Override of overlapping rules

    Question

  • Hello everyone!

    In our current project we have quite complex logic for separating access in MDS, which is based on AD groups.

    We have Projects and Contractors entities and also have three groups: UG1 has access to the first, UG2 has access to the second, and UG3 has access to both of them. The access is based on derived hierarchies.

    The problem starts with UG3 because, out of the box, a Deny restriction has higher priority than Allow.

    Hence if the UG3 group has a Deny restriction for the Projects entity and at the same time an Allow restriction for Contracts, we get Deny overall.

    Is there any possible way to change this standard behavior to the opposite?

    As a workaround, could it be proposed to change a T-SQL procedure or override a method of some class in the security model of MDS?


    Friday, September 20, 2013 8:17 PM

Answers

  • It's not possible to change this behavior. Group-level permissions are intended to simplify the administration for common security configurations. If the way users get permissions from multiple groups doesn't work for you, you can remove the group that has the Deny, and instead apply permissions more granularly to the group members. Managing lots of granular permissions can be tedious, but can be automated along the lines of the security sample here:

    "This C# sample code shows how to export security information into the specified file and import security information from the file by using MDS APIs (SecurityPrincipalsGet and SecurityPrincipalsClone). "

    http://sqlserversamples.codeplex.com/wikipage?title=SQL%20Server%202012%20Master%20Data%20Services

    But instead of exporting the grants you import, you would generate them based on group membership data.

    David


    David http://blogs.msdn.com/b/dbrowne/


    Saturday, September 21, 2013 3:41 PM
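    A small added model of the overlapping-rule behaviour discussed in this thread and of the workaround David suggests (this is not code from the thread, from MDS or from the codeplex sample; the group names, users and entities are constructed):

```python
# Added example, not code from the thread or from MDS: models the behaviour
# the question describes (a Deny inherited from one group overrides an Allow
# from another) and the accepted answer's workaround (drop the group-level
# Deny, generate explicit per-user grants from membership). Data is constructed.
from enum import IntEnum


class Perm(IntEnum):
    """Ordered so that max() picks the most restrictive permission."""
    ALLOW = 1
    DENY = 2


def effective_permission(user_groups, group_perms, entity):
    """Combine what a user inherits from all of their groups on one entity
    the way the question describes: any Deny beats any Allow. A user whose
    groups say nothing about the entity gets None (no access)."""
    inherited = [group_perms[g][entity]
                 for g in user_groups if entity in group_perms.get(g, {})]
    return max(inherited) if inherited else None


def generate_user_grants(members, group_perms):
    """Workaround: ignore every group-level Deny and give each user an
    explicit Allow on the union of entities their groups allow. A user in
    no allowing group gets no grant at all, which already means no access,
    so no Deny is needed that could cancel another group's Allow."""
    grants = {}
    for user, groups in members.items():
        allowed = {entity
                   for g in groups
                   for entity, perm in group_perms.get(g, {}).items()
                   if perm == Perm.ALLOW}
        grants[user] = {entity: Perm.ALLOW for entity in sorted(allowed)}
    return grants


# Constructed scenario from the thread: UG1 may use Projects, UG2 may use
# Contractors, UG3 carries a Deny on Projects next to its Allow on Contractors.
GROUP_PERMS = {
    "UG1": {"Projects": Perm.ALLOW},
    "UG2": {"Contractors": Perm.ALLOW},
    "UG3": {"Projects": Perm.DENY, "Contractors": Perm.ALLOW},
}
MEMBERS = {"alice": ["UG1", "UG3"], "bob": ["UG2"], "carol": ["UG3"]}

if __name__ == "__main__":
    # alice's Allow from UG1 is lost to UG3's Deny at group level ...
    print(effective_permission(MEMBERS["alice"], GROUP_PERMS, "Projects"))
    # ... but the generated per-user grants keep it.
    print(generate_user_grants(MEMBERS, GROUP_PERMS))
```

    The generated dictionary is what would be pushed into MDS as explicit user permissions in place of the group-level Deny; users who are in no allowing group simply end up with an empty grant set.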

All replies

  • Can you elaborate a bit more on what you're trying to achieve?

    I don't understand this: "Hence if the UG3 group has a Deny restriction for the Projects entity and at the same time an Allow restriction for Contracts, we get Deny overall."

    David


    David http://blogs.msdn.com/b/dbrowne/

    Friday, September 20, 2013 9:13 PM
  • Let me change the formulation of the problem. I am trying to create two groups that control access to a single entity and are assigned to a particular user. The first one has more privileges than the second. After assigning the user to it, I expect to get the rights of the first group, but because of the higher priority of the Deny operation and the overlapping rights, I get the rights of the second group.

    The second example provides a good description of my problem:

    http://technet.microsoft.com/en-us/library/ff486958.aspx

    I really appreciate your help.


    • Edited by Denis Datsko Saturday, September 21, 2013 10:32 AM
    Saturday, September 21, 2013 9:33 AM
  • There is no way to alter the way MDS calculates effective permissions and enforces them. I am not sure, but this should be handled at the AD level. Typically a group represents one permission set, for example:

    UG1---Allow--> Entity1 

    UG2---Allow--> Entity2

    So any user in group UG1 will have access only to Entity1 and not to Entity2.

    So you can create all kinds of permission sets like:

    User having permission in both table -> UG1+UG2

    User having permission in one table -> UG1/UG2

    User having no permission in any table -> Null

    I am not sure if this helps, but I do agree this requirement should rather be handled on the AD side or by granular permissions (low performance) than by disturbing the inner functionality of MDM.

    Tuesday, September 24, 2013 7:05 AM