
MDM Security Requirements

Former Member
0 Kudos

Hello All:

I am new to MDM Security Administration and would like to know how and what controls are available in the system (example: controls on tables, fields, etc.)?

I am trying to compile a Task/Function Matrix which will help the functional teams convey their access requirement in the system.

Help is much appreciated.

Khurram

Accepted Solutions (1)

Former Member
0 Kudos

Hi Khurram,

The Security Requirement as available in MDM can be achieved using the following options:

- Roles and Users: By defining roles and users in MDM you can give access to users on the repository as a whole, i.e. every user defined in MDM will have to enter his login credentials to log in to the repository.

- Functions: Functions in MDM under admin->Functions will allow you to grant access to execute the different functionalities available in MDM, which is again role-specific.

- Table and Fields: Tables and Fields under admin->Table and Fields will allow you Read or Read/Write access on tables, even up to the field level.

- Constraints: This is another feature which will provide security access up to the record level. Using constraints you can limit the access of a set of records to a Role or a User.

Hope It Helped,

Kindly Reward Points if found useful

Thanks & Regards

Simona Pinto

Answers (5)

Former Member
0 Kudos

Thank you everyone for your input on this.

Former Member
0 Kudos

The first thing to consider is the MDM Support pack version you are working on.

Since you have different security features in different versions.

What's the Support Pack of the MDM 5.5 in your landscape?

Former Member
0 Kudos

MDM 5.5 SP6 with EP 6

Thanks

Khurram

Former Member
0 Kudos

Hi Khurram,

MDM 5.5 SP6 with EP 6

I have mentioned the security features in my post above as per the MDM 5.5 SP06 version itself. Kindly go through the above post.

Kindly reward points if helpful

Thanks and Regards

Nitin jain

Former Member
0 Kudos

Hi,

Building a role matrix will involve one of the MDM consultants working in Data Manager, Syndicator, Import Manager, and yourself (Security Consultant).

Then it all depends on what actions your design (company policy) permits for different job profiles.

For example:

For the security role, include the "Roles" and "Users" tables and give only functions from Schema, excluding the import and export schema.

This will allow only user and role administration.

Regards,

Zaheer

Former Member
0 Kudos

Zaheer:

Would you have a task/function matrix I can look at for reference?

I am not really sure what you mean when you say to give only functions from Schema excluding the import and export schema?

My e-addy is mahmudi at gmail

Thanks

Khurram

Former Member
0 Kudos

Hi Khurram,

The following system tables are used for data protection and administration of the repository:

1. Roles: Roles in MDM are a very powerful and flexible tool for the definition of permissions at the field level and the functional level. At the functional level, there are the permissions to insert, edit, delete, protect, or remove the protection from a record, or to group multiple records together. Check in/check out functions for the locking and unlocking of a record, and rollback and join permissions can also be assigned.

2. Users: The users table is used to store information about the people who should have access to the repository, along with their roles (a user can also have multiple roles). A user with multiple roles has permissions that are appropriate to the combination of those roles.

For every repository, there is an Admin role created with all permissions and an Admin user that can be changed at any time.

Passwords for the users (not in clear text) and their email addresses are also entered here. The email addresses are required for workflow notifications in order to inform all participants of required workflow steps.

3. Logins: In the logins table, there is an overview of which users are currently accessing the repository and which client applications they are using to access it. The times of the system logins and the last activity performed are also shown.

Thus not only can access to a repository be monitored, but the administrator also has an overview of which users must be informed before the repository is unloaded for maintenance.

Hope it will help you.

Regards

Richa

Former Member
0 Kudos

Hello Khurram,

SAP has provided multi-level security in MDM:

Server Level: The MDM server can be protected by a password, so that every time the user will have to provide a valid password before performing any Server level activity.

Server Level activities can be: Start MDM Server, Stop MDM Server, Mount Repository, Create Repository, Duplicate Repository, Delete Repository, Archive Repository, Un-archive Repository, DBMS Settings and Log file access.

Repository Level: Repository level security can help in restricting unauthorized users from accessing any MDM repository. Only an authorized user will be able to access the repository by providing a valid user id and password. This password can be changed anytime from the Users table.

