Model Object Permissions (Master Data Services)
Model object permissions are mandatory. They determine the attributes a user can access in the Explorer functional area of the UI.
For example, if you assign a user Update permission to the Product entity, the user can update all of the attributes of the Product entity. If you assign Update permission to a single attribute, the user can update that attribute only.
To determine security assigned on each individual attribute value, model object permissions are combined with hierarchy member permissions, which determine the members a user can access.
To give a user access to a functional area other than Explorer, the user must be a model administrator, which also involves assigning model object permissions. For more information, see Administrators (Master Data Services).
Model object permissions are assigned in the Master Data Manager user interface (UI), in the User and Group Permissions functional area on the Models tab. On this tab, the model is represented as a tree structure. When you assign permission to an object in the tree, all objects below inherit that permission. You can override that inheritance by assigning permission to individual objects.
You can assign Read-only, Update, or Deny permission to model objects. If you do not assign any permissions on the Models tab, the user cannot view any models or data in Master Data Manager.
In general, you should assign Update permission to the model object, and then explicitly assign permission to objects underneath. If you do not assign permission to objects underneath, the permissions are inherited and the user is an administrator.