Managing Security in Project Server Part II – RBS vs Categories

So as as i was going through the managing security in my last post and left the subject of RBS for next post, so starting here with RBS vs Security Category, so when should you be really using RBS

Though the topic is quite subjective and requires discussion but trying to make it somewhat objective you will find many other view points so here is one of mine

Also i wouldn’t be going in details on configurations and other aspect of RBS as there are so many great posts out there which already gives what you would need

When should you Consider RBS 

Only if you want to limit access to Project and Resource data based on your organization hierarchy or to be more specific say reporting hierarchy then you should go with RBS, where in any resource would be able to see data at his peer level or below

But what if someone would want to see data above there level ? you might end up mixing RBS with Category & groups and this has what has caused problems with security my personal recommendation try avoiding mixing RBS and security categories & groups as much as possible (not that it shouldnt be done, its just my experience), else at times there are unintentional circular relationships built and it becomes difficult to trouble shoot security issues on who is assigned where and what RBS is doing / restricting and where category is playing the role

Many a times it has been asked how to handle/accommodate vendor resources within RBS, hence thought this reference might be useful in getting better insight & understanding

http://blogs.msdn.com/b/project/archive/2007/05/25/how-to-setting-up-rbs-security-for-vendor-resources.aspx

When you should consider Security Categories instead

If security is required to be role based, rather than hierarchy  example PM needs edit access to his own project which in any case he will have, but as a fact of transparency need read access to all other projects (Cross business unit products )

In my opinion using Role based security model i.e. Categories is more flexible & manageable than RBS and with project server 2010 onward having Dept as another filtering mechanism you can make use of the combination and derive what you want easily than ever before

but as pointed out in last post managing security categories are not always easy & often leads to manual overhead but customizing it might be a good option for managing overhead

28.635308 77.224960

Read Full Post »

Excel Services vs. SSRS Considerations

Lot of times i have seen users asking when should i be creating a report in Excel Services or should i be using SSRS, in my future post i will be covering around performance point reports as well but for now i would be just giving you high level objective guidance on when to use Excel Services vs when to use SSRS

Note: this is my personal experience and would be applicable generally but exceptions are everywhere

Excel Services When to consider

• Interactive Filtering : As we all know with excel services you can still filter data even when the data has been rendered within the sheet, but for SSRS report you need to predefined filters in form of parameters, once the data is rendered you need to reapply the filter and refresh in order to render the report, hence consider excel services wherein interactive data filtering would be required  
• Conditional / Interactive Formatting : Conditional / Interactive  formatting is something which is easily available and can be done within excel but with SSRS though conditional formatting might take some effort to develop but interactive formatting might not be available at all
• Pivot table Layout : So one of the things excel does the best is Pivoting of data, it’s not that SSRS can’t do that, with matrix & query combination it can be achieved to a degree but considering the effort i would suggest use Excel services than to be using SSRS
• Quick Report : Another aspect to decide how quickly you need  the report, with excel services you might be up & running within few minutes than SSRS taking more time to design & develop the report, hence  for rapid report development, often i use term RRD to as an acronym, use Excel services
• Usability : From usability standpoint since still more than 90% of the people use Excel as their reporting tool, hence people love to see their report in Excel, so it also depends upon audience what sort of audience you have

SSRS Reports when to consider

• Tabular layout : If you are developing reports with tabular layout, personal recommendation would be to use SSRS than Excel services specifically if there are external data ranges, though even pivot table data can be shown as tabular format in excel but in my personal experience i have had problems with tabular reports, hence i recommend SSRS for the same
• Dynamic parametrized query : Though some of them can be achieved by using query filter webpart and by passing parameter or Using UDF in combination but needs additional effort, also excel loads all the data at once and can only be filtered wherein all data might not be required upfront, also increased load time of report, whereas SSRS renders limited set of data as per parametrize filter 
• External Images / 3D Charts : If you are using external linked images SSRS would be the way to go, also you would notice that charts within excel services renders flat rather than three-dimensional, also have experienced issues with colors being plotted on excel services as when hosted have experienced color disorientation
• User Specific Permissions :  This can still be done in Excel services but at times is a security overhead which needs to be managed but can easily be done with SSRS report 
• Multiple Export Options : There are multiple report export options available within SSRS whereas with Excel services you can only export as excel
• Subscriptions : One of the best advantages is see is automated subscriptions from SSRS which is not available out of box with excel services though the same can be achieved using customizations but as always an additional overhead

Hope this helps clarifying and narrowing down options for reports

 

28.635308 77.224960

Read Full Post »

Managing Security in Project Server Part I

Often we have seen that out of box securities are not enough to handle the security requirements within an organization, so we start looking for options for managing security, often we end up creating multiple groups & categories, though there is another security model that can be worked out using RBS but as per my experience RBS has its own constraints which in itself is another topic of discussion, hence leaving it to be explained as part of next post, so as said we often end up creating multiple categories in order to segregate projects, it remains good as long as there are few but often down the line it starts getting complex and hence adding manual overhead to maintain it, now there are several things options we could pursue

