THE SQL Server Blog Spot on the Web


Master Data Services Team

Blog for the Microsoft SQL Server Master Data Services (MDS) team. Blog posts are contributed by various team members.

Enabling Human Workflow – Part 2: Granting permission to your data

(this post was contributed by Brian Barnett, Senior Software Engineer on the MDS Team)

In Part 1 you made the necessary model changes. In this post we will continue with Step 6, making the security changes necessary to meet the requirements of our workflow scenario.

Step 6: Set up the proper security permissions for the groups

Based on our scenario, we want to send out email notifications to several different types of users based on the product line they work with and their responsibility with that product line. The best way to implement this is by creating groups, setting the group permissions, and then assigning users to these groups.

The security model within MDS allows you to create very general to very granular access permissions on groups and users. MDS uses Windows integrated security - local and/or domain principals can be used. Therefore, the creation of users, groups, and user-group assignments is done outside of MDS. This needs to be done in either Active Directory or Server Manager (Configuration | Local Users and Groups). Within MDS, you simply select the local or domain users and groups that you desire to give access.

In our scenario we will only be adding groups, since that is how we are going to be managing permissions. We will be setting up the following groups and permissions. You will need at least one user assigned to each group. Again, this user-group assignment must be done outside of MDS.

The Functions, Models, and Hierarchy Members bullet points below correlate to tabs on the Group security page.

  • Functions – What functional areas of MDS the user is allowed to access.
  • Models - What model metadata the user is allowed to see and maintain.
  • Hierarchy Members - What hierarchy members the user is allowed to see and maintain.

Group Security - Functions

Here are the five groups we will be adding.

MDS Product Administrator

  • Description – Members of this group have full access to all products and have access to all functions.
  • Functions
    • Explorer, Version Management, Integration Management, System Administration, User and Group Permissions
  • Models
    • Model Product – Update
  • Hierarchy Members
    • No explicit permissions given, thus, has full access based on the update permission on the Product model.

MDS Accessories Inventory Dept

  • Description – Members of this group maintain the Inventory information of the Bike Accessories product line.
  • Functions
    • Explorer
  • Models
    • Model Product - Read only
    • Attribute group Product:Product:Leaf:Inventory - Update
  • Hierarchy Members
    • Derived: Product: Category 4{Accessories} - Update

MDS Accessories Dept Mgmt

  • Description – Members of this group manage the Bike Accessories product line.
  • Functions
    • Explorer, Version Management
  • Models
    • Model Product - Update
  • Hierarchy Members
    • Derived: Product: Category 4{Accessories} - Update

MDS Bikes Inventory Dept

  • Description – Members of this group maintain the Inventory information of the Bike product line.
  • Functions
    • Explorer
  • Models
    • Model Product - Read only
    • Attribute group Product:Product:Leaf:Inventory - Update
  • Hierarchy Members
    • Derived: Product: Category 1{Bikes} - Update

MDS Bikes Dept Mgmt

  • Description – Members of this group manage the Bike product line.
  • Functions
    • Explorer, Version Management
  • Models
    • Model Product - Update
  • Hierarchy Members
    • Derived: Product: Category 1{Bikes} - Update

I’ll walk through creating one group here and will leave the rest as an exercise for you. Before you begin, ensure the users and groups exist in Active Directory and/or your local server.

In Master Data Manager, click User and Group Permissions.

  1. On the Users page, from the menu bar click Manage Groups.
  2. Click the Add button.
  3. In the Groups field enter the domain\name of the groups, separated by a semi-colon.
  4. Optionally click the Check names button to verify the names exist.
  5. Click the OK button.
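
An added example, not from the original post: one way to create the five groups outside MDS as local groups, flag any group that still has no member, and print the semicolon-separated list for the Groups field in step 3. It assumes local rather than domain groups and an elevated Windows PowerShell 5.1 or later session with the LocalAccounts cmdlets; domain groups would be created with Active Directory tooling instead.

```powershell
# Added example: the group names are the five defined in this post.
# Assumption: local groups on the MDS server, run from an elevated session.
$groups = @(
    'MDS Product Administrator',
    'MDS Accessories Inventory Dept',
    'MDS Accessories Dept Mgmt',
    'MDS Bikes Inventory Dept',
    'MDS Bikes Dept Mgmt'
)

# Create each group only if it does not already exist, so the script is re-runnable.
foreach ($name in $groups) {
    if (-not (Get-LocalGroup -Name $name -ErrorAction SilentlyContinue)) {
        New-LocalGroup -Name $name | Out-Null
    }
}

# The post requires at least one user per group; collect any group that is still empty.
$empty = foreach ($name in $groups) {
    if (-not (Get-LocalGroupMember -Name $name)) { $name }
}
if ($empty) {
    Write-Warning ('Groups with no members: ' + ($empty -join ', '))
}

# The administrator group is granted every MDS function, so list its members for review.
Get-LocalGroupMember -Name 'MDS Product Administrator' |
    Select-Object Name, ObjectClass, PrincipalSource

# Build the domain\name list for the Groups field; for local groups the
# "domain" part is the computer name.
($groups | ForEach-Object { "$env:COMPUTERNAME\$_" }) -join ';'
```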

Now that the groups have been added to MDS, let’s walk through setting permissions for the MDS Bikes Inventory Dept group.

  1. On the Groups page, click the context menu button (down arrow) next to the MDS Bikes Inventory Dept group and select Edit | Functions.
  2. Click the Edit button.
  3. Move Explorer from the Available functions list to the Assigned functions list.
  4. Click the Save and continue button.
  5. On the Model Permissions page, click the Edit button.
  6. Right-click on the Product model node and select Read-only from the context menu.
  7. Now we need to expand a few levels down to set permissions on the Inventory attribute group.
  8. Expand the Product model node as follows: Product –> Entities –> Product –> Leaf –> Attribute groups.
  9. Click on the Inventory attribute group node and select Update from the context menu.
  10. Click the Save and continue button.
  11. On the Hierarchy Member Permissions page, in the Hierarchy list, select Derived: Category.
  12. Click the Edit button.
  13. Expand the hierarchy as follows: Root –> 2{Retail}.
  14. Click on the 1{Bikes} node and select Update from the context menu.
  15. Click the Save button.

Below are what the Models and Hierarchy Members tabs should look like for the MDS Bikes Inventory Dept group.

Group Security - Models

Group Security - Hierarchy Members

Follow similar steps as above to set permissions for the other groups.

In Part 3 we will configure MDS to send out email notifications.

*Update - This post references some features that are forthcoming in the future release of MDS and not available in the CTPs.  It gives you an early look at what is coming to help plan for workflow scenarios such as this.

Published Tuesday, February 16, 2010 8:09 AM by mattande

Comments

 


Bidhya Shrestha said:

Is there a way to update the Model/Entity permission (Update to Read-only) using a script instead of the web UI?

December 2, 2013 1:00 PM
 

Abhik Dalal said:

If a new model is added to MDS, will an individual user with Explorer functionality see the new model or not?

If not, how can we achieve it?

February 4, 2014 3:54 AM