I recently had a few customers request a support session to fix timesheets that could not be edited as well as changes to the Home Page and various web parts. The Administrators were not performing the changes. In 2013 for both on premise and Project Online, users can edit the web parts in PWA and this not a permission you can turn off in Server Settings.
One user had added the My Tasks web part to her timesheet page. This modified the timesheet page for everyone. Adding the My Tasks web part also locks the timesheets for editing! Naturally this occurred on a Friday so everyone was trying to save and send their timesheets. Those of you that are familiar with editing pages in PWA are probably thinking no big deal just delete the web part. Well, that’s where things got buggy. Clicking on the drop down arrow in the web part did not open the menu.
So we changed the Compatibility View Settings and added the site. Still could not open the menu. After what seemed to be a million clicks the menu finally opened and we were able to delete the My Tasks web part from the timesheet page. Everyone was now able to edit their timesheet.
Integent strongly recommends enforcing a business rule that only Administrators can modify web parts in PWA.
The only way to prevent scenarios such as this is to modify the site permissions. If you are going to do this Integent recommends you copy an existing group and modify the permissions. Leave the default groups alone!
Select a permission group such as contribute in Permission Levels and scroll down and click Copy Permission Level.
Deselect those permissions you do not wish users to have and click Save.
From Site Settings | Site Permissions click Create Group to create a new SharePoint group and assign it the permission level you just created. Give it a unique name and click Save.
To prevent these permissions from returning to the default when the daily sync occurs you must disable the Enable Project Web App Sync in Server Settings |User Sync Settings.
Test the results in dev before applying to production and remember you now have to manually manage permissions for this new group.