Yesterday I posted a response to a question on the MS Project Server Newsgroup regarding Project Server security, and I thought that perhaps it might be helpful to re-post my explanation here... for those who either (a) don’t know about the newsgroup, or (b) can’t possibly read every posting out there.
Project Server security can be a confusing animal... especially for someone like myself who didn't have much experience with Microsoft networking and security before working with Project Server. It took me quite a while to "get my head around" the relationship between Groups and Categories in Project Server. I sometimes explain it like this...
Project Server Groups: consist of people / users
Project Server Categories: consist of system permissions that are available
From an administrator's standpoint, it's a good idea to avoid granting system permissions directly to users; rather, create groupings of users (Groups) and groupings of permissions (Categories), then tie them together in the middle.
I usually place users into Groups by role, such as "Executives", "Project Managers", "Resource Managers", "Team Members", and "Administrators"; then I determine which permissions each of those roles will need in the system. For example, "Executives" often need to view all project and resource data, but they don't need to edit anything, whereas "Team Members" only need to view the projects to which they are assigned, and "Administrators" need to view and edit all data.
After I've identified what "Executives", "Project Managers", etc. will need to do in the system, then I'll create a permission Category which aligns with each of the user Groups that I've created. These permission Categories will specify which data can be viewed / edited, which functions will be available, etc. For example, I might create a permission Category named "My Organization" which will specify the permissions needed for "Executives", a Category named "My Projects" which will specify the permissions needed for "Project Managers", or a Category named "My Tasks" which will specify the permissions needed for "Team Members".
Finally, I'll associate each of the user Groups with each of the permission Categories that I created. For example, I'll associate the "Executives" user Group with the "My Organization" permission Category and the "Team Members" user Group with the "My Tasks" permission Category.
Why create user Groups and permission Categories like this? It's not necessary, but it makes life a lot easier for the Project Server Administrator when people move from one role to another (simply add and remove them from the user Groups) or when they want to enable / disable features in the system (simply add and remove permissions from the Categories).
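To make the Groups / Categories pattern concrete, here is a small model of it in Python. This is an added example written for this post, not Project Server code or any Microsoft API: the group, category and permission names (such as "View All Projects" or "My Tasks") and the user names are constructed for illustration. It shows that a user's effective permissions are only ever the union of the Categories tied to the Groups they belong to, so a role change is a group membership change and a feature toggle is a category edit.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class SecurityModel:
    """Groups hold users, Categories hold permissions, and associations tie a
    Group to one or more Categories. No permission is granted to a user directly."""
    groups: dict[str, set[str]] = field(default_factory=dict)        # group -> users
    categories: dict[str, set[str]] = field(default_factory=dict)    # category -> permissions
    associations: dict[str, set[str]] = field(default_factory=dict)  # group -> categories

    def add_user_to_group(self, user: str, group: str) -> None:
        self.groups.setdefault(group, set()).add(user)

    def remove_user_from_group(self, user: str, group: str) -> None:
        self.groups.get(group, set()).discard(user)

    def add_permission_to_category(self, perm: str, category: str) -> None:
        self.categories.setdefault(category, set()).add(perm)

    def remove_permission_from_category(self, perm: str, category: str) -> None:
        self.categories.get(category, set()).discard(perm)

    def associate(self, group: str, category: str) -> None:
        self.associations.setdefault(group, set()).add(category)

    def effective_permissions(self, user: str) -> set[str]:
        """Union of the permissions in every Category tied to a Group the user is in.
        A user in no Group gets an empty set: there is no direct-grant path."""
        perms: set[str] = set()
        for group, members in self.groups.items():
            if user in members:
                for category in self.associations.get(group, set()):
                    perms |= self.categories.get(category, set())
        return perms

    def has_permission(self, user: str, perm: str) -> bool:
        return perm in self.effective_permissions(user)


def build_sample_model() -> SecurityModel:
    """Constructed sample mirroring the roles in the post (names are hypothetical)."""
    m = SecurityModel()
    # Categories: groupings of permissions
    for perm in ("View All Projects", "View All Resources"):
        m.add_permission_to_category(perm, "My Organization")
    for perm in ("View Own Projects", "Edit Own Projects"):
        m.add_permission_to_category(perm, "My Projects")
    m.add_permission_to_category("View Assigned Tasks", "My Tasks")
    for perm in ("View All Projects", "View All Resources",
                 "Edit All Projects", "Edit All Resources", "Manage Users"):
        m.add_permission_to_category(perm, "Everything")
    # Groups: groupings of users
    m.add_user_to_group("eve", "Executives")
    m.add_user_to_group("pat", "Project Managers")
    m.add_user_to_group("tom", "Team Members")
    m.add_user_to_group("alice", "Team Members")
    m.add_user_to_group("adam", "Administrators")
    # Tie them together in the middle
    m.associate("Executives", "My Organization")
    m.associate("Project Managers", "My Projects")
    m.associate("Team Members", "My Tasks")
    m.associate("Administrators", "Everything")
    return m


def demo_role_change() -> tuple[set[str], set[str]]:
    """alice is promoted from Team Member to Project Manager: only group
    membership changes, yet her effective permissions follow automatically."""
    m = build_sample_model()
    before = m.effective_permissions("alice")
    m.remove_user_from_group("alice", "Team Members")
    m.add_user_to_group("alice", "Project Managers")
    after = m.effective_permissions("alice")
    return before, after


def demo_feature_toggle() -> tuple[bool, bool]:
    """Disabling project editing for every Project Manager is one category edit."""
    m = build_sample_model()
    before = m.has_permission("pat", "Edit Own Projects")
    m.remove_permission_from_category("Edit Own Projects", "My Projects")
    after = m.has_permission("pat", "Edit Own Projects")
    return before, after


if __name__ == "__main__":
    model = build_sample_model()
    for user in ("eve", "pat", "tom", "adam", "stranger"):
        print(user, sorted(model.effective_permissions(user)))
    print("role change:", demo_role_change())
    print("feature toggle:", demo_feature_toggle())
```

The two demo functions are the two administrative cases from the post: a role move touches only group membership, and a feature change touches only a category. Because the model has no direct user-to-permission path, reviewing who can do what reduces to reading the group memberships and the group-to-category associations, which is a much smaller surface than auditing per-user grants.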
Every business environment is different, and this is a very simplistic explanation of Groups and Categories. In the real world, however, people often have unique requirements which require a more complicated security configuration. Hopefully this helps, though.