I won’t be talking about managing security categories & groups manually as we all know that’s the option typically used other methods but would definitely recommend plan early for all your security needs as if you are planning customized automated security implementation you may need to start discussions early in the phase of implementation you will know why i am saying so as as you read down

• Using Project Permission :: Let the project owner decide & manage the security, this is also applicable in cases where there are some people who are not on project team or project task neither overseeing a project but need permission to see the project, for eg an Audit group which is not related directly to project but as an individual department needs to audit few projects, so this could be achieved using Project Permission which an owner can manage by himself, refer to the link for more details on how to use it, Advantage of using this method is you don’t need to create additional categories or groups to manage permission every time such a request comes, disadvantage is there are predefined permissions that you can but still doesn’t makes an overhead for your administrators, but be cautioned as this method gives flexibility it also adds another level of risk and needs monitoring on a regular basis as to when the permission needs to be removed once the work is done

• Using Automated methods which essentially involves customization :: So when you think security management would be an overhead for administrators and you don’t want to call upon an administrator every time a project is created to get the project added to a specific category, you may want to get some customization done where in using code you get your projects automatically added to a specific category as soon as the project is created, for eg based on an enterprise project type and some other project level metadata you would want to add the project automatically to the category, so for this you would need to get some PSI code working and hence in this post below you will find the code base for achieving the same

Now remember above i said you should start planning / discussion early on your security automation and the reason was now so you have the code base available which can automatically add the projects to categories but to implement the code there are several possible solutions one of them being the custom workflow, so if your custom workflow is in development you may want to embed the code within your workflow and so you need it early, there isn’t any hard or fast rule why you should be doing it the first time but from my experience would recommend to get it done earlier as no of times you redeploy your workflow you lose workflow history as you need to reattach all your projects to the workflow and need to move them into appropriate stages

Hence there are 2 possible ways you could get your code deployed as below

1. Embed the code base within your custom workflow

2. Add the code base as server-side event handler (Recommended)

In my opinion i would recommend using the second approach as it removes the dependency of workflow and if in worst case anything appears to be causing trouble with the code it can be easily redeployed and would not cause any trouble to workflow, but adding to workflow has its own advantages 🙂

Now having talked too much would just post my code below, remember it’s based on WCF & i am using compiled ProjectServerServices.DLL & Project Server Library DLL as reference hence please remember to add & other referenced them before you start using it

 

private void CreateCategory_Click(object sender, EventArgs e)

{

pwaUrl = @”http://ServerName/pwa/”;

pwaUri = new Uri(pwaUrl);

const int MAXSIZE = 500000000;

const string svcRouter = “_vti_bin/PSI/ProjectServer.svc”;

pwaUrl = pwaUri.Scheme + Uri.SchemeDelimiter + pwaUri.Host + “:” + pwaUri.Port + pwaUri.AbsolutePath;

// Create a binding for HTTP.

BasicHttpBinding binding = null;

if (pwaUri.Scheme.Equals(Uri.UriSchemeHttps))

{

// Create binding for HTTPS.

binding = new BasicHttpBinding(BasicHttpSecurityMode.Transport);

}

else

{

// Create binding for HTTP.

binding = new BasicHttpBinding(BasicHttpSecurityMode.TransportCredentialOnly);

}

binding.Name = “basicHttpConf”;

binding.SendTimeout = TimeSpan.MaxValue;

Console.WriteLine(“SendTimeout value:\n\t{0} days,\n\t{1} hours,\n\t{2} minutes,\n\t{3} seconds”,

binding.SendTimeout.Days.ToString(), binding.SendTimeout.Hours.ToString(),

binding.SendTimeout.Minutes.ToString(), binding.SendTimeout.Seconds.ToString());

binding.MaxReceivedMessageSize = MAXSIZE;

binding.ReaderQuotas.MaxNameTableCharCount = MAXSIZE;

binding.MessageEncoding = WSMessageEncoding.Text;

binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Ntlm;

// The endpoint address is the ProjectServer.svc router for all public PSI calls.

EndpointAddress address = new EndpointAddress(pwaUrl + svcRouter);

#region UID

ICredentials credentials = new NetworkCredential(“UserName”, “Password”, “Domain”);

#endregion

SvcSecurity.SecurityClient SecClient = new SvcSecurity.SecurityClient(binding,address);

SecClient.ClientCredentials.Windows.ClientCredential = (NetworkCredential)credentials;

SecClient.ClientCredentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Impersonation;

SecClient.ChannelFactory.Credentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Impersonation;

SecClient.ChannelFactory.Credentials.Windows.AllowNtlm = true;

SecClient.Endpoint.Address = new EndpointAddress(pwaUrl + “_vti_bin/PSI/ProjectServer.svc”);

using (OperationContextScope scope = new OperationContextScope(SecClient.InnerChannel))

{

// Disable Forms/ADFS authentication, to enable Windows authentication.

