Was this page helpful?
Your feedback about this content is important. Let us know what you think.
Additional feedback?
1500 characters remaining
Export (0) Print
Expand All

Overlapping Model and Member Permissions (Master Data Services)

 

Applies To: SQL Server 2016 Preview

Permission assigned to a member can overlap with permission assigned to a model object. When overlaps occur, the more restrictive permission takes effect.

If a member has permission that is different than its corresponding model object, the following rules apply:

  • Deny overrides all other permissions.

  • Admin permission on the Model level overrides all other permissions and is changed to All (CRUD) access permission on sub levels.

  • Effective access permission intersects permissions for members and attributes.

    For example, if member permissions include Create and Update, the permission for attributes is Update. The effective permission is Update.

The following image shows which permissions take effect on an individual attribute value when attribute permissions are different than member permissions.

mds_conc_security_member_overlap_table

mds_conc_overlap_model_1

On the Models tab, the Product entity has Update permission assigned. All attributes in the entity inherit that permission.

On the Hierarchy Members tab, the Mountain Bikes subcategory node in a derived hierarchy has Update permission assigned.

Result: In Explorer, the user has Update permission to all attribute values for all members in the Mountain Bikes node. All other members and attributes are hidden.

mds_conc_overlap_model_example_1

mds_conc_overlap_model_2

On the Models tab, the Subcategory attribute has Update permission assigned.

On the Hierarchy Members tab, the Mountain Bikes subcategory node in a derived hierarchy is explicitly assigned Read permission.

Result: In Explorer, the user has Read permission to the Subcategory attribute values for the members in the Mountain Bikes node. All other members and attributes are hidden.

mds_conc_overlap_model_example_2

mds_conc_overlap_model_3

On the Models tab, the Subcategory attribute has Read permission assigned.

On the Hierarchy Members tab, the Mountain Bikes subcategory in a derived hierarchy is explicitly assigned Update permission.

Result: In Explorer, the user has Read permission to the attribute values. All other members and attributes are hidden.

mds_conc_overlap_model_example_2

Community Additions

ADD
Show:
© 2015 Microsoft