Permit user to administrate Model AND have read-only attributes

  • Question

  • This issue concerns SQL Server Master Data Services 2012

    I have a scenario where the same user is handling data and doing version management. Now I want to make one attribute in one specific entity read-only as I want to make sure the attribute is never changed.

    The problem is, as soon as I set the read-only privilege on the attribute, the user loses all administrative rights on the entire model. This, of course, includes version management.

    I've tried working around the issue by making sure the user has explicit update permissions on both the model and the entity (and all attributes except the one I need read-only). But the result is the same. 

    Does anyone know a workaround?

    Friday, April 10, 2015 1:45 PM

Answers

  • Anytime a user gets a non-Update permission below the model level, he loses the Model Admin permission.

    Whether a user is Model Admin is decided based on whether he has Update permission at the model level and no other overwriting non-Update permission below. In your case the read permission on an attribute is taking away the Admin privilege.


    -Nithesh Shetty Software Engineer, C & E -> IMML -> MDS, Microsoft.

    Wednesday, April 15, 2015 12:48 AM
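
    The rule stated in this answer, as an added example that is not part of the original thread and is not MDS code: a small audit over an exported list of permission assignments that reports who keeps Model Admin and which lower-level assignment removes it. The tuple layout, user names and model name are constructed for illustration; only the permission names and object levels come from the thread.

```python
from collections import defaultdict

# Constructed sample export: (user, object level, object name, permission).
# The layout is an assumption, not an MDS table or API.
ASSIGNMENTS = [
    ("alice", "model", "Product", "Update"),
    ("alice", "entity", "Product/Item", "Update"),
    ("alice", "attribute", "Product/Item/Code", "Update"),
    ("alice", "attribute", "Product/Item/Price", "Read-only"),
    ("bob", "model", "Product", "Update"),
    ("carol", "model", "Product", "Read-only"),
    ("dave", "entity", "Product/Item", "Update"),
]


def audit_model_admin(assignments, model):
    """Return {user: (is_admin, reasons)} for one model.

    Rule as described in the thread: a user is Model Admin only with Update
    at the model level and no non-Update assignment on any object below it.
    """
    model_level = {}
    blockers = defaultdict(list)
    users = set()
    for user, level, name, perm in assignments:
        if name != model and not name.startswith(model + "/"):
            continue  # assignment belongs to another model
        users.add(user)
        if level == "model":
            model_level[user] = perm
        elif perm != "Update":
            # Explicit Update grants elsewhere do not cancel this out.
            blockers[user].append(f"{perm} on {level} {name}")

    report = {}
    for user in sorted(users):
        reasons = []
        if model_level.get(user) != "Update":
            reasons.append("no Update at model level")
        reasons.extend(blockers[user])
        report[user] = (not reasons, reasons)
    return report


if __name__ == "__main__":
    for user, (ok, why) in audit_model_admin(ASSIGNMENTS, "Product").items():
        print(user, "Model Admin" if ok else "NOT Model Admin", "; ".join(why))
```

    Running a check like this before changing an attribute to Read-only shows which administrators would lose version management as a side effect.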

All replies

  • Hi,

    Thank you for your question. 

    I am trying to involve someone more familiar with this topic for a further look at this issue. Some delay might be expected from the job transferring. Your patience is greatly appreciated. 

    Thank you for your understanding and support.

    Regards,


    Charlie Liao
    TechNet Community Support

    Monday, April 13, 2015 7:14 AM
  • Hi,

    I think if you explicitly grant the update permissions, it should work, according to the MSDN doc. Could you please check if the user belongs to another hierarchy?

    When a member belongs to multiple hierarchies

    Two or more hierarchies can contain the same member.

    • If one hierarchy node is assigned Update permission and another is assigned Read-only, then the members in the node are Read-only.

    • If one hierarchy node is assigned Update or Read-only permission and another node is assigned Deny, then the members in the node are not displayed.

    Hierarchy Member Permissions (Master Data Services)
    https://technet.microsoft.com/en-us/library/ee633750(v=sql.110).aspx

    Model Object Permissions (Master Data Services)
    https://technet.microsoft.com/en-us/library/ee633764(v=sql.110).aspx

    Regards,

    Doris Ji

    Tuesday, April 14, 2015 7:37 AM
  • Hi Doris and thanks for your reply.

    The issue isn't related to entity members or member security.

    I've tested the issue with the simplest case: one entity with two custom attributes. No actual members in the entity and no hierarchies. 

    The user is given update permission on the model, update permission on the entity and update permission on one of the attributes. On the second attribute, the user is given read-only permission. In both cases the user can no longer perform any administrative task on the model - no version management possible.




    Tuesday, April 14, 2015 1:02 PM
  • Hi Nithesh and thanks for your reply.

    Yeah I figured as much, thank you for confirming my suspicions.

    I can understand the thinking behind it but it brings a certain level of bluntness to the security management of MDS, especially since it affects all administrative tasks on the entire model.

    Do you know (and can you divulge) any upcoming changes or improvements to the MDS security model in a future release? 

    Wednesday, April 15, 2015 8:50 AM
  • Yes. In the upcoming release this is going to change, and there will be a clear and simpler way to assign Model Administrator permission.

    -Nithesh Shetty Software Engineer, C & E -> IMML -> MDS, Microsoft.

    Wednesday, April 15, 2015 6:47 PM