//WebOperationContext.Current.OutgoingRequest.Headers.Remove(“X-FORMS_BASED_AUTH_ACCEPTED”);

//WebOperationContext.Current.OutgoingRequest.Headers.Add(“X-FORMS_BASED_AUTH_ACCEPTED”, “f”);

try

{

Guid NewCustomCatID = Guid.NewGuid();

SvcSecurity.SecurityCategoriesDataSet CatDS = new SvcSecurity.SecurityCategoriesDataSet();

SvcSecurity.SecurityCategoriesDataSet.SecurityCategoriesRow NewCatRow = CatDS.SecurityCategories.NewSecurityCategoriesRow();

NewCatRow.WSEC_CAT_UID = NewCustomCatID;

NewCatRow.WSEC_CAT_NAME = “Test Category from Code “;

NewCatRow.WSEC_CAT_DESC = “This is test category 1.”;

CatDS.SecurityCategories.AddSecurityCategoriesRow(NewCatRow);

#region Optional operations which can be performed

////////////////////////Examples OF Other Functions that can be perofrmed (Optional)/////////////////////////////////////

// Add a user to New category.

SvcSecurity.SecurityCategoriesDataSet.UserRelationsRow userRelationsRow = CatDS.UserRelations.NewUserRelationsRow();

userRelationsRow.WSEC_CAT_UID = NewCustomCatID;

// Pass a resource GUID.

Guid existingResUid = new Guid(“xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx”);

userRelationsRow.RES_UID = existingResUid;

CatDS.UserRelations.AddUserRelationsRow(userRelationsRow);

// Specify the permissions for the user on new Category.

SvcSecurity.SecurityCategoriesDataSet.UserPermissionsRow userPermRow = CatDS.UserPermissions.NewUserPermissionsRow();

userPermRow.WSEC_CAT_UID = NewCustomCatID;

userPermRow.RES_UID = existingResUid;

userPermRow.WSEC_ALLOW = true;

// Add an object (project or resource) to new category

SvcSecurity.SecurityCategoriesDataSet.SecurityCategoryObjectsRow category2ObjectRow = CatDS.SecurityCategoryObjects.NewSecurityCategoryObjectsRow();

category2ObjectRow.WSEC_CAT_UID = NewCustomCatID;

category2ObjectRow.WSEC_OBJ_TYPE_UID = PSLibrary.PSSecurityObjectType.Project;

category2ObjectRow.WSEC_OBJ_UID = new Guid(“xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx”); // Pass Project UID to be added to the category

CatDS.SecurityCategoryObjects.AddSecurityCategoryObjectsRow(category2ObjectRow);

////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

#endregion

SecClient.CreateCategories(CatDS);

}

catch (System.ServiceModel.FaultException fault)

{

string errAttributeName;

string errAttribute;

string errOut;

string errMess = “”.PadRight(30, ‘=’) + “\r\n”

+ “Error details: ” + “\r\n”;

PSLibrary.PSClientError error = GetPSClientError(fault, out errOut);

errMess += errOut;

PSLibrary.PSErrorInfo[] errors = error.GetAllErrors();

PSLibrary.PSErrorInfo thisError;

for (int i = 0; i < errors.Length; i++)

{

thisError = errors[i];

errMess += “\r\n”.PadRight(30, ‘=’) + “\r\nPSClientError output:\r\n”;

errMess += thisError.ErrId.ToString() + “\n”;

for (int j = 0; j < thisError.ErrorAttributes.Length; j++)

{

errAttributeName = thisError.ErrorAttributeNames()[j];

errAttribute = thisError.ErrorAttributes[j];

errMess += “\r\n\t” + errAttributeName

+ “: ” + errAttribute;

}

}

MessageBox.Show(errMess);

}

}

}

28.635308 77.224960

Read Full Post »

Why Resources shouldn’t be assigned on a Summary Task

Resources should never be assigned on Summary Tasks as per the Best Scheduling Techniques in MS Project. It could leads to project corruptions (in few cases while publising), duplication of Work Hours when same resource is again assigned on sub-tasks, resource overallocation and mis-calculations of Work hours while honoring the dependencies.

Duplication of Work

1) Assigned resource “John” on Summary Task and again assigned him on another sub-task. Which will duplicate his Work hours. Look at the image below, Work rolls-up to 200 hrs.

2) Now I deleted “John” from Summary Task, which eliminated his Work from Summary Task by 9d X 8 hrs/d -> 72 hrs. So now total Work reduced by 72 hrs. to 128 hrs. Look at the image below.

Mis-calculation of Work hours to honor dependencies while a resource is assigned on a Summary Task

3) Resource “John” assigned on Summary Task and a sub-task below, Work hours roll-ups to 184 hrs. See the snapshot below.Refer to point 1 above it was 200 hrs. when all tasks were FS linked, but 184 hrs. when Task 2 and 4 are starting together. So, in this case due to different dependency type or absence of any link calculation is different than point 1.

4) Now after deleting John from Summary Task hrs. come to 128 hrs.So, if you refer to point 2 calculation remains intact.

If you would notice in Pic 1 and Pic 3 they are showing John as over-allocated which is due to duplication of efforts, which logically is not correct. In Pic 4 John is shown over-allocated which in fact is correct, as 2 tasks are starting in parallel.

So, to avoid all such mis-calculations and wrong estimations we should not assign resources on Summary tasks, even if it means that same resources are working on all sub-tasks, they should be assigned individually.

Read Full Post »