Leaf Permissions (Master Data Services)

Leaf permissions apply to all leaf members for an entity. This includes the leaf member attributes and any attribute groups that exist.

For entities without explicit hierarchies enabled, assigning permission to Leaf is the same as assigning permission to the entity.

Note

These permissions apply to the Explorer functional area of the user interface only.

| Permission | Description |
|---|---|
| Read-only | Leaf members are displayed but the user cannot add, remove, or change them. If consolidated members exist, the names and codes are displayed but the user cannot add, remove, or change them. |
| Update | Leaf members are displayed and the user can add, remove, and change them. If consolidated members exist, the names and codes are displayed but the user cannot add, remove, or change them. |
| Deny | Leaf members for the entity are not displayed. |

Attribute Group Permissions

Attribute group permissions apply to all attributes in the attribute group, except Name and Code.

| Permission | Description |
|---|---|
| Read-only | The attribute group is displayed and the user cannot update any attributes. |
| Update | The attribute group is displayed and the user can update all attributes except Name and Code. |
| Deny | The attribute group (the tab in Explorer) is not displayed. |

Attribute Permissions

Attribute permissions apply to the attribute’s values for the specific entity. Users with attribute permissions only cannot add or remove members.

| Permission | Description |
|---|---|
| Read-only | The attribute is displayed but the user cannot change attribute values. |
| Update | The attribute is displayed and the user can change attribute values. |
| Deny | The attribute is not displayed. |

Note

You cannot explicitly deny access to Name and Code attributes.

Example

For the Product entity, assign Update permission to the Name and Subcategory attributes.

| Name (Update) | Code (Read-only) | Subcategory (Update) |
|---|---|---|
| Mountain-100 | BK-M101 | {5} Mountain Bikes |
| Mountain-100 | BK-M201 | {5} Mountain Bikes |

In Explorer, you can update any attribute value in the Name or Subcategory columns. If you do not have permission to an attribute, the attribute is not displayed.

Note

In this example, Subcategory is a domain-based attribute, based on the SubcategoryList entity. You can select a different subcategory for Mountain-100 but you cannot add members to or delete members from the SubcategoryList entity.

Possible Overlapping Permissions

When assigning permission on attributes and attribute groups, you may have to resolve overlapping permissions.

When an attribute belongs to multiple attribute groups

Two or more attribute groups can contain the same attribute.

  • If one group is assigned Update permission and another is assigned Read-only, the attribute is updateable in both groups (on both tabs).

  • If one group is assigned Update or Read-only permission and another is assigned Deny, the attribute is not displayed on the updateable tab.

When an attribute has different permission than its attribute group

Because an attribute group is made up of attributes, you can assign one permission to the attribute group and a different permission to the attribute.

  • If an attribute from the attribute group is assigned Deny permission, then the attribute is not displayed in the attribute group.

  • If an attribute from the attribute group is assigned Read-only permission, the attribute is Read-only when displayed in the attribute group. If the attribute is assigned Update, the attribute is updateable when displayed in the attribute group.
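
The overlap rules above can be checked against a planned assignment before it is applied. The following Python model is an added example, not Master Data Services code: it resolves an attribute's effective permission and lists attributes that a Read-only group assignment does not actually protect. The group names, every attribute except Subcategory, and the reading of the multi-group Deny rule as "Deny takes precedence" are assumptions.

```python
from enum import Enum

class Perm(Enum):
    DENY = "Deny"
    READ_ONLY = "Read-only"
    UPDATE = "Update"

PROTECTED = {"Name", "Code"}  # cannot be denied; group permissions skip them

def effective_permission(attr, groups, group_perms, attr_perms):
    """Resolve one attribute's permission from the overlap rules on this page.
    groups: {group: set of attributes}; group_perms, attr_perms: {name: Perm}."""
    explicit = attr_perms.get(attr)
    if explicit is Perm.DENY and attr in PROTECTED:
        raise ValueError(f"{attr} cannot be explicitly denied")
    if explicit is not None:
        return explicit  # attribute-level assignment decides how it appears in a group
    if attr in PROTECTED:
        return None  # attribute group permissions do not cover Name and Code
    inherited = {group_perms[g] for g, members in groups.items()
                 if attr in members and g in group_perms}
    # Assumption: the multi-group Deny rule is read as Deny taking precedence.
    for perm in (Perm.DENY, Perm.UPDATE, Perm.READ_ONLY):
        if perm in inherited:
            return perm
    return None  # no assignment reaches this attribute

def widened_attributes(groups, group_perms, attr_perms):
    """Attributes that some group marks Read-only but that still resolve to Update."""
    found = []
    for attr in sorted(set().union(*groups.values())):
        read_only_somewhere = any(
            attr in members and group_perms.get(g) is Perm.READ_ONLY
            for g, members in groups.items())
        if read_only_somewhere and effective_permission(
                attr, groups, group_perms, attr_perms) is Perm.UPDATE:
            found.append(attr)
    return found

# Constructed sample: group names and all attributes except Subcategory are made up.
GROUPS = {
    "Pricing": {"StandardCost", "ListPrice", "Subcategory"},
    "Logistics": {"Weight", "StandardCost"},
    "Archive": {"Weight"},
}
GROUP_PERMS = {"Pricing": Perm.READ_ONLY, "Logistics": Perm.UPDATE, "Archive": Perm.DENY}
ATTR_PERMS = {"Subcategory": Perm.UPDATE}

if __name__ == "__main__":
    print("widened:", widened_attributes(GROUPS, GROUP_PERMS, ATTR_PERMS))
```

In the sample, StandardCost is widened by a second group with Update and Subcategory by its own attribute-level Update, even though the Pricing group is Read-only.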