Testing User Roles with Delegation

Delegation in Project Server 2010 is one of those features that I’ve been vaguely exposed to but have never really played with in detail.  I always felt that the feature was designed for one user to cover for another user – a nice idea, but a function that I never saw a major need for (although my supported user base is starting to convince me otherwise).

Lately though I‘ve seen the feature mentioned in a different perspective – as an administrative aid.  Those discussions were percolating in the back of my head until a client asked me how they could test specific security and views from various perspectives.  That’s when delegation finally clicked for me.  I played with it, and yes indeed, delegation is a fantastic tool to test Project Server from multiple user roles.

This functionality doesn’t quite replace setting up a couple of dummy accounts to test with, which was the typical practice with the 2007 version of the tool.  As long as you stick with Project Server functionality, delegation’s pretty good.  Once you start testing BI Center or PDP security though, delegation won’t work, and you’ll have to go back to use dummy accounts.

I also must point out that this is not a very original posting.  In fact, when I started looking for documentation on this feature, I found this great one from Alex Burton dated way back in December 2009.  So consider this post to be the blog equivalent of the digital bump in the distribution list. 

This post may be a little different in that it’s written from the perspective of an administrator testing the system.  My goal is not to roll delegation out to everyone in the organization, but merely to turn on just enough of it to allow the administrator to become a delegate to anyone in the resource pool.

Security Settings

Heather O’Cull wrote a great write up of the security settings in her post from March 2010.  The key to turning on delegation is to turn on three of the four security toggles in the Project Web App Permissions:

  • Manage Resource Delegates – this toggle turns on the feature and allows you to use it.
  • Can Be Delegate – this allows you to become a delegate.
  • Manage My Resource Delegates – this allows you to assign yourself as the delegate for another user.

image

Last but not least, we have the fourth security setting…

  • Manage My Delegates – this security setting is not strictly required in this scenario as it allows you as administrator to assign someone else to be your delegate.  You could turn it on, but if we use the principle of least permissions, I would leave this one off.

Group Security Settings

Each of those security settings has a corresponding setting in the Global Permissions section of the User Group.  I would make sure that everyone but the Administrators group have these permissions checked off, i.e. a soft deny.  The Administrator should have all permissions checked to “allow.”

image

Note that the Administrator Group:My Organization Category also has a Manage Resource Delegate option that is on by default – but off by default for the other groups.

Testing Specific Roles

Once the security has been configured, you merely have to navigate to the Personal Settings option on the Quick Launch menu.

image

Once there, select the option to Manage Delegates.

image

Save the configuration.  When you wish to test the role, simply go back to Personal Settings and choose the option to Act as a Delegate.

image

You now see Project Server through the same perspective as the user selected in the delegation configuration screen.  Click on the yellow bar to stop the delegation process and return to your normal permission level.

Additional Resources

One of the other reasons that I wasn’t so keen on delegation when I was first introduced to it was that there didn’t appear to be much of an audit trail based on who was doing what on whose behalf.  When doing research for this post, I turned up on old posting from Christophe Fiessinger where he provided a tool to capture when delegation was turned on and for which users.

Migrating from 2007?  Check out Brian Smith’s blog on delegation in migrated environments

And finally, it’s all documented on Technet.

Advertisements
Testing User Roles with Delegation

3 thoughts on “Testing User Roles with Delegation

  1. nice article.
    i have experienced some great deal of usage of delegation at one of my clients side, and i do think that the abcense of audit log is a major lacking in project server. particularly for the banking organizations or the organzation emphaises alot on the user or network security, the query has been thrown to me quite a lot of times during the pre-sales sessions. I know that it can be built, but then there is time-money constainst jumps from the client side, where all of them want the project to be finished within no time and no money 🙂

  2. Couple more things about Delegation:

    Heather’s post mentions that Delegation is the replacement for ‘Surrogate Timesheets’ from 2007, but Delegation cannot be used with ‘resources’, like surrogate timesheets was used …This is an issue where you were putting in time for external resources that not in the system..

    However, we recently discovered that 2010 allows ‘dummy’ user accounts.. not sure if it is a bug yet.. so I guess this could be used as a work-around…

  3. Is it inevitably the case that a user with ‘Manage Resource Delegates’ permissions will always be able to act as an Administrator because they can set up a delegation for themselves to a user belonging to the Administrators group?

    I find that removing the ‘Manage my Delegates’ permission from an administrator will prevent the user herself from delegating her administrative permissions to others, but another user with ‘Manage Resource Delegates’ permissions will still be able to delegate her administrative permissions to others — not least to themselves.

    The context is that I would like to enable a colleague to access the Timesheets of any others that she chooses, but I do not want her to have full administrative permissions on the system.
    As far as I know this is not possible – but I would love to hear otherwise!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s