MDS 2016 Permissions Setup

Following on from a previous post of how to set up Master Data Services (MDS) with IIS, this post is about setting up permissions in MDS 2016.

In previous releases, you had to choose a Windows account during the installation and configuration of the MDS database. This account would become a system-wide administrator and have access to all models. The problem is that system administrators sometimes chose their own account instead of a service account. If that person leaves the company and the account becomes invalid, it could break the MDS installation. Correcting this was not easy; it required lots of manual changes in the MDS database. In SQL Server 2016, you still have to configure such an account.

However, you can now assign users to a new role called Super User. Users assigned to this role will have administrator access to all models. This allows us to mitigate the problem with the super user assigned during configuration of MDS. Furthermore, it also allows you to create multiple super users, which can be useful when maintenance is done by a team of administrators. You can assign users to this role in the Functions tab in the editing screen of a user in the User and Group Permissions section of MDS.

Aside from the Super User role, some permission sets have been explicitly defined. For example, when a user had update permission on a model in a previous release – and no other permissions in the subtree below the model – the user would become a model administrator. However, if at a later point in time the user was assigned another explicit permission in the model subtree (for example on an entity), the user would lose model administrator permissions. Now you can explicitly assign the model administrator role to a user. Any permissions assigned on a lower level are ignored.

The same is true for entity administrators: you can now assign explicit entity administrator privileges to a user.

To recap, there are three administrator roles:

  • Super User – Access to all models and functional areas.
  • Model Administrator – If the user has access to Explorer, the user can modify all master data. If the user has access to System Administration, the user can perform all administrative tasks on the model.
  • Entity Administrator – If the user has access to Explorer, the user can modify all data of the entity. The user can also approve or reject change sets for the entity.

Note that making a user a Model Administrator on all the models is not the same as having the Super User permissions. A Super User has access to all the functional areas, while a Model Administrator needs explicit access to a functional area. For example, if a Model Administrator doesn’t have access to the System Administration functional area, he/she cannot create new entities.

In previous versions, you could only assign two permissions on a model object: read-only or update. With MDS 2016, you can now assign the following permissions: read, create, update, delete or deny.

If you want to assign a user all permissions (read + create + update + delete) you can choose the shortcut for All permissions. In the tree view, indicators are used to show which permissions a user has for an entity. On the right, you can view a summary of all permissions.

If you assign a user create, update or delete to an entity, the user automatically gets the read permission assigned as well.

Original Article here.

MDS “Service Unavailable” Error

After restarting a server that has MDS on, I could no longer access MDS via the browser. This seemed very strange as I have restarted the server multiple times and it had never done this before.

Turns out the Application Pool had stopped for MDS. So I started it up and then it would stop again, frustrating me further.

Then it occurred to me that it was using my domain details and my password had changed. Then I went into the advanced settings of my MDS Application Pool to update my details under Identity.

And there we go, it works and I can access MDS again via the browser!

Hope this helps someone else with this error.
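The failure described above is what happens when an application pool runs under a personal domain login. As an added example (not part of the original post), this PowerShell lists pools tied to a named account, pulls the WAS events logged for an invalid pool identity, and re-points the pool at a dedicated service account. The pool name is an assumption; use the name shown in IIS Manager.

```powershell
# Added example, not from the original post.
Import-Module WebAdministration

# Assumption: name of the pool hosting MDS; replace with the name in IIS Manager.
$mdsPool = 'MDS Application Pool'

# 1. Pools that run as a named account stop working when that account's
#    password changes or the account is disabled.
Get-ChildItem IIS:\AppPools | ForEach-Object {
    [pscustomobject]@{
        Name         = $_.Name
        State        = $_.State
        IdentityType = $_.processModel.identityType
        UserName     = $_.processModel.userName
    }
} | Where-Object IdentityType -eq 'SpecificUser' | Format-Table -AutoSize

# 2. WAS records an invalid pool identity in the System log
#    (5021: identity invalid, 5057: pool disabled for that reason).
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-WAS'
    Id           = 5021, 5057
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List

# 3. Switch the pool to a dedicated service account so a personal
#    password change can no longer take the site down.
$cred = Get-Credential -Message 'MDS service account (not a personal login)'
Set-ItemProperty "IIS:\AppPools\$mdsPool" -Name processModel -Value @{
    identityType = 3   # 3 = SpecificUser
    userName     = $cred.UserName
    password     = $cred.GetNetworkCredential().Password
}

if ((Get-WebAppPoolState -Name $mdsPool).Value -ne 'Started') {
    Start-WebAppPool -Name $mdsPool
}
```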

MDS Backup Strategies

Recently a colleague and I had a discussion about which method is the best to use for backing up MDS (Master Data Services) for disaster recovery. We came to the conclusion it all depended on the SQL environment version you were recovering to. Below are the 2 different methods for backing up an MDS database.

Model Backup
Pros:

  • Fast to create, can backup specific versions
  • Will always be able to deploy a model to a MDS install
  • Can be automated via SSIS
  • Can be restored to a server version that is +1, 0 and -1

Cons:

  • If you want to save backups of different models, then the models will have to be backed up separately.
  • Security is not retained; it will have to be redone. Can take about 2 minutes per user. On a small model this should not be a problem, however, when scaled out it could be very time consuming.
  • Saving more than one backup of a model would require a script/maintenance task to remove backups older than X amount of time.

When deploying the model, the option DeployClone must be used, not DeployNew. DeployNew will remove the MUID and therefore will not allow any changes to be deployed to that model at a later stage. DeployClone keeps it all intact and will allow for future updates.
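A model backup with the retention clean-up mentioned in the cons can be scripted around MDSModelDeploy. This is an added example, not the author's script; the executable path, model name, version name, backup folder and retention period are all assumptions to adjust.

```powershell
# Added example, not from the original post. All values below are assumptions.
$mdsDeploy = 'C:\Program Files\Microsoft SQL Server\130\Master Data Services\Configuration\MDSModelDeploy.exe'
$model     = 'Customer'       # hypothetical model name
$version   = 'VERSION_1'      # hypothetical version name
$backupDir = 'D:\MDSBackups'  # restrict the folder ACL: packages contain master data
$keepDays  = 30

$stamp   = Get-Date -Format 'yyyyMMdd_HHmmss'
$package = Join-Path $backupDir "${model}_${version}_$stamp.pkg"

# Create a package of one model version, including its data.
& $mdsDeploy createpackage -package $package -model $model -version $version -includedata

# Treat the run as failed unless a non-empty package file was written.
$file = Get-Item $package -ErrorAction SilentlyContinue
if (-not $file -or $file.Length -eq 0) {
    throw "Model backup failed: $package was not created."
}

# Prune old packages only after a successful backup, so a failing job
# never deletes the last good copy.
Get-ChildItem $backupDir -Filter "${model}_*.pkg" |
    Where-Object LastWriteTime -lt (Get-Date).AddDays(-$keepDays) |
    Remove-Item

# Restore on the recovery server with DeployClone (keeps the MUIDs):
#   & $mdsDeploy deployclone -package $package
```

Because the package does not retain security, user and group permissions still have to be reapplied after a restore.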

Database Backup
Pros:

  • Security is retained
  • Simple to set-up and maintain
  • Easy to restore
  • Maintenance tasks to clean up old backups

Cons:

  • Cannot be restored to a server version less than the current version.

The database backup for MDS can be scheduled just like other backups. You can use the maintenance wizard to set up the backup and clean up task on a schedule.

If you know what version the disaster recovery environment will be on, for example the same version as the current MDS server version or higher, then it is simpler to use the Database Backup method. If you are uncertain of what version the disaster recovery environment will be on, then you would want to use the Model Backup method in case you have to restore to a version less than the current MDS server version.

Hope this helps you to choose what is best suited for your environment!

Special thanks to Janlo Du Toit for the discussion on these methods 🙂

Master Data Services (MDS) 2016 Prerequisites for IIS

This is just a high-level overview of the prerequisites that are needed for IIS. You need to have IIS installed on the server you are installing MDS on in order for MDS to work. The easiest way to check if you have all the prerequisites for IIS installed is to open up Master Data Services Configuration Manager.

A warning screen will appear if you do not have all the prerequisites installed for IIS. This warning message will give you a link to check what is needed for IIS.
First you will need to install the Role and Role Services for IIS:
You can use Server Manager, which is available in the Microsoft Management Console (MMC), to install the Web Server (IIS) role, and required role services.

  • Internet Information Services
      • Web Management Tools
          • IIS Management Console
      • World Wide Web Services
          • Application Development
              • .NET Extensibility 3.5
              • .NET Extensibility 4.5
              • ASP.NET 3.5
              • ASP.NET 4.5
              • ISAPI Extensions
              • ISAPI Filters
          • Common HTTP Features
              • Default Document
              • Directory Browsing
              • HTTP Errors
              • Static Content
              • [Note: Do not install WebDAV Publishing]
          • Health and Diagnostics
              • HTTP Logging
              • Request Monitor
          • Performance
              • Static Content Compression
          • Security
              • Request Filtering
              • Windows Authentication


Next you will need to install the features IIS requires in order to run:
You can use the Server Manager to install the below features.

  • .NET Framework 3.5 (includes .NET 2.0 and 3.0)
  • .NET Framework 4.5 Advanced Services
      • ASP.NET 4.5
      • WCF Services
          • HTTP Activation [Note: This is required.]
          • TCP Port Sharing
  • Windows Process Activation Service
      • Process Model
      • .NET Environment
      • Configuration APIs


Once all the prerequisites for IIS are installed you will see a green tick in Master Data Services Configuration Manager.
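The same check can be run from PowerShell. This added example (not from the original post) maps the role services and features listed above to their Windows Server feature names, reports any that are missing, and warns if WebDAV Publishing is installed. It assumes a Windows Server edition where the ServerManager module is available.

```powershell
# Added example, not from the original post.
Import-Module ServerManager

# Role services and features from the lists above, by Windows feature name.
$required = @(
    'Web-Server', 'Web-Mgmt-Console',
    'Web-Net-Ext', 'Web-Net-Ext45', 'Web-Asp-Net', 'Web-Asp-Net45',
    'Web-ISAPI-Ext', 'Web-ISAPI-Filter',
    'Web-Default-Doc', 'Web-Dir-Browsing', 'Web-Http-Errors', 'Web-Static-Content',
    'Web-Http-Logging', 'Web-Request-Monitor',
    'Web-Stat-Compression',
    'Web-Filtering', 'Web-Windows-Auth',
    'NET-Framework-Core', 'NET-Framework-45-ASPNET',
    'NET-WCF-HTTP-Activation45', 'NET-WCF-TCP-PortSharing45',
    'WAS', 'WAS-Process-Model', 'WAS-NET-Environment', 'WAS-Config-APIs'
)

$state   = Get-WindowsFeature -Name ($required + 'Web-DAV-Publishing')
$missing = $state | Where-Object { $_.Name -in $required -and -not $_.Installed }
$webdav  = $state | Where-Object { $_.Name -eq 'Web-DAV-Publishing' -and $_.Installed }

if ($missing) {
    Write-Warning ("Missing prerequisites: " + ($missing.Name -join ', '))
    # To install them (NET-Framework-Core may need -Source pointing at install media):
    #   Install-WindowsFeature -Name $missing.Name
} else {
    Write-Output 'All listed IIS prerequisites are installed.'
}

# The list above says WebDAV Publishing must not be installed.
if ($webdav) {
    Write-Warning 'WebDAV Publishing is installed; remove it with Uninstall-WindowsFeature Web-DAV-Publishing.'
}
```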