| title | description | author | ms.author | ms.date | ms.service | ms.subservice | ms.topic |
|---|---|---|---|---|---|---|---|
Security |
Learn about security in Master Data Services, including types of users, how to set security, security in the add-in for Excel, and related tasks. |
CordeliaGrey |
jiwang6 |
03/01/2017 |
sql |
master-data-services |
conceptual |
[!INCLUDE SQL Server - Windows only ASDBMI]
In [!INCLUDEssMDSshort], use security to ensure that users have access to the specific master data necessary to do their jobs, and to prevent them from accessing data that should not be available to them.
You can also use security to make someone an administrator of a specific model and functional area (for example, to allow someone to create versions of the Customer model or to give someone the ability to set security permissions).
[!INCLUDEssMDSshort] security is based on local or Active Directory domain users and groups. MDS security allows you to use a granular level of detail when determining the data a user can access. Because of the granularity, security can easily become complicated and you should use caution when using overlapping users and groups. For more information, see Overlapping User and Group Permissions (Master Data Services).
You can assign security access in the User and Group Permissions functional area of the [!INCLUDEssMDSmdm] web application or by using the web service.
There are two types of users in [!INCLUDEssMDSshort]:
-
Those who access data in the Explorer functional area.
-
Those who have the ability to perform administrative tasks in areas other than Explorer. These users are called Administrators (Master Data Services).
To give a user or group permission to access data or functionality in MDS, you must assign:
-
Functional area access, which determines which of the five functional areas of the user interface a user can access.
-
Model object permissions, which determine the attributes a user can access, and the type of access (Read, Create, and Update) that the user has to those attributes. The user can also assign Admin permissions at the Model level.
-
Optionally, hierarchy member permissions, which determine the members a user can access, and the type of access (Read, Update, and Delete) the user has to those members.
When you assign permissions to attributes and members, the permissions intersect and rules determine which permission takes precedence. For more information, see How Permissions Are Determined (Master Data Services).
Security set in the [!INCLUDEssMDSmdm] web application is also applied to the [!INCLUDEssMDSXLS]. Users are only able to view and work with data they have permission to. Administrators can perform administrative tasks.
The only caveat is that all security assigned in [!INCLUDEssMDSmdm] does not take effect in Excel until a 20 minute interval passes. The interval is defined by the MdsMaximumUserInformationCacheInterval setting in the web.config file. To change the interval, you can change the setting and restart IIS.
| Task Description | Topic |
|---|---|
| Create a user who has full permission to a model. | Create a Model Administrator (Master Data Services) |
| Add an Active Directory group to [!INCLUDEssMDSshort]; this is the first step in giving a group permission to access data in the [!INCLUDEssMDSshort] web application. | Add a Group (Master Data Services) |
| Assign permission to a functional area of the [!INCLUDEssMDSshort] web application. | Assign Functional Area Permissions (Master Data Services) |
| Assign permission to attribute values by assigning permission to model objects. | Assign Model Object Permissions (Master Data Services) |
| Assign permission to member values by assigning permission to hierarchy nodes. | Assign Hierarchy Member Permissions (Master Data Services) |
Administrators (Master Data Services)
Users and Groups (Master Data Services)
Functional Area Permissions (Master Data Services)
Model Object Permissions (Master Data Services)
Hierarchy Member Permissions (Master Data Services)
How Permissions Are Determined (Master Data Services)