MDS 2017 derived hierarchy permission issue

bvuHH 41 Reputation points
2020-12-11T16:50:26.63+00:00

Hello,

for my MDS model I've set up User Group permission for derived hierarchy members.
The type of groups are Active Directory groups.

This works fine for members of that active directory group
when browsing the entity using the MDS Excel plugin.

But when one particular member of the AD group attempts to browse the entity, he did not see any data.

Excel did not prompt any error messages but displayed just the empty table.

So far I've checked that there are no overlapping permissions in this model.

I also used SQL Server Profiler to see the statements fired against the MDSDB,
i.e. exec mdm.udpUserLoginByIdentifier where @Tablet = is set to that particular Windows user login.

Any idea what might cause this issue?

Thanks in advance
Bodo


Accepted answer
  1. AmeliaGu-MSFT 13,961 Reputation points Microsoft Vendor
    2020-12-14T09:41:39.32+00:00

    Hi @bvuHH ,
    Could you please check if there are any overlapping member permissions?
    Please ensure enough time has passed for the permissions to be applied. To immediately apply hierarchy member permissions, you can execute the mdm.udpSecurityMemberProcessRebuildModel stored procedure in the Master Data Services database. Please refer to this doc which might help.
    Best Regards,
    Amelia

1 additional answer

  1. bvuHH 41 Reputation points
    2020-12-23T12:45:00.307+00:00

    Hi AmeliaGu-msft,

    I checked for overlapping member permissions and found that an explicit deny permission exists for that user account.
    In this case the user is a member of an AD group but also exists as a single user in MDS User- and Group permission.

    After removing the deny permission it works fine now.
    Thanks again
    Bodo