I have an explicit hierarchy defined and have secured it, via AD Groups, so that users can only see the members under the consolidated members to which they have been granted access to. Additionally I have secured individual attributes on the entities,
some deny so they are not visible, and others read only.
This all appears to work fine but additionally I need to be able to disable the ability to create or delete the entity objects. We do not want them to create the members as we are interfacing all our entity members via SSIS and staging from our source
system, and we do not want users entering and assigning entity members incorrectly.
Right now I have the entity defined as Update for the AD Group and I have the node in the hierarchy set for Update. The other nodes in the hierachry are not set so they are implicitly denied.
I've also tried creating an attribute group and assigning it to the AD group, setting the entity to read only, and setting the consolidated member to read only. While this disables the Add functionality it won't allow any edits.
Has anyone found a combination that allows edits on hierarchy members but restricts the Add and Delete?