SOLVED

Prevent Team Members having permission to edit projects they are not part off

Copper Contributor

Hi, The Project Online configurations are set up with Project permission mode and built-in groups are mapped to AD security groups. The Categories and Global Permissions are left as OOB default settings. Checked SharePoint groups and there are no members included in those groups either and every setting of those groups are left as OOB default.

Yet, when the administrator impersonates a user who is part of the Team members group, they are able to edit a project where this user is not part of the project team. My understanding is that Team members are able to view projects but to be able to edit a project they should be part of the project team. Is that understanding incorrect? Kindly advice on how to prevent a team member who is not part of a specific project, from editing the project. Thank you!

7 Replies
best response confirmed by jenyalex (Copper Contributor)
Solution

Hello @jenyalex ,

The default permission group and categories for Team Members does prevent those users from editing projects, if the user is only a Team Member they will only be able to view those projects where they are added to the project team. The default Team Member group has just the My Tasks category added. The Team Member group category permissions for My Tasks doesn't allow edit access:

PaulMather_0-1636407052259.png

You mentioned you are testing with a admin user who is impersonating, there are certain differences in what is / isn't displayed when using the delegation feature when the admin user is a global admin or site collection admin. Have you tried logging in and testing directly as a Team Member user rather than via delegation?

Paul

 

No, it didnt occur to us to try logging in as the user itself. But yes for Team Members the default Category is My Tasks and we have left it as OOB and looks exactly like your screenshot. This is why it was strange to us as to why the impersonated user could edit the project. Thanks Paul, I will try and let you know. Btw the Administrator does have site collection admin permission.
jenyalex --

If the person using the Delegation feature is a site collection administrator, then the Delegation features DOES NOT work as designed. The system applies site collection administrator permissions during the delegation session, and not the permission for the person being impersonated. That would explain why you are seeing the problem. Hope this additional information helps.
Oh that sure helps Dale! Thank you, now that makes sense! I will report back in a bit.

Hey @Dale Howard ,

This happens if the user is a global admin or site collection admin (I mentioned that in my reply :smile:).

Paul

@paul & @Dale thank you! We tested with users who are actual team members & was able to see only the projects they supposed to see! Thank you very much!
1 best response

Accepted Solutions
best response confirmed by jenyalex (Copper Contributor)
Solution

Hello @jenyalex ,

The default permission group and categories for Team Members does prevent those users from editing projects, if the user is only a Team Member they will only be able to view those projects where they are added to the project team. The default Team Member group has just the My Tasks category added. The Team Member group category permissions for My Tasks doesn't allow edit access:

PaulMather_0-1636407052259.png

You mentioned you are testing with a admin user who is impersonating, there are certain differences in what is / isn't displayed when using the delegation feature when the admin user is a global admin or site collection admin. Have you tried logging in and testing directly as a Team Member user rather than via delegation?

Paul

 

View solution in original post