Skip to Content
avatar image
Former Member

Project Management authorizations

Hi all,

I have a situation where I have a lot of users who created a lot of Item and Projects. I need to lock the system for all, and then I will give ACO_SUPER for some users to let them work with the projects again.

When the users have created the projects they automatically have "admin" rights and thus are not affected if I add all users to the portfolio authorizations with "Read" access.

Is it in any way possible to make sure that, even though users have created the Items and Projects, I can overwrite the "admin" authorization they have with a "Read"

Another thing is, that for Items I can give "Read" access in the portfolio and this is then inherited down through buckets to Items. So this gives users who did not create the Item, access to it with "Read" access. This is okay, but is this possible in any way with Projects as well. I know there's no hierarchy as such, but if there is any way I can give all users "Read" access to all Projects, this would help me a lot.

Best regards,


Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

1 Answer

  • Best Answer
    avatar image
    Former Member
    Oct 27, 2014 at 01:52 PM

    Hi Morten,

    I believe it is possible for you to delete the authorization of the user who created the item/project. However, you will have to manually go to each item and/or project and manually delete. I did a brief test in my system and I was allowed to delete the creator, however, I would suggest you do some detailed testing on this with multiple users.

    To answer your second question,inherited authorizations do not sync via DFM. To overcome this what I have done is specified authorization in the project template. For example, in my system the requirement is all users should have read access to everything (which I think is your requirement as well). Therefore to overcome the fact that inherited authorizations are not synced, I have a role, lets say ZPPM_USER which is assigned to all users. This role is included in the ACL of the portfolio with read access and also in all template ACL's with read access. Of course, this solution assumes all projects are created from a project template.

    In general, I strongly believe that ACO_SUPER auth object should not be included any business roles. It should be restricted to IT PPM admin roles. There maybe cases where ACO_SUPER is required in a business role, but more of an exception if there is no other choice. Just my opinion 😊

    Hope that helps. Feel free to let me know if any questions.


    Add comment
    10|10000 characters needed characters exceeded

    • Former Member Former Member

      Yes, unfortunately it will not help for the existing projects. Your only option may be to write a custom program to update the authorization if it's worth the effort. I did have a situation as well where we had to overhaul the security design for PPM and it involved tedious manual effort to update authorization for all active projects/items.