MDS 2016 Permissions Setup

Following on from a previous post of how to set up Master Data Services (MDS) with IIS, this post is about setting up permissions in MDS 2016.

In previous releases, you had to choose a Windows account during the installation and configuration of the MDS database. This account would become a system-wide administrator and have access to all models. The problem is sometimes system administrators chose their own account instead of a service account. If that person leaves the company, it could break the MDS installation if the account becomes invalid. Correcting this was not easy; it requires lots of manual changes in the MDS database. In SQL Server 2016, you still have to configure such an account.

However, you can now assign users to a new role called Super User. Users assigned to this role will have administrator access to all models. This allows is to mitigate the problem with the super user assigned during configuration of MDS. Furthermore, it also allows you to create multiple super users, which can be useful when maintenance is done by a team of administrators. You can assign users to this role in the Functions tab in the editing screen of a user in the User and Group Permissions section of MDS.

Aside from the Super User Role, some permission sets have been explicitly defined. For example, when a user had update permission on a model in a previous release – and no other permissions in the subtree below the model – the user would become a model administrator. However, if at a later point in time the user gets another explicit permission assigned in the model sub tree (for example on an entity), the user would lose model administrator permissions. Now you can explicitly assign the model administrator role to a user. Any permissions assigned on a lower level are ignored.

The same is true for entity administrators: you can now assign explicit entity administrator privileges to a user.

To recap, there are three administrator roles:

  • Super User – Access to all models and functional areas.
  • Model Administrator – If has access to explorer, the user can modify all master data. If access to system administration, the user can perform all administrative tasks on the model.
  • Entity Administrator – If has access to explorer, the user can modify all data of the entity. The user can also approve or reject change sets for the entity.

Note that making a user a Model Administrator on all the models is not the same as having the Super User permissions. A Super User has access to all the functional areas, while a Model Administrator needs explicit access to a functional area. For example, if a Model Administrator doesn’t have access to the System Administration functional area, he/she cannot create new entities.

In previous versions, you could only assign two permissions on a model object: read-only or update. With MDS 2016, you can now assign the following permissions: readcreateupdatedelete or deny.

If you want to assign a user all permissions (read + create + update + delete) you can choose the shortcut for All permissions. In the tree view, indicators are used to show which permissions a user has for an entity. On the right, you can view a summary of all permissions.

If you assign a user create, update or delete to an entity, the user automatically gets the read permission assigned as well.

Original Article here.