MDS 2017 derived hierarchy permission issue

bvuHH 41 Reputation points


for my MDS model I've setup User Group permission for derived hierarchy members.
The type of groups are Active directory groups.

This works fine for members of that active directory group
when browsing the entity using the MDS Excel plugin.

But when one particular member of the AD group attemps to browse the entity, he didnot see any data.

Excel did not prompt any error messages but display just the empty table.

So far I've checked that there are no overlapping permissions in this model.

I also used SQL Server profiler to see the statements fired against the MDSDB,
i.e. exec mdm.udpUserLoginByIdentifier where @Tablet = is set to that particular windows user login.

Any idea what might cause this issue?

Thanks in advance

SQL Server
SQL Server
A family of Microsoft relational database management and analysis systems for e-commerce, line-of-business, and data warehousing solutions.
10,895 questions
0 comments No comments
{count} votes

Accepted answer
  1. AmeliaGu-MSFT 13,926 Reputation points Microsoft Vendor

    Hi @bvuHH ,
    Could you please check if there are any overlapping member permissions?
    Please ensure enough time has passed for the permissions to be applied. To immediately apply hierarchy member permissions, you can execute the mdm.udpSecurityMemberProcessRebuildModel stored procedure in the Master Data Services database. Please refer to this doc which might help.
    Best Regards,

    If the answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments

1 additional answer

Sort by: Most helpful
  1. bvuHH 41 Reputation points

    Hi AmeliaGu-msft,

    I checked for overlapping member permissions and found that a explicit deny permission exists for that user account.
    In this case the user is member of an AD group but also exists as a single user in MDS User- and Group permission.

    After removing the deny permission it works fine now.
    Thanks again

    0 comments No comments