Security (Master Data Services)
Applies To: SQL Server 2016 Preview
In Master Data Services, use security to ensure that users have access to the specific master data necessary to do their jobs, and to prevent them from accessing data that should not be available to them.
You can also use security to make someone an administrator of a specific model and functional area (for example, to allow someone to create versions of the Customer model or to give someone the ability to set security permissions).
Master Data Services security is based on local or Active Directory domain users and groups. MDS security allows you to use a granular level of detail when determining the data a user can access. Because of the granularity, security can easily become complicated and you should use caution when using overlapping users and groups. For more information, see Overlapping User and Group Permissions (Master Data Services).
You can assign security access in the User and Group Permissions functional area of the Master Data Services web application or by using the web service.
There are two types of users in Master Data Services:
Those who access data in the Explorer functional area.
Those who have the ability to perform administrative tasks in areas other than Explorer. These users are called Administrators (Master Data Services).
To give a user or group permission to access data or functionality in MDS, you must assign:
Functional area access, which determines which of the five functional areas of the user interface a user can access.
Model object permissions, which determine the attributes a user can access, and the type of access (Read, Create, and Update) that the user has to those attributes. The user can also assign Admin permissions at the Model level.
Optionally, hierarchy member permissions, which determine the members a user can access, and the type of access (Read, Update, and Delete) the user has to those members.
When you assign permissions to attributes and members, the permissions intersect and rules determine which permission takes precedence. For more information, see How Permissions Are Determined (Master Data Services).
Security set in the Master Data Services web application is also applied to the Add-in for Excel. Users can view and work only with data they have permission to access. Administrators can perform administrative tasks.
The only caveat is that security assigned in Master Data Services does not take effect in Excel until a 20-minute interval passes. The interval is defined by the MdsMaximumUserInformationCacheInterval setting in the web.config file. To change the interval, change the setting and restart IIS.
Create a user who has full permission to a model.
Add an Active Directory group to Master Data Services; this is the first step in giving a group permission to access data in the Master Data Services web application.
Assign permission to a functional area of the Master Data Services web application.
Assign permission to attribute values by assigning permission to model objects.
Assign permission to member values by assigning permission to hierarchy nodes.