First published on MSDN on Feb 16, 2010
(this post was contributed by Brian Barnett, Senior Software Engineer on the MDS Team)
In Part 1 you made the necessary model changes. In this post we will make the security changes necessary to meet the requirements of our workflow scenario.
Step 6: Set up the proper security permissions for the groups
Based on our scenario, we want to send out email notifications to several different types of users based on the product line they work with and their responsibility with that product line. The best way to implement this is by creating groups, setting the group permissions, and then assigning users to these groups.
The security model within MDS allows you to create anything from very general to very granular access permissions on groups and users. MDS uses Windows integrated security - local and/or domain principals can be used. Therefore, the creation of users, groups, and user-group assignments is done outside of MDS. This needs to be done in either Active Directory or Server Manager (Configuration | Local Users and Groups). Within MDS, you simply select the local or domain users and groups to which you want to give access.
In our scenario we will only be adding groups, since that is how we are going to be managing permissions. We will be setting up the following groups and permissions. You will need at least one user assigned to each group. Again, this user-group assignment must be done outside of MDS.
The Functions, Models, and Hierarchy Members bullet points below correlate to tabs on the Group security page.
- Functions – What functional areas of MDS the user is allowed to access.
- Models – What model metadata the user is allowed to see and maintain.
- Hierarchy Members – What hierarchy members the user is allowed to see and maintain.
Here are the five groups we will be adding.
MDS Product Administrator
- Description – Members of this group have full access to all products and have access to all functions.
- Functions
  - Explorer, Version Management, Integration Management, System Administration, User and Group Permissions
- Models
- Hierarchy Members
  - No explicit permissions given; thus, the group has full access based on the update permission on the Product model.
MDS Accessories Inventory Dept
- Description – Members of this group maintain the Inventory information of the Bike Accessories product line.
- Functions
- Models
  - Model Product - Read only
  - Attribute group Product:Product:Leaf:Inventory - Update
- Hierarchy Members
  - Derived: Product: Category 4{Accessories} - Update
MDS Accessories Dept Mgmt
- Description – Members of this group manage the Bike Accessories product line.
- Functions
  - Explorer, Version Management
- Models
- Hierarchy Members
  - Derived: Product: Category 4{Accessories} - Update
MDS Bikes Inventory Dept
- Description – Members of this group maintain the Inventory information of the Bike product line.
- Functions
- Models
  - Model Product - Read only
  - Attribute group Product:Product:Leaf:Inventory - Update
- Hierarchy Members
  - Derived: Product: Category 1{Bikes} - Update
MDS Bikes Dept Mgmt
- Description – Members of this group manage the Bike product line.
- Functions
  - Explorer, Version Management
- Models
- Hierarchy Members
  - Derived: Product: Category 1{Bikes} - Update
I’ll walk through creating one group here and will leave the rest as an exercise for you. Before you begin, ensure the users and groups exist in Active Directory and/or your local server.
- In Master Data Manager, click User and Group Permissions.
- On the Users page, from the menu bar click Manage Groups.
- Click the Add button.
- In the Groups field enter the domain\name of the groups, separated by a semi-colon.
- Optionally click the Check names button to verify the names exist.
- Click the OK button.
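The prerequisite stated above (the groups must exist outside MDS, each with at least one user) can be checked before opening the Add dialog. This script is an added example, not part of the original post; it assumes local rather than domain groups, Windows PowerShell 5.1 or later with the LocalAccounts module, and an elevated session on the MDS server.

```powershell
# Added example: verifies (and optionally creates) the five local groups from
# the scenario, then prints the string to paste into the MDS Groups field.
# Assumption: local groups on the MDS server; run from an elevated prompt.
$Create = $false   # set to $true to create any group that is missing

$groups = @(
    'MDS Product Administrator',
    'MDS Accessories Inventory Dept',
    'MDS Accessories Dept Mgmt',
    'MDS Bikes Inventory Dept',
    'MDS Bikes Dept Mgmt'
)

$report = foreach ($name in $groups) {
    $group = Get-LocalGroup -Name $name -ErrorAction SilentlyContinue
    if (-not $group -and $Create) {
        # New-LocalGroup limits -Description to 48 characters.
        $group = New-LocalGroup -Name $name -Description 'MDS workflow scenario group'
    }

    $members = @()
    if ($group) {
        $members = @(Get-LocalGroupMember -Group $name |
                     Select-Object -ExpandProperty Name)
    }

    [pscustomobject]@{
        Group   = $name
        Exists  = [bool]$group
        Members = $members -join ', '
        # The scenario needs at least one user in every group.
        Ready   = [bool]$group -and ($members.Count -gt 0)
    }
}
$report | Format-Table -AutoSize

$notReady = @($report | Where-Object { -not $_.Ready })
if ($notReady.Count -gt 0) {
    Write-Warning ('Missing or empty groups: ' + ($notReady.Group -join '; '))
} else {
    # Semicolon-separated domain\name list for the Groups field.
    ($groups | ForEach-Object { "$env:COMPUTERNAME\$_" }) -join ';'
}
```

The script creates groups only; user-group assignments are left to you so that membership of MDS Product Administrator stays a deliberate decision.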
Now that the groups have been added to MDS, let’s walk through setting permissions for one of them.
- On the Groups page, click the context menu button (down arrow) next to the MDS Bikes Inventory Dept group and select Edit | Functions.
- Click the Edit button.
- Move Explorer from the Available functions list to the Assigned functions list.
- Click the Save and continue button.
- On the Model Permissions page, click the Edit button.
- Right-click on the Product model node and select Read-only from the context menu.
- Now we need to expand a few levels down to set permissions on the Inventory attribute group.
- Expand the Product model node as follows: Product –> Entities –> Product –> Leaf –> Attribute groups.
- Click on the Inventory attribute group node and select Update from the context menu.
- Click the Save and continue button.
- On the Hierarchy Member Permissions page, in the Hierarchy list, select Derived: Category.
- Click the Edit button.
- Expand the hierarchy as follows: Root –> 2{Retail}.
- Click on the 1{Bikes} node and select Update from the context menu.
- Click the Save button.
Below is what the Models and Hierarchy Members tabs should look like.
Follow similar steps as above to set permissions for the other groups.
In Part 3 we will configure MDS to send out email notifications.