Nov 08 2021 07:21 AM
Hi, the Project Online configurations are set up with Project permission mode, and built-in groups are mapped to AD security groups. The Categories and Global Permissions are left as OOB default settings. Checked SharePoint groups and there are no members included in those groups either, and every setting of those groups is left as OOB default.
Yet, when the administrator impersonates a user who is part of the Team members group, they are able to edit a project where this user is not part of the project team. My understanding is that Team members are able to view projects but to be able to edit a project they should be part of the project team. Is that understanding incorrect? Kindly advise on how to prevent a team member who is not part of a specific project from editing the project. Thank you!
Nov 08 2021 01:34 PM
Solution
Hello @jenyalex,
The default permission group and categories for Team Members do prevent those users from editing projects. If the user is only a Team Member, they will only be able to view those projects where they are added to the project team. The default Team Member group has just the My Tasks category added. The Team Member group category permissions for My Tasks don't allow edit access:
You mentioned you are testing with an admin user who is impersonating. There are certain differences in what is / isn't displayed when using the delegation feature when the admin user is a global admin or site collection admin. Have you tried logging in and testing directly as a Team Member user rather than via delegation?
Paul
Nov 09 2021 04:47 AM
Nov 09 2021 06:37 AM
Nov 09 2021 06:47 AM
Nov 09 2021 09:58 AM
Hey @Dale Howard,
This happens if the user is a global admin or site collection admin (I mentioned that in my reply).
Paul
Nov 09 2021 11:07 AM
Nov 10 2021 02:52 AM
Great to hear @jenyalex