Enabling Human Workflow – Part 2: Granting permission to your data
Published Mar 25 2019 02:33 PM
First published on MSDN on Feb 16, 2010

(this post was contributed by Brian Barnett, Senior Software Engineer on the MDS Team)

In Part 1 you made the necessary model changes. In this post we will make the security changes necessary to meet the requirements of our workflow scenario.

Step 6: Set up the proper security permissions for the groups

Based on our scenario, we want to send out email notifications to several different types of users based on the product line they work with and their responsibility with that product line. The best way to implement this is by creating groups, setting the group permissions, and then assigning users to these groups.

The security model within MDS lets you define access permissions for groups and users that range from very general to very granular. MDS uses Windows integrated security, so local and/or domain principals can be used. The creation of users, groups, and user-group assignments is therefore done outside of MDS, in either Active Directory or Server Manager (Configuration | Local Users and Groups). Within MDS, you simply select the local or domain users and groups to which you want to grant access.

In our scenario we will only be adding groups, since that is how we are going to be managing permissions. We will be setting up the following groups and permissions. You will need at least one user assigned to each group. Again, this user-group assignment must be done outside of MDS.

The Functions, Models, and Hierarchy Members bullet points below correlate to tabs on the Group security page.

  • Functions – What functional areas of MDS the user is allowed to access.
  • Models - What model metadata the user is allowed to see and maintain.
  • Hierarchy Members - What hierarchy members the user is allowed to see and maintain.

Here are the five groups we will be adding.

MDS Product Administrator
  • Description – Members of this group have full access to all products and have access to all functions.
  • Functions
    • Explorer, Version Management, Integration Management, System Administration, User and Group Permissions
  • Models
    • Model Product – Update
  • Hierarchy Members
    • No explicit permissions given; the group therefore has full access based on the Update permission on the Product model.
MDS Accessories Inventory Dept
  • Description – Members of this group maintain the Inventory information of the Bike Accessories product line.
  • Functions
    • Explorer
  • Models
    • Model Product - Read only
    • Attribute group Product:Product:Leaf:Inventory - Update
  • Hierarchy Members
    • Derived: Product: Category 4{Accessories} - Update
MDS Accessories Dept Mgmt
  • Description – Members of this group manage the Bike Accessories product line.
  • Functions
    • Explorer, Version Management
  • Models
    • Model Product - Update
  • Hierarchy Members
    • Derived: Product: Category 4{Accessories} - Update
MDS Bikes Inventory Dept
  • Description – Members of this group maintain the Inventory information of the Bike product line.
  • Functions
    • Explorer
  • Models
    • Model Product - Read only
    • Attribute group Product:Product:Leaf:Inventory - Update
  • Hierarchy Members
    • Derived: Product: Category 1{Bikes} - Update
MDS Bikes Dept Mgmt
  • Description – Members of this group manage the Bike product line.
  • Functions
    • Explorer, Version Management
  • Models
    • Model Product - Update
  • Hierarchy Members
    • Derived: Product: Category 1{Bikes} - Update

I’ll walk through creating one group here and will leave the rest as an exercise for you. Before you begin, ensure the users and groups exist in Active Directory and/or your local server.
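A pre-flight check for the prerequisite above, as an added example that is not part of the original post: it verifies that each of the five groups exists with at least one member, lists who would inherit the group's permissions, and prints the semicolon-separated string for the Groups field used in the steps that follow. It assumes the groups are local groups on the MDS server and that the LocalAccounts cmdlets of Windows PowerShell 5.1 or later are available; the `-CreateMissing` switch is this script's own parameter.

```powershell
# Added example: pre-flight check for the five groups used in this post.
# Assumption: LOCAL groups on the MDS server, checked with the
# Microsoft.PowerShell.LocalAccounts cmdlets (Windows PowerShell 5.1+).
# Run elevated when using -CreateMissing.
param(
    [switch]$CreateMissing   # create missing groups (they start empty)
)

$groups = @(
    'MDS Product Administrator',
    'MDS Accessories Inventory Dept',
    'MDS Accessories Dept Mgmt',
    'MDS Bikes Inventory Dept',
    'MDS Bikes Dept Mgmt'
)

$report = foreach ($name in $groups) {
    $group = Get-LocalGroup -Name $name -ErrorAction SilentlyContinue
    if (-not $group -and $CreateMissing) {
        $group = New-LocalGroup -Name $name -Description 'MDS workflow group'
    }
    $members = @()
    if ($group) {
        $members = @(Get-LocalGroupMember -Group $name -ErrorAction SilentlyContinue)
    }
    [pscustomobject]@{
        Group   = $name
        Exists  = [bool]$group
        Members = $members.Count
        # Each group needs at least one user before it is useful in MDS
        Ready   = ([bool]$group) -and ($members.Count -ge 1)
        # Review this list: every member inherits the group's MDS permissions
        Who     = ($members.Name -join ', ')
    }
}

$report | Format-Table -AutoSize

$notReady = @($report | Where-Object { -not $_.Ready })
if ($notReady.Count -gt 0) {
    Write-Warning ('Not ready: ' + ($notReady.Group -join '; '))
} else {
    # Value for the Groups field on the Manage Groups page
    ($groups | ForEach-Object { "$env:COMPUTERNAME\$_" }) -join ';'
}
```

For domain groups, the same check would be made against Active Directory instead, with the domain name in place of the computer name.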

In Master Data Manager, click User and Group Permissions.

  1. On the Users page, from the menu bar click Manage Groups.
  2. Click the Add button.
  3. In the Groups field enter the domain\name of the groups, separated by a semi-colon.
  4. Optionally click the Check names button to verify the names exist.
  5. Click the OK button.

Now that the groups have been added to MDS, let’s walk through setting permissions for one of them.

  1. On the Groups page, click the context menu button (down arrow) next to the MDS Bikes Inventory Dept group and select Edit | Functions.
  2. Click the Edit button.
  3. Move Explorer from the Available functions list to the Assigned functions list.
  4. Click the Save and continue button.
  5. On the Model Permissions page, click the Edit button.
  6. Right-click on the Product model node and select Read-only from the context menu.
  7. Now we need to expand a few levels down to set permissions on the Inventory attribute group.
  8. Expand the Product model node as follows: Product –> Entities –> Product –> Leaf –> Attribute groups.
  9. Click on the Inventory attribute group node and select Update from the context menu.
  10. Click the Save and continue button.
  11. On the Hierarchy Member Permissions page, in the Hierarchy list, select Derived: Category.
  12. Click the Edit button.
  13. Expand the hierarchy as follows: Root –> 2{Retail}.
  14. Click on the 1{Bikes} node and select Update from the context menu.
  15. Click the Save button.

Below are what the Models and Hierarchy Members tabs should look like.

Follow similar steps as above to set permissions for the other groups.

In Part 3 we will configure MDS to send out email notifications.

