multi project security exception reports - oracle primavera p6 collaborate 14

REMINDER

Check in on the COLLABORATE mobile app

Multi-Project Security Exception Reports

Prepared by: Robert C Monks, PMP President & CEO Monks Project Solutions

Keeping Your Users Happy and Your Data Safe

Session ID#: 15463

Abstract

■ Managing project security permissions in PCM can be a daunting task, and the software doesn't make it any easier. This presentation shows how custom reports can be used to audit user security, if you administer a PCM solution. Solutions will be demonstrated using both InfoMaker and BI Publisher making the content valuable to a wide audience of PCM administrators. Participants will be offered the opportunity to receive the reports demonstrated.

Presenting Today

■ Robert Monks ▪ Project Management Institute, Project Management Professional ▪ Oracle University Certified P6 and PCM Instructor ▪ Oracle Certified P6 Implementation Consultant ▪ Oracle Certified PCM Implementation Consultant ▪ FAA Certificated Commercial Pilot, Instrument Airplane ▪ FAA Certificated Instrument Flight Instructor ▪ Father of two amazing daughters (Mary, 24 and Emily, 22) ▪ Husband of an amazing wife of 25 years (Cate) ▪ President & CEO of Monks Project Solutions

Monks Project Solutions

■ Oracle Gold Partner ■ Established in 1985 ■ Primavera Partner since 1987 ■ Located in Denver, Colorado ■ Providing value driven, sustainable organizational change

▪ Aligning people, process and technology

Security in Primavera Contract Management

Security Overview

■ Access Templates ■ User Settings ■ Project Assignments

PCM Security

PCM Security

PCM Security

PCM Security

Access Templates

■ Contain permissions for modules ■ Process permissions ■ Approval authority and monetary limits

User Accounts

■ Are assigned a company abbreviation and initials ■ Are assigned user level access privileges ■ Are assigned access templates ■ Are assigned projects using an associated access template

Projects

■ Have a project administrator assigned ■ Have users with access rights from an access template ■ Can have user access permissions which differ from the

applied access template ■ Can further restrict a user’s access by company abbreviation

What Could Possibly Go Wrong?

Project Security Exposure Points

■ Incorrect access template assigned to project ■ Project access rights not aligned with access template

▪ Access template changed, but not reapplied to all project assignments

▪ Access rights subsequently modified for a user on one or more individual projects

■ Failure to assign company restrictions after assigning project and template in PCM Administration module

■ Mismatch between company abbreviation in user account and company restriction assigned at project

■ Project administrators gone wild

Requirements to Manage Project Security

■ We need to know what users are assigned to what projects and which access templates users are assigned

■ We need to know what privileges each access template confers upon a user

■ We need to know which project access privileges differ from the assigned privileges from the access template

Security Exception Reports

Standard Security Reports Available in PCM

■ Details Security Report (r_sec_login_group_report_01) ■ Security Access Report (r_sec_access_report_01)

Standard Security Reports Available in PCM (cont.) ■ Details Security Report (r_sec_login_group_report_01)

▪ Accessed from the PCM Administration module ▪ Reports on all projects assigned to a user ▪ Does NOT show the access template used ▪ Shows NOTHING about the access granted to the project

Existing Details Security Report r_sec_login_group_report_01

Standard Security Reports Available in PCM (cont.) ■ Security Access Report (r_sec_access_report_01)

▪ Accessed from the PCM Projects module ▪ Reports on all rights granted to each user on a project ▪ Prints one page per user per project ▪ Single Project Report therefore, must be run for each project ▪ Provides no easy way to compare project rights versus access

template rights

Existing Security Access Report (r_sec_access_report_01)

Existing Security Access Report (r_sec_access_report_01)

So How Did We Improve These Reports?

Improved Details Security Report ■ Modified existing report’s Data Model to include

▪ Security table ▪ User_Projects table

■ Added group_name field to SELECT statement ▪ aliased as template_name

■ Added template_name to existing report body

Improved Details Security Report with linked access template shown

What Did We Change?

