Microsoft Office Project Conference 2007 - Simple Effective Rights

I'm Phil Smail, one of the Program Managers from the Product Group. One of my presentations during MOPC 2007 was on security programmability. As part of that presentation I demonstrated some code that I wanted to get onto this blog.

This code is a Simple Effective Rights tool. It's essentially a cut-down version of the View Effective Rights tool we shipped with the Project 2003 Project Resource Kit (and will be shipping soon in the Project 2007 Project Resource Kit).

It's a WinForms application that uses the PSI to calculate, by brute force, why a user does or doesn't have the correct permissions. This version only handles Project permissions but could very easily be modified to handle Resource and Global permissions.

When you first start the application you'll get the following logon screen:

[Screenshot: logon screen]

When you enter the URL you are presented with the main Form page:

[Screenshot: main form]

There are three drop-downs at the top of the page: one to select the User, the second to choose the relevant permission, and the third to choose the Project Name. Once those details have been entered you just need to hit the 'Effectivize my Rights' button. It then looks like the following:

[Screenshot: results grid]

The columns mean the following:

Column Name | Possible Values | Purpose
Right | Allow/Deny | The right specified for the selected Permission
Object Present | True/False | Whether the object is explicitly added to the category. If not then it may be accessible through the Category rules
Category Name | N/A | The name of the category giving the user permissions
User/Group Name | User name or the Group name | If this is via the User then the User Name is displayed else we just display the name of the Group
Applicable Rules | See the list below | The rules specified by the Category that may be relevant to the effective Permission

Possible values for Applicable Rules:

· All current and future projects in Project Server database

· Only the projects indicated

· The User is the Project Owner or the User is the Status Manager on assignments within that Project

· The User is on that project's Project Team

· The Project Owner is a descendant of the User via RBS

· A resource on the project's Project Team is a descendant of the User via RBS

· The Project Owner has the same RBS value as the User

In the case above, the following can be understood:

· The effective right is Deny for this user, this permission on this project

· The user is denied in 4 categories, 3 directly on the user, one through a group

Under the covers, it goes through the user object and works out which categories the user has permissions on, whether the object exists in each category, and what permission the user has on those objects. It then goes through all the groups the user belongs to, works out which categories they have permissions on, and calculates the same information. Together this gives the effective right the user has.

Why do we have to go through every item to work out the effective right of the user? Unfortunately there isn’t a PSI that tells us the effective permission of a user other than the logged on user.
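The walk described above can be sketched as follows. This is an added Python example, not code from SimpleVER or the PSI: categories are held in memory instead of being read through the PSI, only the "All current and future projects" rule is modeled, and it assumes that a single Deny overrides any Allow. All user, group and category names are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Category:
    name: str
    projects: set                 # projects explicitly added to the category
    all_projects: bool = False    # rule: all current and future projects
    grants: dict = field(default_factory=dict)  # principal -> {permission: right}

def effective_right(user, groups, permission, project, categories):
    """Return (verdict, rows); each row mirrors the tool's result columns."""
    rows = []
    # Walk the user object first, then every group the user belongs to.
    for principal in [user, *groups]:
        for cat in categories:
            right = cat.grants.get(principal, {}).get(permission)
            present = project in cat.projects
            if right is None or not (present or cat.all_projects):
                continue  # permission not set here, or category misses the project
            rows.append({"Right": right, "Object Present": present,
                         "Category Name": cat.name, "User/Group Name": principal})
    rights = {row["Right"] for row in rows}
    # Assumption: one Deny anywhere beats every Allow; no row means no right.
    verdict = "Deny" if "Deny" in rights else "Allow" if rights else "Not set"
    return verdict, rows

# Constructed sample data (hypothetical user, group and category names).
SAMPLE = [
    Category("My Projects", {"Plan A"},
             grants={"alice": {"Open Project": "Allow", "Save Project": "Allow"}}),
    Category("Restricted", set(), all_projects=True,
             grants={"Project Managers": {"Open Project": "Deny"}}),
]

if __name__ == "__main__":
    verdict, rows = effective_right("alice", ["Project Managers"],
                                    "Open Project", "Plan A", SAMPLE)
    print("Effective right:", verdict)
    for row in rows:
        print(row)
```

The Deny row comes from a group and a rule-matched category (Object Present is False), which is the kind of cause that is hard to spot without listing every user and group entry.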

SimpleVER.zip