Model Object Permissions (Master Data Services)
Model object permissions are mandatory. They determine the attributes a user can access in the Explorer functional area of the UI.
For example, if you assign a user Update permission to the Product entity, the user can update all of the attributes of the Product entity. If you assign Update permission to a single attribute, the user can update that attribute only.
To determine security assigned on each individual attribute value, model object permissions are combined with hierarchy member permissions, which determine the members a user can access.
To give a user access to a functional area other than Explorer, the user must be a model administrator, which also involves assigning Admin permissions on object model. For more information, see Administrators (Master Data Services).
Model object permissions are assigned in the Master Data Manager user interface (UI), in the User and Group Permissions functional area on the Models tab. On this tab, the model is represented as a tree structure. When you assign permission to an object in the tree, all objects below inherit that permission. You can override that inheritance by assigning permission to individual objects.
You can assign a combination of Read, Create, Update and Delete or Deny permissions to model objects. If you do not assign any permissions on the Models tab, the user cannot view any models or data in Master Data Manager.
In general, you should assign ALL permission to the model object, and then explicitly assign permission to objects underneath.
Blog post, Security Improvements, on msdn.com.
Assign Model Object Permissions (Master Data Services)
Model Permissions (Master Data Services)
Functional Area Permissions (Master Data Services)
Hierarchy Member Permissions (Master Data Services)
How Permissions Are Determined (Master Data Services)