I noticed an interesting issue with SQL Server 2012 RC0 Master Data Services. It seems that security does not work for some built-in Windows groups. It looks like MDS is not recognizing membership of some groups. For example, the following picture shows there are no members of my local Power Users groups. However, I gave permissions to this group, and I added a user to this group. Then I logged in to MDS with that user account. I did not inherit any permission from the group, and the group membership apparently was not resolved.

I mentioned this does not work for “some” group. Yes, this is the nasty part – seems that MDS security works for some built-in Windows groups and does not work for others. Currently, the only pattern I found is that it does not work if a group contains space in its name, if the name is delimited. For example, security works for Users built-in group and does not work for Power Users and Backup Administrators. However, if you create your own group with delimited name, or your own user with delimited name, everything works.

I tested this on Windows Server 2008 R2 64 SP1, SQL Server 2012 RC0.

For now, I would suggest that you simply create your own Windows groups, and not use delimited names, just to be on the safe side.

Dejan Sarka