Project Server 2013: Project now controls the Visitors group on Project Sites

We are seeing a few customers finding that a change we introduced in November is causing some users on project sites to lose access.  The change came about in the November Cumulative Update (CU) and the bug is described in the KB – 2899547 as:

  • You create a security group in PWA and add a user to the group.
  • You set the same Resource Breakdown Structure (RBS) value for the user and a project manager.
  • You create a new category and select the The Project Owner has the same RBS value as the User check box.
  • You add the newly created security group to this category and select the View Project Site check box.
  • The project manager creates a new Enterprise project and publishes the project.

In this scenario, the user is added into the Team Member SharePoint security group in the SharePoint site of this project, which is unexpected. This gives the user contributor rights to the content in the project site instead of reader rights.

Going back to 2010 we used a ‘Readers’ group for this level of access, but in 2013, before this fix, similar users would get added to the Team Members (Project Web App Synchronized) group.  This meant that we were giving a higher level of access which gave contributor rights – not what the Project Manager intended when the user was configured as per the above scenario.

Based on customer demand, a fix was made to address the problem.  However, the implementation has caused a challenge with some customers.  Rather than put these users in the Team Members group we are now adding them to the Visitors group so they have a level of access similar to the 2010 behavior.  As you may already know from previous experience with the groups that Project Server manages – you cannot also add other users to these groups manually – as we will just remove them on the next synchronization of users to that project site.  This means that prior to this fix the Visitors group could be treated like any other non-managed group and customers could add their own users without fear that they would be kicked out – but with this fix in place we now control this group – so customers will need to create another custom SharePoint group with similar rights and then they can add users that new group and we will not touch them.

For Project Online it looks like this same fix will eventually roll through too – sometime in the Spring of 2015.  I’ll try and remember to update nearer the time.