none
Upgrading from SQL 2008 R2 to 2012 RTM - Security question

    Dotaz

  • Greetings folks,

    Has anyone had upgraded a 2008 MDS repository to 2012 with Group based security?

    After upgrading one of our 2008 repositories all previously existing attribute groups are not being displayed in explorer or in attribute group maintenance screens, although mdm.tblAttributeGroup is still populated.

    All of our model security was defined at Group level for the entities and attributes. No security was defined at Attribute Group level.

    Any suggestions would be welcomed.

    Thanks

    1. května 2012 7:13

Odpovědi

  • The attribute group security was changed in SQL2012, we no long assign real MDS App security to attribute group, there will only two status for attribute group: visible or invisible.

    The new attribute group visibility status is managed in System Administration->Manage->Attribute Group. You can add user or group to Users or Groups node under each attribute group to make this attribute group become visible to this user or group. Remove user or group will make the attribute group become invisible.

    If you cannot see attribute groups in System Administration->Manage->Attribute Group, most likely you are using an account which does not have model admin privilege. Model admin should be an user/group have upgrade permission on model level, and no other permission exists.

    -Yang


    Yang Wang (Microsoft SQL Server Master Data Services)

    2. května 2012 0:55
  • Thanks Yang,

    You are quite correct. I even read http://social.technet.microsoft.com/wiki/contents/articles/5648.whats-new-in-master-data-services-mds-in-sql-server-2012.aspx and it didn't quite click!

    "Attribute group permissions can no longer be assigned in the User and Group Permissions functional area. Instead, in the System Administration functional area where attribute groups are created, users and groups can be given Update permission to attribute groups. Read-only permission to attribute groups is no longer available."

    What do you mean by model admin and "upgrade" permission? The user I was using had the system administration function and had update permission on the model. That didn't seem to work. The only user which did show all the attribute groups so that you can manage attribute group security was user_id 1 which is repo owner.

    However I wrote a small script to populate attribute group security using udpSecurityPrivilegesSave.

    So all is well. Thanks for your comments.

    2. května 2012 4:56

Všechny reakce

  • The attribute group security was changed in SQL2012, we no long assign real MDS App security to attribute group, there will only two status for attribute group: visible or invisible.

    The new attribute group visibility status is managed in System Administration->Manage->Attribute Group. You can add user or group to Users or Groups node under each attribute group to make this attribute group become visible to this user or group. Remove user or group will make the attribute group become invisible.

    If you cannot see attribute groups in System Administration->Manage->Attribute Group, most likely you are using an account which does not have model admin privilege. Model admin should be an user/group have upgrade permission on model level, and no other permission exists.

    -Yang


    Yang Wang (Microsoft SQL Server Master Data Services)

    2. května 2012 0:55
  • Thanks Yang,

    You are quite correct. I even read http://social.technet.microsoft.com/wiki/contents/articles/5648.whats-new-in-master-data-services-mds-in-sql-server-2012.aspx and it didn't quite click!

    "Attribute group permissions can no longer be assigned in the User and Group Permissions functional area. Instead, in the System Administration functional area where attribute groups are created, users and groups can be given Update permission to attribute groups. Read-only permission to attribute groups is no longer available."

    What do you mean by model admin and "upgrade" permission? The user I was using had the system administration function and had update permission on the model. That didn't seem to work. The only user which did show all the attribute groups so that you can manage attribute group security was user_id 1 which is repo owner.

    However I wrote a small script to populate attribute group security using udpSecurityPrivilegesSave.

    So all is well. Thanks for your comments.

    2. května 2012 4:56
  • Sorry, typo, I meant 'Update'.

    It's good to hear that your problem got resolved. I will try to repro your scenario to see if there is an upgrade bug.

    Thanks,


    Yang Wang (Microsoft SQL Server Master Data Services)

    2. května 2012 18:34