Share via


Leaf Permissions (Master Data Services)

Leaf permissions apply to all leaf members for an entity. This includes the leaf member attributes and any attribute groups that exist.

For entities without explicit hierarchies enabled, assigning permission to Leaf is the same as assigning permission to the entity.

Note

These permissions apply to the Explorer functional area of the user interface only.

Permission

Description

Read-only

Leaf members are displayed but the user cannot add, remove, or change them.

If consolidated members exist, the names and codes are displayed but the user cannot add, remove, or change them.

Update

Leaf members are displayed and the user can add, remove, and change them.

If consolidated members exist, the names and codes are displayed but the user cannot add, remove, or change them.

Deny

Leaf members for the entity are not displayed.

Attribute Group Permissions

Attribute group permissions apply to all attributes in the attribute group, except Name and Code.

Permission

Description

Read-only

The attribute group is displayed and the user cannot update any attributes.

Update

The attribute group is displayed and the user can update all attributes except Name and Code.

Deny

The attribute group (the tab in Explorer) is not displayed.

Attribute Permissions

Attribute permissions apply to the attribute’s values for the specific entity. Users with attribute permissions only cannot add or remove members.

Permission

Description

Read-only

The attribute is displayed but the user cannot change attribute values.

Update

The attribute is displayed and the user can change attribute values.

Deny

The attribute is not displayed.

NoteNote
You cannot explicitly deny access to Name and Code attributes.

Example

For the Product entity, assign Update permission to the Name and Subcategory attributes.

Name (Update)

Code (Read-only)

Subcategory (Update)

Mountain-100

BK-M101

{5} Mountain Bikes

Mountain-100

BK-M201

{5} Mountain Bikes

In Explorer, you can update any attribute value in the Name or Subcategory columns. If you do not have permission to an attribute, the attribute is not displayed.

Note

In this example, Subcategory is a domain-based attribute, based on the SubcategoryList entity. You can select a different subcategory for Mountain-100 but you cannot add members to or delete members from the SubcategoryList entity.

Possible Overlapping Permissions

When assigning permission on attributes and attribute groups, you may have to resolve overlapping permissions.

When an attribute belongs to multiple attribute groups

Two or more attribute groups can contain the same attribute.

  • If one group is assigned Update permission and another is assigned Read-only, the attribute is updateable in both groups (on both tabs).

  • If one group is assigned Update or Read-only permission and another is assigned Deny, the attribute is not displayed on the updateable tab.

When an attribute has different permission than its attribute group

Because an attribute group is made up of attributes, you can assign one permission to the attribute group and a different permission to the attribute.

  • If an attribute from the attribute group is assigned Deny permission, then the attribute is not displayed in the attribute group.

  • If an attribute from the attribute group is assigned Read-only permission, the attribute is Read-only when displayed in the attribute group. If the attribute is assigned Update, the attribute is updateable when displayed in the attribute group.