■ Original Data Model SELECT LOGIN_NAME,

SECURITY_VIEW.GROUP_NAME,

SECURITY_VIEW.PROJECT_NAME,

GROUP_PROJECTS.PROJECT_TITLE

FROM SECURITY_VIEW,

GROUP_PROJECTS

WHERE SECURITY_VIEW.USER_NAME = :USER_NAME

AND GROUP_PROJECTS.project_name = SECURITY_VIEW.PROJECT_NAME

ORDER BY LOGIN_NAME

What Did We Change?

■ Revised Data Model SELECT V.LOGIN_NAME, V.GROUP_NAME, V.PROJECT_NAME, G.PROJECT_TITLE,

s.group_name AS template_name

FROM SECURITY_VIEW as V, GROUP_PROJECTS as G,

SECURITY as s,

USER_PROJECTS as u

WHERE V.USER_NAME = ‘:USER_NAME AND G.project_name = V.PROJECT_NAME

AND G.group_name = V.group_name

AND u.group_project_key = v.group_name + '_' + v.project_name

AND u.user_name = v.user_name

AND u.template_key = s.master_key

ORDER BY V.LOGIN_NAME

New Template Access Report r_template_access_report_01 ■ Modeled from Security Access Report

▪ Copied Report and Data Model ▪ Changed Data Model to select Template rows, not Project rows

■ Original Report used SECURITY_VIEW ■ Revised Report uses SECURITY ■ Original Report was project specific and linked users to

projects ■ Revised report selects

▪ WHERE is_template = 1

New Details Security Report for Templates

New Template Project Differences Report ■ New report, entirely build from scratch ■ Links each user’s project permissions back to the current

template definition assigned to that project and reports any discrepancies ▪ Checks every module’s permissions ▪ Checks every processes permission ▪ Checks approval permissions and monetary limits

■ Reports any assignment whose template begins with “Ext-” and doesn’t have a company restriction ▪ This implements a “Best Practice” for beginning all templates for

external users with “Ext-” and all templates for internal users with an “Int-”

▪ May be disabled if this isn’t applicable to your situation

New Template Project Differences Report (cont.) ■ Does not attempt to identify the discrepancy—merely reports

on it.

Use Cases for the New Template Project Differences Report ■ Useful for identifying cases where an access template has

been modified and needs to be pushed out to users ▪ This is the Update Users feature in PCM 14.x ▪ Must be accomplished manually in PCM 13.1

■ Useful for identifying cases where a user’s assignment has been modified subsequently so that it no longer matches the standard template

■ Useful for identifying cases where a user (by virtue of his access template) should be restricted by company, but isn’t

■ Useful for identifying a disconnect between the user’s company abbreviation in his or her user account and the company restriction abbreviation in an individual project security assignment

Template/Project Security Differences Report

Template/Project Security Differences Report (cont.) ■ Multi-Project Report ■ Does NOT observe PCM Project Security

▪ Will report on project exceptions—even if the user doesn’t have rights to see those projects

▪ This seems a minor security risk, but judge for yourself

Have We Satisfied Our Defined Requirements to Manage Project Security? ☑ We need to know what

users are assigned to what projects and which access templates users are assigned

☑ We need to know what privileges each access template confers upon a user

☑ We need to know which project access privileges differ from the assigned privileges from the access template

Applying this Concept to Other Areas of PCM

Can We Apply to Other Areas of PCM?

■ Consistency and uniformity are desirable in database applications

■ Exception reports help identify deviations from standards ▪ Non-standard data ▪ Missing data

Create Multi-Project Exception Reports

■ Companies missing ▪ A Key Contact ▪ A Tax ID Number

■ Contacts missing ▪ Email address ▪ Mobile phone number ▪ Address information

■ Unapproved ▪ Budgeted Contracts ▪ Committed Contracts ▪ Purchase Orders ▪ Change Orders

■ Malformed Cost Codes

Questions?

■ Robert Monks ■ Rmonks@monks.com ■ 303-860-8870

Contact Information

Please complete the session evaluation We appreciate your feedback and insight

Session ID#: 15463

You may complete the session evaluation either on paper or online via the mobile app