Security

Note

The default security roles cannot be modified. Note that if you replace the default security roles with your own custom security roles in an Altus deployment, the default Home Screen will not operate as intended and will need to be replaced with a customised version or disabled. The left side menus will still work as intended.

Security overview

The Security framework for the Altus Solution is modelled on the permission model employed by Project for the Web and leverages the capabilities of Dynamics 365 Roles.

To accommodate both everyday use of Altus and complex security requirements that customers may have, we provide security capabilities through a Basic Security Model as well as a Modular Security Model. The Roles provided in each model can be mixed and matched to suit requirements. In addition, custom roles can be created if required.

There are five Roles which are shipped as part of the Basic Security Model - each of which provides a layered approach to user access to the system.

Additional Roles are included with the Modular Security Model. These Roles provide access to specific functionality within Altus.

Altus leverages the use of Teams in Dynamics 365 to provide group level Ownership to Dataverse entities. We replicate the ownership behaviour of the records in Dataverse that relate to projects in Altus. For example, if a project is owned by a Team, that Team will also be attributed Ownership for any Risks, Issues, etc that relate to that project. This provides access to all records relating to the project to the entire project Team. This same behaviour is extended to portfolios and programs in Altus.

Note

Altus Strategy Functionality is only made available when an Altus Strategy license has been activated.

Basic security model

In the Basic Security Model each role builds upon the permission set of the underlying role. If using just the Basic Security model, users need only be a member of one Altus Role.

The Basic Security Model can be depicted as per the following diagram:

This image displays the way the security groups build on access of other groups

Altus Project User

The Altus Project User role is the base level role for a user of Altus. Users in this role have the required permissions to create, update and delete records that relate to Projects that they have created or have been provided access to via a project group/team.

Users who are in this role have access to the Altus app and can navigate the Altus Project and Altus Work areas within the app.

For a breakdown of this role’s access please click here.

Altus Project Executive

This role is intended for users who require access to all projects in Altus, but who do not require the Altus Portfolio functionality. Users in this role have the required permissions to create, update and delete records that relate to any/all Projects in the user's Business Unit.

Users who are in this role have access to the Altus app and can navigate the Altus Project and Altus Work areas within the app.

For a breakdown of this role’s access please click here.

Altus Portfolio User

This role is intended for Users who require access to Altus Portfolio functionality in the Altus app. This role provides users with access to create and manage portfolios and programs and with Read/Write visibility of all projects and registers in the user's Business Unit.

Users who are in this role have access to the Altus app and can navigate the Altus Portfolio, Altus Project and Altus Work areas within the app.

For a breakdown of this role’s access please click here.

Altus Strategy User

This role is intended for users who require access to Altus Strategy functionality in the Altus app. This role provides users with access to create and manage strategic functions, with visibility of all portfolios, programs, projects and registers within the user's Business Unit.

Users who are in this role have access to the Altus app and can navigate the Altus Strategy, Altus Portfolio, Altus Project and Altus Work areas within the app.

For a breakdown of this role’s access please click here.

Altus Admin User

This role provides administrator level access to all custom Tables relating to Altus including the ability to create, update and delete any Table records relating to the Solution. Admin access is provided across data for the entire Organisation (e.g. all Business Units). Admin Users are provided with access to all areas in the Altus app including Settings.

Modular security model

The Modular Security Model provides capability for more fine-grained controls of which users have access to what functionality within Altus. Depending on their requirements, a user may be granted more than one of the modular security roles. (The modular security roles could also be used in conjunction with the basic security roles to fulfil specific requirements).

Many roles within the Modular Security Model allow access to be determined by the owning Business Unit of records - giving flexibility for separation of access to data. If no separation of data is required, an organisation could choose to use only the root organisation Business Unit in Dynamics.

Note

Modular Security roles are not specifically designed to be functionally complete in isolation - usually they are applied as a combination with existing security roles.

Altus - Program Manager

Users in the Altus - Program Manager role have Read access to all projects, proposals, challenges, and ideas within their Business Unit, as well as Read/Write access to programs or projects where they are the sole owner or a member of the associated group/team.

Note:

  • A Program Manager will only have visibility of Programs within their own Business Unit if they are either the sole owner of that record or where they are a member of the Program Team/Group.
  • A Program Manager will not have visibility of programs or projects from other Business Units (unless they have specifically been granted access via the associated program or project group/team).

For a breakdown of this role’s access please click here.

Altus - Portfolio Manager

Users in the Altus - Portfolio Manager role have Read access to all projects, programs, proposals, challenges, and ideas within their Business Unit, as well as Read/Write access to portfolios, programs, or projects where they are the sole owner or a member of the associated group/team.

Note:

  • A Portfolio Manager will only have visibility of portfolios within their own Business Unit if they are the sole owner of that record or where they are a member of the portfolio team/group.
  • A Portfolio Manager will not have visibility of portfolios, programs or projects from other Business Units (unless they have specifically been granted access via the associated portfolio, program or project group/team).

For a breakdown of this role’s access please click here.

Altus - Proposal Manager

Users in the Altus - Proposal Manager role have Read/Write access to all Proposals within their Business Unit.

Note:

  • Proposal Users will not be able to see Proposals that have been created in a different Business Unit unless those items have been specifically shared with them.
  • Proposal Users will not be able to see projects that have been created from a proposal unless they have been specifically granted access to that project through the project group/team.

For a breakdown of this role’s access please click here.

Altus - Idea User

Users in the Altus - Idea User role have Read access to all Challenges and Read/Write access to all Ideas within their Business Unit.

Note:

  • Idea Users will not have visibility of any Ideas or Challenges in different Business Units unless those items have been specifically shared with them.

For a breakdown of this role’s access please click here.

Altus - Challenge User

Users in the Altus - Challenge User role have Read/Write access to all Challenges and Ideas within their Business Unit, as well as Read access to all Strategic Themes in the organisation to associate a Challenge with a Strategic Theme.

Note:

  • Challenge Users will not have visibility of any Ideas or Challenges in different Business Units unless those items have been specifically shared with them.

For a breakdown of this role’s access please click here.

Altus - Strategy Executive

Users in the Altus - Strategy Executive role have Read access to all projects, programs, portfolios, proposals, challenges, and ideas across the entire organisation, as well as Read/Write access to all Strategic Themes, Strategic Goals, and Benefits.

Note:

  • Strategy Executive users have visibility of records across the entire Organisation, and access to all Areas in the Altus app except for Settings.

For a breakdown of this role’s access please click here.

Altus - PMO User

Users in the Altus - PMO User role have Read/Write access to all projects, programs, portfolios, proposals, challenges, ideas, Strategic Themes, Strategic Goals, Benefits, Resources, and Enterprise Calendars across the entire organisation.

Note:

  • PMO Users have Read/Write access to all Altus related records across the entire organisation, and access to all Areas in the Altus app except for Settings.

For a breakdown of this role’s access please click here.

Altus - Resource Manager

Users in the Altus - Resource Manager role have Read/Write access to all Resources, Enterprise Calendars, Resource Demand, and Timesheet Approvals across the entire organisation, as well as Read access to all projects and proposals.

Note:

  • Resource Managers have Read/Write access to all Altus related records in the Altus Resource area of the Altus app.

For a breakdown of this role’s access please click here.

Altus - Timesheet Manager

Users in the Altus - Timesheet Manager role have Read/Write access to Timesheet Approvals.

Users in the Timesheet Manager role will be granted:

  • Read/Write access to Timesheet Approvals.

For a breakdown of this role’s access please click here.

Special cases

Assigned To
In the instance where a user who has a Table record (e.g. a Risk or Action Item) assigned to them (by them being selected in the Assigned To Column) and where that user is not part of the project Team, that individual record will be shared with that User - providing them visibility of the Table record. Note that because only the individual item is shared with the User, that user will not have access to other artifacts associated with the project (including the project itself).

Altus - Resource Organizational Access
The default access level for Security Roles to the Bookable Resource Table is 'Business Unit' level access. This means that for example, an Altus Project User will have visibility of only those Bookable Resources in their own Business Unit. If the preferred behaviour is that an Altus Project User should have visibility of all Bookable Resources across the entire Organization, then the 'Altus - Resource Organizational Access' security role should be given to users in addition to whichever other Altus Roles they require. (Note: if all users are in the root org business unit, then this security role need not be applied as it would provide no change in functionality).

Permissions chart

For a full breakdown of roles and their access please click here.

'Team' Security Roles

There are two additional security roles not mentioned in the documentation above:

  • Altus - Portfolio Manager - Team
  • Altus - Program Manager - Team

These two roles are used internally to represent the additional permissions allocated to a Dynamics Team that is created when a Program or Portfolio is assigned to an M365 group. This ensures that even if someone doesn't usually have access to Programs/Portfolios, if they are allocated as an M365 Group member of a Portfolio/Program they will have the appropriate permissions to collaborate on it.

It is not intended for users to be directly assigned to these security roles.

Business Unit model

In instances where a customer requires complete separation of data, Business Units can be created in Dynamics.

Note

For Dynamics there is always an Org Business Unit which sits at the top of the Business Unit tree. (In an out of the box Dynamics environment, all users are part of that root Org Business Unit).

Each User will need to be assigned to their appropriate Business Unit in Dynamics, as shown in the example below by the coloured icons next to each Business Unit.

Note

A User can only directly be associated to a single Business Unit.

Based on each User's assigned role, different Read/Write access to portfolios, programs and projects within one's Business Unit will be given. Read/Write access, if not part of the base role, can be gained either through ownership or through membership of a Microsoft 365 (M365) Group associated with a portfolio, program or project.

Note

Membership of an M365 Group would allow a User in one Business Unit to have access to, say, a Program in another Business Unit (because they have been explicitly added to that M365 Group).

Example

The image displays the users for Altus - Portfolio Manager Role and how the hierarchy of Altus access works for this role

The chart above indicates an organisation where there are two Business Units, both of which have been configured as children of the root org Business Unit. There are Users (depicted with the coloured icons) which are each associated with a Business Unit and assigned the “Altus - Portfolio Manager” role.

The “Altus - Portfolio Manager” role from Modular Security Model above has:

  • Read access to all programs and projects that are in the User’s Business Unit (Only)
  • Read/Write access to any portfolio, program or project where they are either the Owner, or where they are a member of the M365 Group that is the Owner of that record.

In the example, the Blue, Green and Purple Users are assigned to the IT Business Unit and the Red and Yellow Users are assigned to the HR Business Unit, as indicated by the coloured person icon on the associated Business Unit. These Users have Read access to all portfolios, programs and projects within their Business Unit, as indicated at the top by the vertical box surrounding the Business Unit in its associated colour.

Read/Write access is indicated by a coloured person icon next to a portfolio, program or project and is granted via Ownership within one's Business Unit or by explicit membership of the associated M365 Group.

Note

Once a User has been granted membership in a M365 Group that is an owner of a portfolio, program or project they will have read/write access to that Table record plus the artefacts (e.g. Risks) that are directly associated with that Table record.

In our example, the table below the chart indicates the explicit assignment to M365 Groups per User. For each of these Users we will look at their permissions.

IT Business Unit

  • Blue User (Base Case) is assigned to no M365 Groups, as shown in the table. As a result, this User has Read Only access to programs and projects within the IT Business Unit, because the Blue User is assigned to the IT Business Unit in the chart above.
    • Read access to all “IT Business Unit” programs and projects as assigned to the IT Business Unit
  • Green User (Standard Case) is assigned explicitly to two M365 Groups (IT Portfolio 2 and IT Program 3). As a result, this User has Read/Write access to both, as indicated in the chart with a Green User icon against both groups. Green has Read Only access to all other programs and projects within the IT Business Unit, as Green is also assigned to the IT Business Unit.
    • Read access to all “IT Business Unit” programs and projects as assigned to the IT Business Unit
    • Read/Write access to “IT Portfolio 2 and IT Program 3”
  • Purple User (Special Case) is assigned explicitly to the “HR Portfolio 2” M365 Group in the “HR Business Unit”. This is not standard practice across Business Units; however, it is possible, and it provides Read/Write access explicitly to “HR Portfolio 2” only within the “HR Business Unit”. No other portfolios, programs or projects from the HR Business Unit are accessible. Purple also has Read/Write access to IT Portfolio 2, IT Program 1 and IT Program 2, and Read Only access to all other programs and projects within the IT Business Unit.
    • Read access to all “IT Business Unit” programs and projects
    • Read/Write access to “IT Portfolio 2, IT Program 1, IT Program 2 and HR Portfolio 2”

HR Business Unit

  • Yellow User (Standard Case)
    • Read access to all “HR Business Unit” programs and projects as assigned to the HR Business Unit
    • Read/Write access to “HR Portfolio 2, HR Program 2 and HR Project 2”
  • Red User (Special Case)
    • Read access to all “HR Business Unit” programs and projects
    • Read/Write access to “HR Portfolio 1, HR Program 1, HR Program 3, HR Project 1 and IT Project 2”

Note

Changing the base role from “Altus - Portfolio Manager” would result in different Read/Write permissions.
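The access rules used in the chart, as an added example that is not Altus code: a small Python model of the “Altus - Portfolio Manager” evaluation (Read on programs and projects in the User's own Business Unit; Read/Write where the User owns the record or is a member of the owning M365 Group) that reproduces the per-User permissions listed above. Record names and group membership are constructed from the chart, and each record is assumed to be owned by an M365 Group bearing the record's name (the {displayname} template).

```python
"""Model of the 'Altus - Portfolio Manager' access rules from the Business Unit example.
Constructed data: records and M365 Groups mirror the chart on the page, not a live tenant."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str
    kind: str           # "portfolio", "program" or "project"
    business_unit: str  # owning Business Unit
    owner: str          # M365 Group (or user) that owns the record


@dataclass(frozen=True)
class User:
    name: str
    business_unit: str  # a User belongs to exactly one Business Unit


# Constructed records: "<BU> <kind> <n>", each owned by an M365 Group of the same name.
RECORDS = [
    Record(n, n.split()[1].lower(), n.split()[0], n) for n in [
        "IT Portfolio 2", "IT Program 1", "IT Program 2", "IT Program 3", "IT Project 2",
        "HR Portfolio 1", "HR Portfolio 2", "HR Program 1", "HR Program 2",
        "HR Program 3", "HR Project 1", "HR Project 2",
    ]
]
USERS = {u.name: u for u in [User("Blue", "IT"), User("Green", "IT"), User("Purple", "IT"),
                              User("Yellow", "HR"), User("Red", "HR")]}
# Explicit M365 Group membership per User, as in the table under the chart (constructed).
GROUP_MEMBERS = {
    "IT Portfolio 2": {"Green", "Purple"}, "IT Program 3": {"Green"},
    "IT Program 1": {"Purple"}, "IT Program 2": {"Purple"},
    "HR Portfolio 2": {"Purple", "Yellow"}, "HR Program 2": {"Yellow"},
    "HR Project 2": {"Yellow"}, "HR Portfolio 1": {"Red"}, "HR Program 1": {"Red"},
    "HR Program 3": {"Red"}, "HR Project 1": {"Red"}, "IT Project 2": {"Red"},
}


def access(user: User, record: Record, members=GROUP_MEMBERS):
    """Effective access of a Portfolio Manager to one record: 'read/write', 'read' or None."""
    # Read/Write: the User owns the record or is a member of the owning M365 Group.
    # This works across Business Units (Purple -> HR Portfolio 2, Red -> IT Project 2).
    if record.owner == user.name or user.name in members.get(record.owner, set()):
        return "read/write"
    # Read: programs and projects in the User's own Business Unit only. Portfolios are
    # not visible through the base role; they need ownership or group membership.
    if record.business_unit == user.business_unit and record.kind in ("program", "project"):
        return "read"
    return None


def effective_permissions(user_name: str):
    """Map record name -> access level for every record the User can see at all."""
    user = USERS[user_name]
    return {rec.name: lvl for rec in RECORDS if (lvl := access(user, rec))}


if __name__ == "__main__":
    for name in USERS:
        perms = effective_permissions(name)
        rw = sorted(r for r, a in perms.items() if a == "read/write")
        ro = sorted(r for r, a in perms.items() if a == "read")
        print(f"{name:6} read/write={rw} read={ro}")
```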

Setting up AAD sync

It is possible to set up AAD sync of users from an M365 Group into a Dynamics Team. That Dynamics Team can then be granted Roles that give access to Altus, so that membership of those Roles is determined by membership of the M365 Group.

The steps to set this up are as follows:

  1. Create an M365 Group or identify an existing M365 Group that you wish to use for synchronisation.
  2. Identify the Object Id of this Group (this is visible from within Azure Active Directory).
  3. From the Dynamics Advanced settings portal, select Settings > Security.
  4. Select Teams.
  5. Select All AAD Office Group Teams.
  6. Select + NEW.
  7. Enter the Team Name (as you would like it to appear in Dynamics), select an Administrator, select AAD Office Group as the 'Team Type', and enter the Azure AD Object Id that you identified earlier, then press Save and Close.
  8. Select your newly created Team.
  9. Select MANAGE ROLES.
  10. Select the Role(s) that you would like to automatically grant to members of the identified Microsoft 365 Group, then press OK.

Note that members of the M365 Group will not appear in the list of Team members in the Dynamics Team until the user next logs in to Dynamics/PowerApps. At that time their Role access will be automatically granted.

If an existing User is later removed from the M365 Group their Role access will also be removed.

Dynamics user sync process

When Dynamics Teams are created and linked to AAD Security groups or M365 teams, the membership of the Dynamics Team is not immediately updated. The membership of the Dynamics Team is updated later, when the user next logs in, via a synchronisation process.

This can sometimes be seen when creating a new Project to Group association. The following warning is issued when the Dynamics Team is not yet in sync with the linked M365 group:

This image displays the Dynamics user sync alert message

To resolve this problem, ask the users to log in to the PowerApp, or wait until the Microsoft sync process runs.

Delete Protection

By default, Altus adds additional Delete Protection on the following tables/entities:

  • Project
  • Program
  • Portfolio
  • Bookable Resource

The additional delete protection measures are in place for these items to ensure that they are not deleted accidentally - primarily because deletion is permanent and may impact reporting, timesheets, financials, etc.

When the Delete button is selected for any of those item types, the user is presented with a Delete Protection prompt. To successfully delete the item, the user must enter the name of the item they are deleting (as a measure to ensure that they understand exactly which item is about to be deleted permanently).

This image displays the Delete Protection prompt

By default, Altus restricts deletion of these items to Altus Admin Users. This can, however, be configured per environment using the following Configuration Settings which appear in the Security category.

  • Prevent Project Delete by Non-Admins (preventSenseiProjectDelete)
  • Prevent Program Delete by Non-Admins (preventProgramDelete)
  • Prevent Portfolio Delete by Non-Admins (preventPortfolioDelete)
  • Prevent Bookable Resource Delete by Non-Admins (preventBookableResourceDelete)

Each of these settings is shipped with a value of true. If switched to false, then the Delete button and functionality will appear for any Altus user whose security role(s) provide them with the appropriate permissions to delete that item type.

For example, the Altus - Resource Manager security role provides delete permission for users with that role. If preventBookableResourceDelete is set to true, a user with the Altus - Resource Manager role would not see the Delete button for a Bookable Resource, because the behaviour has been restricted to Altus Admin Users only. With preventBookableResourceDelete set to false, a user with the Altus - Resource Manager role would see and can action the Delete functionality for a Bookable Resource. Users without delete permissions on the Bookable Resource table/entity would still not see the Delete button and cannot perform a delete action.

Group Owner Configuration Settings

Altus provides different Group Owner settings for specific entities:

  • Portfolio Group Owner
  • Program Group Owner
  • Project Group Owner

Each setting includes the following options:

Screenshot of Group Owner Configuration Settings

  • Create Groups: A toggle that allows an organisation to specify whether users can create their own groups or must use pre-existing groups.
  • Group Display Name Template: The default value {displayname} creates the group name to match the entity name (e.g., the project name). These default values can be customised.
  • Group Mail Nickname Template: The default value {displayname} creates the group mail nickname to match the entity name (e.g., the project name). These default values can be customised.
  • Security Role: This field allows the organisation to select which security role has access to these entities. If left blank, Altus defaults will be used:
    • Portfolio Group Owner = Altus - Portfolio User - Team
    • Program Group Owner = Altus - Program Manager - Team
    • Project Group Owner = Altus Project User

Customising Organisation Roles for Group Ownership

To use your organisation's roles instead of the default Altus roles for Group Ownership, follow these steps:

  1. Select the relevant group in the Security Role field within the configuration settings. Refer to the details above.
  2. Enable the Disable Role Propagation configuration setting in Altus by changing the Value to YES.

Screenshot of Disable Role Propagation Setting