Thursday, July 23, 2015

Using target audience to prevent team members from accessing timesheet

Hi and welcome for this new blog post! 

The TechNet forums are a great source for improving our knowledge and experience since new concerns, ideas, workarounds or solutions always show up to enhance Project capabilities. Recently a user had a question about restricting timesheeting to a certain group of users. In other words, is it possible to prevent timesheet entry for a specific group? The first reply is "no", timesheet in Project Server and Project Online is a "all or none" feature as Dale Howard a fellow MVP said. A workaround I proposed subsequently consists in not enabling the "View Timesheets" global permission to a security group similar to the team member group. By the way, you can refer to this post for having all security references for Project Server versions. The description of the permission is "When this permission is denied, it prevents users from seeing the Timesheet Center link on the Project Web App Quick Launch menu". This permission does not lock down access to the Timesheet page and it is still possible for users to navigate to this page. But in addition, if you don't give access to the timesheet views to the associated category, it should prevent users in this group to submit timesheet. Well done! I've not tested it, but still, it is only a workaround, isn't it? I say workaround since it is a combination of configurations which are not intended to prevent users from doing timesheet. But put together, they more or less reach the same goal, with some weaknesses.

Then another person jumped in the thread and proposed to use the target audience. We are in a Project Server world, and evenif it is (more and more) part of the SharePoint ecosystem, we (or at least I) do not always instinctively think about exclusive SharePoint features for supporting our customer needs in terms of Project implementation.

So what is target audience and how does it work in a Project context (Project Online for my example)?

"Web Parts in Microsoft SharePoint Server can be targeted to appear only to people who are members of a particular group or audience. When you do this by editing the Web Part in the browser, SharePoint Server assigns the GUID that identifies the audience to the AuthorizationFilter property of the Web Part."

Basically you define groups (be aware that they are independant from the Project Server security groups) in the Central Admin or inthe O365 admin center. Then you edit the webpart and associate it with the given group.

Figure 1: access the O365 admin center
Once in the O365 admin center, you can access the groups section. In my Online demo tenant, I already have preconfigured groups which contain users and are gathered under distribution lists. Either you can use one of those if you already have groups or you can create a new groups.

Figure 2: edit or create group
Since I'm not a SharePoint expert, I will simply edit one the existing group and remove myself from the group (note that I have to declare another user as the group admin). Then go to the timesheet and edit the page. Select the timesheet webpart and open the properties.
Figure 3: edit the timesheet page and open the webpart settings
In the advanced settings, select your audience with authorized timesheet users, apply the change and close the page edition.
Figure 4: configure the target audience in the webpart advanced settings
Once done, if I come back to the timesheet page, here is what I got: just a blank page:
Figure 5: timesheet page for users not belonging to the authorized audiences
As an advice, I would suggest to make a combinaison of configuration for preventing a group of users from doint timesheet:
  1. Create a security group with the "View Timesheets" global permission not enabled,
  2. Configure a target audience for the timesheet webpart with authorized timesheet users.
Doing this, you ensure that the users cannot see the timesheet link in the timesheet, and in case they copy paste the timesheet page URL, they still cannot see the timesheet webpart. However note that it requires that you maintain Project Server groups AND the target audience groups, which might be tedious and increase the administrator workload.

Do you have other ways to prevent users from doing timesheet? I'll be glad to hear it, so please share your thoughts!

Share this article :

1 comment: