Security (Master Data Services)

Applies to: SQL Server - Windows only; Azure SQL Managed Instance

In Master Data Services, use security to ensure that users have access to the specific master data necessary to do their jobs, and to prevent them from accessing data that should not be available to them.

You can also use security to make someone an administrator of a specific model and functional area (for example, to allow someone to create versions of the Customer model or to give someone the ability to set security permissions).

Master Data Services security is based on local or Active Directory domain users and groups. MDS security allows you to use a granular level of detail when determining the data a user can access. Because of the granularity, security can easily become complicated and you should use caution when using overlapping users and groups. For more information, see Overlapping User and Group Permissions (Master Data Services).

You can assign security access in the User and Group Permissions functional area of the Master Data Manager web application or by using the web service.

Types of Users

There are two types of users in Master Data Services:

  • Those who access data in the Explorer functional area.

  • Those who have the ability to perform administrative tasks in areas other than Explorer. These users are called Administrators (Master Data Services).

How to Set Security

To give a user or group permission to access data or functionality in MDS, you must assign:

  • Functional area access, which determines which of the five functional areas of the user interface a user can access.

  • Model object permissions, which determine the attributes a user can access, and the type of access (Read, Create, and Update) that the user has to those attributes. The user can also assign Admin permissions at the Model level.

  • Optionally, hierarchy member permissions, which determine the members a user can access, and the type of access (Read, Update, and Delete) the user has to those members.

When you assign permissions to attributes and members, the permissions intersect and rules determine which permission takes precedence. For more information, see How Permissions Are Determined (Master Data Services).

Security in the Add-in for Excel

Security set in the Master Data Manager web application is also applied to the Add-in for Excel. Users can view and work only with data they have permission to access. Administrators can perform administrative tasks.

The only caveat is that security assigned in Master Data Manager does not take effect in Excel until a 20-minute interval passes. The interval is defined by the MdsMaximumUserInformationCacheInterval setting in the web.config file. To change the interval, change the setting and restart IIS.

Task Description | Topic
Create a user who has full permission to a model. | Create a Model Administrator (Master Data Services)
Add an Active Directory group to Master Data Services; this is the first step in giving a group permission to access data in the Master Data Services web application. | Add a Group (Master Data Services)
Assign permission to a functional area of the Master Data Services web application. | Assign Functional Area Permissions (Master Data Services)
Assign permission to attribute values by assigning permission to model objects. | Assign Model Object Permissions (Master Data Services)
Assign permission to member values by assigning permission to hierarchy nodes. | Assign Hierarchy Member Permissions (Master Data Services)

See Also

Administrators (Master Data Services)
Users and Groups (Master Data Services)
Functional Area Permissions (Master Data Services)
Model Object Permissions (Master Data Services)
Hierarchy Member Permissions (Master Data Services)
How Permissions Are Determined (Master Data Services)