Hello All -- I am wondering if there is an Out Of The Box method to allow project_manager/it_project_manager role/access to a specific sub set of users ONLY when their project is a member of a certain portfolio, otherwise they only receive project_user access??

We have a specific project portfolio set up for a specific group, where these itil users (who normally would be project_users in addition to itil) can manage their own projects and utilize the capabilities of service now (project planning console to create tasks and dependencies, etc)...but we find that granting the project_manager/it_project_manager role/access gives access as a project_manager to ALL portfolios, without any additional configuration...as well as some undesired access to ideation, demand management, etc.

We would like to provision the ability to manage projects in a specific portfolio, but not provision any additional access beyond that - unable to progress ideas to demands and create projects that way, etc...as well as unable to manage projects (create tasks/dependencies/etc) which are not a part of the specific portfolio which has been set up, as per the previous paragraph.

Unfortunately, we have an instance which was from Istanbul and has been upgraded to Quebec and our PPM/ITBM implementation has been "custom/non-standard"...so we are potentially dealing with some unknown factors causing the symptoms that we are experiencing, influencing my solution already -- so I apologize if this is confusing.

One idea I have had to solve this, not knowing much about PPM/ITBM implementations, was to customize manually for when the portfolio is appropriate, have an ACL(s) give access to "project_user", wherever "project_manager" exists...but I'm very nervous about ACL customizations, as we have little governance in place right now and high demand for customizations...and that can be a recipe for disaster. I prefer OOTB methods and am very green to PPM beyond a basic understanding of what Idea Management, Demand Management, Project Management are and how they intersect with more "traditional" ITSM/ITIL principals like Service Catalog (Request Fulfillment), Incident Management and Change Management.

Right now, there is no need/requirement for Project Users to only have the ability to manage their own projects...just that they can manage projects which are in a specific portfolio. Making sure these users are "hands off" projects that they don't manage, is of secondary concern here...we are only concerned with them being able to use the "basic features" of ppm (creating tasks/projects/dependencies/editing dates/etc), which are not "normally available" to Project Users in any other portfolio -- where they would simply be assigned tasks for completion and not be responsible or able to modify project details like dependencies or dates.