. You must also make sure that specific service accounts have access as a Shared Services Provider (SSP) for the server that hosts SharePoint Products for Project Server.

You should grant permissions after you have installed Team Foundation Server Extensions for Project Server Integration. For more information, see System and setup requirements to support TFS-Project Server integration.

Before you begin, you’ll want to know which PWA instances and TFS team project collections will participate in data synchronization. You’ll also want to have answers to the following questions.

Make sure you belong to the following groups:

  • Team Foundation Administrators group, required to grant TFS permissions. You must also have access to the Team Foundation Administration Console. See Set administrator permissions for Team Foundation Server.

  • Administrator for Project Web App for each instance of Project Web Access or Project Web App (PWA), required to grant Project Server permissions. You must also have access to Project Server through PWA.

  • Administrators security group for the SQL Server databases for Project Server, required to grant permissions to the PWA Reporting and Publishing databases.

  • Farm Administrators group, the administrators group for the Web application that supports Project Server, or the SharePoint Administration group, required to grant SSP permissions. Group membership will depend on the security architecture of your deployment.

  • Administrator on the local computer, required to use stsadm.exe.

  • For Project Server 2010:

    The SharePoint web application for the instance of PWA must be set to Classic Mode Authentication. Classic Mode Authentication uses Windows authentication. User accounts are treated by SharePoint Server 2010 as Active Directory Domain Services (AD DS) accounts.

    You will not be able to register the PWA if its authentication is set to Claims Based Authentication. If you’re not sure which authentication mode is set, or you need to switch authentication modes, jump to this section.

  • For Project Server 2013:

    Two permission modes are supported: SharePoint Permission mode and Project Permission mode. Both these modes use Claims Based authorization. The permissions that you need to assign differ, depending on the permission mode that is set.

    SharePoint permissions mode creates SharePoint groups that directly correspond to the default security groups found in Project Server permission mode. These groups are used to grant users varying levels of access to projects and Project Server functionality. SharePoint permission mode is new for Project Server 2013.

    New Project Web App instances use the SharePoint permission mode by default. In an on-premises installation, the mode can be changed for a given instance of Project Web App by using the Set-SPProjectPermissionMode Windows PowerShell cmdlet.

    Project Server permission mode provides a set of customizable security groups and other functionality that is distinct from SharePoint groups. This security platform operates independently of the SharePoint permissions in the farm and allows you to fine-tune the permission levels for Project Web App users. This is the same permission mode that was available in Project Server 2010.

    For a comparison of features supported in each security mode, see Plan user access in Project Server 2013.

    If you’re not sure which Permission mode is set, or you need to switch Permission modes, jump to this section.

To minimize manually adding users to TFS and Project Server, create Windows or Active Directory groups. You can then add these groups to TFS groups, Project Server, and SharePoint sites which have pre-defined permissions. Also, you can synchronize resources with Active Directory across multiple domains and forests.

For more information, see Manage security group synchronization with Active Directory in Project Server 2013.

Identify the following service accounts, user accounts, or Active Directory groups that have been configured and will need access to the resources that support data synchronization between TFS and Project Server.

You must assign permissions to three service accounts. Depending on the account, you grant permissions to each PWA instance that participates in data synchronization, to the SharePoint server, and to the Reporting and Publishing databases for each PWA instance. Grant these permissions using the following applications: the PWA site, SharePoint Central Site Administration, and SQL Server Management Studio. Before you grant permissions, make sure that you have identified all the service accounts that are used in your deployment.

Details for each permission to be granted are provided in the numbered sections.

For each service account, the permissions to grant and how to determine the account:

Service account for TFS

  • Grant these permissions:

    1. Grant permissions to access each PWA instance

    2. Grant SharePoint Server permissions

    3. Grant Project Server database permissions

  • To determine this account: Open the Team Foundation Administration console. If a Network Service account is used, change it to a domain account. See Change the service account or password for Team Foundation Server.

Service account for the Project Server web application pool

  • Grant these permissions:

    1. Grant permissions to access each PWA instance

    2. Grant SharePoint Server permissions

    3. Grant Project Server database permissions

  • To determine this account: See How do I determine all the accounts used as Service account for the Project Server Web Application Pool?

Service account for the Project Server Event Handler

  • Grant these permissions:

    1. Grant permissions to access each PWA instance

    2. Grant SharePoint Server permissions

  • To determine this account: On the machine where Project Server is installed, open Computer>Manage Services and find Microsoft Project Server Events Service.

You assign permissions to the accounts of users who configure the integration between TFS and Project Server or who participate in the enterprise project plan, either as a manager or team member. Depending on the role, you grant permissions to each PWA instance that participates in data synchronization, to the SharePoint server, to the enterprise resource pool, and to TFS. Grant these permissions using the following applications: the PWA site, SharePoint Central Site Administration, the Team Foundation Administration Console, and Team Web Access.

Details for each permission are provided in the numbered sections.

For each account or group of users, add the accounts to the following groups or resource pools, or grant the indicated permissions:

User account(s) who will run the TFSProjectServer registerPWA command

  1. Grant permissions to access each PWA instance: Administrators for Project Web App

  2. Grant SharePoint Server permissions: PWA site collection admin (SharePoint permission mode only)

  4. Add accounts to Team Foundation Administrators group

  5. Grant Administer Project Server integration permissions

User account(s) who will map components to support TFS-Project Server integration, but not register PWAs

  5. Grant Administer Project Server integration permissions

Users of Project Professional

  1. Grant permissions to access each PWA instance: Project Manager group

  6. Add accounts to the TFS Readers group

Users who are assigned as project resources or have TFS work items assigned to them. These users submit status updates that flow into the status queue for the project manager.

  1. Grant permissions to access each PWA instance:

    • PWA Team Members group (Project Server 2010)

    • Team Members for the PWA App group (Project Server 2013)

    • Enterprise project pool and to the project resource pool for the project plan

  6. Add accounts to the TFS Contributors group

Find the version and permission mode used in your deployment, then follow the steps to grant permissions. You must add accounts for each PWA instance that you will register and map to a team project.

Task

Account

Project Server 2010 with Classic Authentication mode

Project Server 2013 with Project Permission mode

Project Server 2013 with SharePoint Permission mode

1-1. Grant Global permissions

1-2. Grant Category permissions

TFS Service account

check mark

check mark

check mark

1-3. Add accounts to a PWA security group (Administrators for PWA)

TFS Service account

Service account for the Project Server web application pool

User accounts that configure the integration

check mark

check mark

check mark

1-3. Add accounts to a PWA security group

Accounts of users of Project Professional: Project Manager or Portfolio Managers

User accounts assigned as resources in the project plan: Team Members

check mark

check mark

check mark

1-4. Add accounts to a PWA security group (SharePoint permission mode), (Administrators for PWA)

Service account for the Project Server Event Handler

check mark

check mark

1-4. Add accounts to a PWA security group (SharePoint permission mode), PWA Site Collection Administrators group

TFS Service account

User accounts that configure the integration

check mark

1-5. Add to the Active Directory Enterprise Resource Pool

User accounts assigned as resources in the project plan

check mark

check mark

check mark

1-1. Grant Global permissions

  1. From the PWA Settings page, open Manage Users, and then New User.

  2. Add the TFS service account.

  3. Type the required information in each field. Note the following:

    1. Clear the check box for User can be assigned as a resource because the account is a service account.

    2. For User Authentication, type the name of the service account for TFS.

    3. Assign the following Global permissions:

      • Admin: Manage Enterprise Custom Fields, Manage Server Events, Manage Site Services, and Manage Users and Groups.

      • General: Log On, New Task Assignment, and Reassign Task.

      • Project: Build Team on New Project.

      • Views: View Approvals, View Project Center, View Resource Center, and View Task Center.

  4. Save your changes.

1-2. Grant Category permissions

  1. From the home page for PWA, in the Quick Launch area, choose Server Settings.

  2. Next, choose Manage Categories and then New Category.

  3. Type a name for the service account category, for example, type Servicing Account.

  4. Under Available Users, choose the name of the service account for Team Foundation Server, and then choose Add.

  5. Under Projects, choose All current and future projects in Project Server database, and then click Save.

  6. Add the TFS service account and select the checkboxes for these Category permissions:

    • Project: Open Project and View Project Site

    • Resource: View Enterprise Resource Data

1-3. Add accounts to a PWA security group (Project Server 2010, Project Server 2013-Permission mode)

  1. From the PWA Settings page, open Manage Users, New User, and then type the required information in each field:

    • Clear the check box for User can be assigned as a resource if the account is a service account.

    • For User Authentication, type the account name of the user or service account for TFS.

    • Clear the check box for Resource can be leveled if the account is an administrator or a service account.

  2. For Security Groups, add the account or group to one of the default groups:

    1. Administrators: TFS service account and the accounts of users who configure the integration, ones who register or unregister PWAs.

    2. Project Managers: users who work with Project Professional and PWA.

    3. Team Members: users who are assigned as a resource and who are assigned to TFS work items.

  3. If you have customized Category permissions, verify that team members have the following Security Categories: Create New Task or Assignment, Create Object Links, Open Project, View Project Site, and View Project Schedule in Project Web App (Project Server 2010).

    For Project Server 2013, Permission mode, select: Open Project, View Project Site, and View Project Schedule in Project Web App.

    To modify the category permissions for a selected user in a category, select the category in the Selected Categories list, and then select Allow for the permissions that you want to allow.

  4. Save your changes.

For more information, see Add a user account in Project Server 2010 or Plan user access in Project Server 2013.

1-4. Add accounts to a PWA security group (SharePoint permission mode, Project Server 2013)

  1. From the PWA home page, open Site settings from the gear icon.

  2. Open Site Collection Administrators and add the TFS service account.

  3. Open People and groups.

  4. Choose the group to which you want to add accounts.

    1. Team Members for Project Web App: accounts assigned as resources in the project plan or to the Assigned To field for a work item. Or, add the Active Directory group used to manage these resources.

    2. Administrators for Project Web App: the service accounts for Team Foundation Server, the Project Server web application pool, and Project Server Event Handler. Also, add the accounts of users who configure the integration by running the TfsAdmin ProjectServer RegisterPWA/UnRegisterPWA commands.

    3. PWA Site Collection Administrators: the accounts of users who configure the integration by running the TfsAdmin ProjectServer RegisterPWA/UnRegisterPWA commands.

    4. Project Managers for Project Web App: accounts of users of Project Professional.

    Tip

    To view all the default groups, choose More. To view permissions assigned to each group, choose Settings, View Group Permissions. To learn more, see Plan user access in Project Server 2013.

  5. On the group page, choose New, Add users.

  6. Type the name of each account or Active Directory group to add to the selected group.

  7. Choose Share.

1-5. Add to the Active Directory Enterprise Resource Pool

  1. From the PWA settings page, under Operational policies, choose Active Directory resource pool synchronization.

  2. Add the Active Directory group of TFS team members to the enterprise resource pool.

To access the SharePoint site for Project Server, you have to grant several permissions. You can follow this procedure by using SharePoint Central Administration or Windows PowerShell.

Task

Account

Project Server 2010 permissions

Project Server 2013/Permission mode

Project Server 2013/SharePoint Permission mode

2-1. Grant Full Control Connect permissions to start the Project Server Service Application

TFS service account

check mark

check mark

2-1. Grant Full Control Connect permissions to start the Project Server Service Application

Service account for the Project Server Event Handler

check mark

check mark

2-2. Add to the Site Collection Administrators for the SharePoint site

TFS service account

check mark

2-1. Grant Full Control Connect permissions to start the Project Server Service Application

  1. On the SharePoint server for Project Server, open SharePoint Central Administration, and under Application Management, choose Manage service applications.

  2. Highlight the row for Project Server Service Application by clicking within the row but not the name of the application. In the ribbon, choose Permissions.

  3. Type the name of the service account for TFS, and then choose Add.

  4. Make sure that the name of the newly added service account is highlighted, and then select the Full Control check box. Choose OK.

  5. Repeat steps 3 and 4, this time adding the service account for the Project Server Event Handler. If there is more than one service account, make sure you add each one.

For more information, see Restrict or enable access to a service application.

2-2. Add TFS service account to the Site Collection Administrators group (Project Server 2013, SharePoint mode)

  1. On the SharePoint server for Project Server, open SharePoint 2013 Central Administration, and choose Site settings from the gear icon.

  2. Choose Site collection administrators.

  3. Type the name of the TFS service account, and choose OK when done.

Grant permissions to both the service account for TFS and the service account for the Project Server web application pool to update the database or databases for each PWA instance. This step is required for all deployments, both Project Server 2010 and Project Server 2013.

  1. On the data-tier server for Project Server, open SQL Server Management Studio.

  2. In the Server type list, select Database Engine.

  3. In Server name, type the name of the server that hosts the databases for Project Server, and then choose Connect.

    Note

    If SQL Server is installed on a cluster, type the name of the cluster, not the computer name. If you have specified a named instance, type the server and instance name in the following format: DatabaseServer\InstanceName.

    SQL Server Management Studio opens.

  4. Expand Databases, right-click or open the context menu for the database for the instance of PWA, and then choose Properties:

    • For Project Server 2010: PWA_Reporting or PWA_Publishing

    • For Project Server 2013: ProjectWebApp

  5. On the Permissions page, add the service account for TFS (required for Project Server 2010 and Project Server 2013, Permission mode).

    For SQL Server 2008: Choose Add to add an account.

    For SQL Server 2012: Choose Search to add an account.

  6. Grant these permissions based on the database you’ve selected:

    • For Project Server 2010: PWA_Reporting: Alter any Schema, Create Table, Delete, Execute, Insert, Select, and Update.

    • For Project Server 2010: PWA_Publishing: Select

    • For Project Server 2013: ProjectWebApp: Alter any Schema, Create Table, Delete, Execute, Insert, Select, and Update.

  7. Repeat steps 5 through 6, this time adding the service account of the Project Server web application pool. This is required for all deployments.

  8. Repeat steps 4 through 7 for each instance of PWA that will participate in data synchronization with TFS.
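
The grants in steps 5 through 7 can also be scripted, which makes it possible to check afterwards that each account holds the listed permissions and nothing broader. The following T-SQL is an added example, not part of the original article: the account names CONTOSO\svc-tfs and CONTOSO\svc-pwapool are placeholders, both Windows logins are assumed to exist already on the SQL Server instance, and the script is shown for the Project Server 2013 ProjectWebApp database.

```sql
-- Added example (not from the original article). CONTOSO\svc-tfs and
-- CONTOSO\svc-pwapool are placeholder account names; both Windows logins are
-- assumed to exist on the instance. For Project Server 2010, run the same
-- grants in PWA_Reporting and grant only SELECT in PWA_Publishing.
USE [ProjectWebApp];
GO

-- Steps 5-6: TFS service account.
IF DATABASE_PRINCIPAL_ID(N'CONTOSO\svc-tfs') IS NULL
    CREATE USER [CONTOSO\svc-tfs] FOR LOGIN [CONTOSO\svc-tfs];
GRANT ALTER ANY SCHEMA, CREATE TABLE, DELETE, EXECUTE, INSERT, SELECT, UPDATE
    TO [CONTOSO\svc-tfs];

-- Step 7: service account of the Project Server web application pool.
IF DATABASE_PRINCIPAL_ID(N'CONTOSO\svc-pwapool') IS NULL
    CREATE USER [CONTOSO\svc-pwapool] FOR LOGIN [CONTOSO\svc-pwapool];
GRANT ALTER ANY SCHEMA, CREATE TABLE, DELETE, EXECUTE, INSERT, SELECT, UPDATE
    TO [CONTOSO\svc-pwapool];
GO

-- Check 1: every required database-level permission, per account.
-- A row with status MISSING or DENIED means synchronization can fail.
WITH accounts (name) AS (
    SELECT N'CONTOSO\svc-tfs' UNION ALL SELECT N'CONTOSO\svc-pwapool'
),
required (permission_name) AS (
    SELECT v FROM (VALUES (N'ALTER ANY SCHEMA'), (N'CREATE TABLE'), (N'DELETE'),
                          (N'EXECUTE'), (N'INSERT'), (N'SELECT'), (N'UPDATE')) AS t (v)
)
SELECT a.name AS account,
       r.permission_name,
       CASE WHEN pe.state IN ('G', 'W') THEN 'granted'
            WHEN pe.state = 'D'         THEN 'DENIED'
            ELSE 'MISSING' END AS status
FROM accounts AS a
CROSS JOIN required AS r
LEFT JOIN sys.database_permissions AS pe
       ON pe.class = 0                                   -- database-level only
      AND pe.grantee_principal_id = DATABASE_PRINCIPAL_ID(a.name)
      AND pe.permission_name COLLATE DATABASE_DEFAULT
          = r.permission_name COLLATE DATABASE_DEFAULT
ORDER BY a.name, r.permission_name;

-- Check 2: anything the accounts hold beyond the required set, either as an
-- extra database-level grant or through a database role such as db_owner.
-- Object-level grants (class <> 0) are not covered by this query.
SELECT pr.name AS account,
       'extra permission' AS kind,
       pe.permission_name COLLATE DATABASE_DEFAULT AS item
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
     ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class = 0
  AND pe.state IN ('G', 'W')
  AND pr.name IN (N'CONTOSO\svc-tfs', N'CONTOSO\svc-pwapool')
  AND pe.permission_name NOT IN (N'CONNECT', N'ALTER ANY SCHEMA', N'CREATE TABLE',
                                 N'DELETE', N'EXECUTE', N'INSERT', N'SELECT', N'UPDATE')
UNION ALL
SELECT m.name,
       'role membership',
       r.name COLLATE DATABASE_DEFAULT
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name IN (N'CONTOSO\svc-tfs', N'CONTOSO\svc-pwapool');
```

Check 1 should return only rows marked granted, and Check 2 should return no rows when the accounts hold exactly the permissions listed in step 6.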

  1. On the application-tier server, open the Team Foundation Administration Console, and open Group Membership.

  2. Open Team Foundation Administrators.

  3. Choose Windows User or Group and then choose Add.

  4. Enter the name of the accounts of users who configure the integration by running the TfsAdmin ProjectServer RegisterPWA/UnRegisterPWA commands.

Accounts of users who configure the TFS-Project Server integration require the Administer Project Server Integration permission set to Allow. Set this for each project collection that you map to a PWA.

From the Security page for the project collection, open the permissions for either a user account or a Windows account that you’ve added to TFS for administering Project Server integration. Set the permissions for Administer Project Server Integration to Allow.

Accounts of users who work in Project Professional or TFS require permissions to view or contribute to TFS.

From the TWA administration Security page for the team project, you can add accounts to either the project collection or each team project. Add accounts or the Active Directory groups to the appropriate roles.

Verify that user accounts or groups have been added to the following TFS groups:

  • Contributor role: Team members who work in a TFS project that is integrated with Project Server. This includes all user accounts assigned as resources in the project plan or to the Assigned To field for a work item. These users submit status updates that flow into the status queue for the project manager.

  • Reader role: Users who modify enterprise project plans that are mapped to a team project.

For more info, see Add users to team projects.

Use the following checklist to review that all permissions have been set according to your version and authentication mode.

Account

Permissions

Project Server 2010

Project Server 2013, Permission Mode

Project Server 2013, SharePoint Mode

Application

Service Account for TFS

Global and Category permissions

check mark

check mark

PWA

Administrators for Project Web App group

check mark

check mark

check mark

PWA

Site Collection Administrators group

check mark

SharePoint Central Administration

Connect permissions to the Project Server Service Application (Full Control)

check mark

SharePoint Central Administration

PWA_Reporting database

PWA_Publishing database

check mark

SQL Server Management Studio

ProjectWebApp database

check mark

check mark

SQL Server Management Studio

Service account for the Project Server web application pool (Note 1)

Administrators for PWA group

check mark

check mark

check mark

SharePoint Central Administration

PWA_Reporting database

PWA_Publishing database

check mark

SQL Server Management Studio

ProjectWebApp database

check mark

check mark

SQL Server Management Studio

Service account for the Project Server Event Handler

Connect permissions to the Project Server Service Application (Full Control)

check mark

check mark

SharePoint Central Administration

Administrators for PWA group

check mark

check mark

SharePoint Central Administration

User accounts who will configure the integration and run the TFSProjectServer registerPWA command

Administrators for Project Web App

check mark

check mark

check mark

SharePoint Central Administration

PWA site collection admin

check mark

SharePoint Central Administration

Team Foundation Administrators group

check mark

check mark

check mark

Team Foundation Administration Console

Administer Project Server integration

check mark

check mark

check mark

TWA

User accounts who will map components to support TFS-Project Server integration, but not register PWAs

Administer Project Server integration

check mark

check mark

check mark

TWA

Users of Project Professional

Project Manager group for each PWA instance

check mark

check mark

check mark

PWA or SharePoint Central Administration

TFS Readers group

check mark

check mark

TWA

Users assigned as project resources or have TFS work items assigned to them

Team Members for the PWA App group

check mark

check mark

check mark

PWA or SharePoint Central Administration

Team Members, Security Categories (Note 2)

check mark

check mark

PWA

Enterprise project pool and to the project resource pool for the project plan

check mark

check mark

check mark

PWA

TFS Contributors group

check mark

check mark

check mark

TWA

Notes:

  1. Some deployments might have more than one service account for the Project Server Web Application Pool. Go here to determine the service accounts for these application pools.

  2. The Security Categories assigned to Team Members by default are sufficient; however, if these categories have been customized, then some permissions might have been removed. The following categories are required: Create New Task or Assignment, Create Object Links, Open Project, View Project Site, and View Project Schedule in Project Web App (Project Server 2010), and Open Project, View Project Site, and View Project Schedule in Project Web App (Project Server 2013, Project permission mode).

A: From SharePoint 2010 Central Administration site, open Manage web applications from the Application Management section, and then open the PWA application.

Verify that Classic Mode Authentication is selected.

If it isn't, you'll need to create a new PWA instance that uses Windows-Classic authentication.

A: From the PWA home page, use the gear icon to open PWA settings.

If SharePoint Permissions mode is set, you’ll see this page:

(Screenshot: PWA Settings when SharePoint Permission mode)

If Project Permissions mode is set, you’ll see this page, which includes a section titled Security. You’ll also see additional links:

(Screenshot: PWA Settings when Project Permission mode)

A: By default, PWA apps are created using SharePoint permission mode.

If you switch from SharePoint permission mode to classic Project Server permission mode, you have to manually configure your security permissions structure in Project Server 2013. Switching between SharePoint permission mode and Project Server permission mode deletes all security-related settings.

To switch permission mode, see Set-SPProjectPermissionMode.

A: You need to find all the GUIDs of the application pools that support the Project Server Application, and then find the service accounts assigned to those application pools.

For Project Server 2010: Open SharePoint Central Site Administration, Application Management, Manage Service Application, Project Server Application. (SharePoint 80 site and SharePoint web app)

Next, go to IIS manager, expand sites, and find the SharePoint websites that host the PWA. Open Advanced settings for the application pool and you’ll find the identity for the AppPool.

For Project Server 2013: In IIS manager, expand sites, expand SharePoint web services, and expand each GUID until you find the one that contains the Project PSI service. In Advanced settings, identify the Application Pool, which is a GUID pool name.

Under IIS, AppPools, find the account used to run this GUID application pool.

© 2015 Microsoft