locked
How to make a member in an Entity non editable ? RRS feed

  • Question

  • I have an Entity by name persons.  There are attributes like name, country , manager etc. There are few people who have edit access on this entity. I want these people to have access to edit all records except for the CEO record. I know the Code for the CEO record. I want to restrict Editing on the record have the CODE= CEO's ID. 

    I do not want to apply any business rule. Because , it the business rules are validated only after the update is made and saved. When the user clicks on Edit Member, nothing should happen/an alert message would be nice/the edit member page should open but all fields must be grayed out.

    Please let me know if there is such feasibility. Thanks in Advance!

    Tuesday, March 8, 2016 4:21 PM

Answers

  • In the MDS, you can use Derived Hierarchy and hierarchy security to control row level security.

    1. Create a hierarchy only contains the Entity, for example Employee. So the hierarchy view has two level, Root and Employee

    https://msdn.microsoft.com/en-us/library/ee633747.aspx

    2. Then use hierarchy member permissions

    A. Give user update permission on the entity, as you already did.

    B. Go to Hierarchy member permissions, choose the new hierarchy you created in 1, give user update permission on Root.

    C. Give user readonly permission on the CEO node.

    https://msdn.microsoft.com/en-us/library/ee633750.aspx

    Tuesday, March 8, 2016 7:24 PM

All replies

  • In the MDS, you can use Derived Hierarchy and hierarchy security to control row level security.

    1. Create a hierarchy only contains the Entity, for example Employee. So the hierarchy view has two level, Root and Employee

    https://msdn.microsoft.com/en-us/library/ee633747.aspx

    2. Then use hierarchy member permissions

    A. Give user update permission on the entity, as you already did.

    B. Go to Hierarchy member permissions, choose the new hierarchy you created in 1, give user update permission on Root.

    C. Give user readonly permission on the CEO node.

    https://msdn.microsoft.com/en-us/library/ee633750.aspx

    Tuesday, March 8, 2016 7:24 PM
  • Thanks Vincent. I have created the new hierarchy. My entity for employees is Persons. So i have added it. In preview i see the root and all the employees as children.

    I now went into user groups and permissions page, and selected the user i want to modify access. I moved to hierarchy member permissions page, selected the newly created hierarchy. I clicked edit, and right click on root and gave update permission on root. For C step, i dont actually see the CEO record , it shows only as more. So i am unable to give read only access on the CEO node. See below screenshot.

    Please suggest if i am missing something.

    Also in the persons entity, currently only some attributes have update access, some attributes are read only. I believe doing this does not give update access to all attributes for people other than CEO.

    Wednesday, March 9, 2016 9:17 PM
  • Hi Vincent , can you please see the screenshots and suggest, if im missing somthing.
    Tuesday, March 22, 2016 8:10 PM
  • I am able to repro this issue in SQL 2014 and I also checked it has been fixed in SQL 2016.

    If it is possible, can you try SQL 2016?

    If you want to stick with SQL 2014 or SQL 2012, then you need try Domain based attribute approach.

    1. Create a new entity called EmployeeType, Add two rows, CEO and Employee.

    2. Create a domain based attribute named Type on entity Employee.

    3. Update all employee rows Type to Employee to Employee, except CEO row to CEO.

    4. Create a Derived Hierarchy root is EmployeeType, next level is Employee.

    5. In the hierarchy member security page, give ReadOnly permission on CEO node for everyone except CEO.

    Wednesday, March 23, 2016 7:07 PM