In the same way, roles can also be assigned to the user from the Roles table, so that the user will not be able to perform those operations which he is not supposed to.

Permissions like add record, modify record etc. can be granted to or revoked from any user using the Functions tab from the Roles table. Similarly, a user can also be restricted from modifying any particular table or field. This can be done from the Tables and Fields tab under the Roles table.

Database Level: The MDM Server can also be protected from any unauthorized access by enabling a password at Database Level. This will restrict the user from performing archiving, un-archiving, mounting, creation of a repository and any other Server level activity, which will help in reducing the load on the MDM Server.

Hope this will help you.

TNR,

Saurabh...

Reward if found useful.

Former Member
0 Kudos

Hi Khurram,

I am new to MDM Security Administration and would like to know how and what controls are available in the system (example: controls on tables, fields, etc.)?

I am trying to compile a Task/Function Matrix which will help the functional teams convey their access requirement in the system.

MDM security is largely maintained by the presence of roles and users. We can have roles defined in MDM which will have proper authorizations. We can then create users and then assign them roles so that we can maintain the security in MDM. This all can be done through MDM console.

These authorizations ensure that only users who have access or read/write authorization will be able to perform their respective tasks.

This is what is mentioned in SAP Help documentation in this regard.

A. MDM Repository Security

A traditional SQL DBMS allows you to define basic user-level security to prevent unauthorized access to the database. You can specify the tables to which each user has access, granting at the table level either: (1) no access to the table; or (2) complete read/write access to the table, including access to all of its fields and records.

By contrast, MDM supports a dramatically more flexible multidimensional security scheme that provides much more granular control over which users can access an MDM repository, which functions they can perform, and which tables, fields, and records they can access. The MDM security scheme includes:

● Users. A user represents an entity that can connect to and access the MDM repository. Each user has a user name and password, and is assigned one or more roles that collectively specify the complete set of privileges for that particular user.

● Roles. Each role specifies a set of privileges to access each of the MDM repository's tables, fields, lookup record values, and records, and to perform each of the repository functions. The same role can be assigned to more than one user.

● Privileges. For each repository function, you can either prevent or allow the role to perform the function, and for each table and field, you can grant the role full read/write access or read-only access.

● Constraints. For the Masks table and some lookup tables (those referenced by at least one single-valued lookup field and no multi-valued lookup fields), you can specify the set of masks or lookup values that should be visible and accessible for the role.

Precisely defining each role (and then assigning one or more roles to each user) provides very fine control over who can access an MDM repository and how they can access it.

You can define repository security from within the MDM Console by working on the following administrative tables, which are located under a repository's Admin node in the Console Hierarchy tree:

● Roles. Defines the sets of functional permissions, access privileges, and record constraints that can be assigned to MDM user names.

● Users. Defines the MDM user names that can access the MDM repository and manages their role assignments.

Within a SQL-based DBMS, you can use views to precisely control field- and record-level access by various users. However, views are cumbersome to manage, and more importantly, degrade system response, often creating severe performance bottlenecks.

B. Console-Level Repository Security

Recall that MDM's multi-level security model supports granular, role-based repository access to functions and data from within MDM client applications. This multi-level security model extends to administrative functions within the MDM Console itself.

The MDM Console security scheme includes:

● Users

Repository administrators must connect to an MDM repository with an MDM user name and password before any administrative tasks can be performed in the MDM Console.

● Roles

The roles assigned to an administrator's MDM user name determine which administrative functions are permitted or restricted for that administrator in the MDM Console.

● Privileges

Administrative, Schema, and Change Tracking functional groups on the Roles table enable granular control over access to all MDM Console functions.

With these features, you can precisely define limited administrative roles for each of your administrators or administrative tasks. You can then assign these targeted roles to users instead of the Admin role, which retains full access to all MDM privileges.

Kindly go through the link below to get additional info:

http://help.sap.com/saphelp_mdm550/helpdata/en/8e/9f9c427055c66ae10000000a155106/frameset.htm

Go to ->Repository maintenance->MDM repository security

You will find enough information.

Hope it helps.

  • Kindly reward points if helpful

Thanks and Regards

Nitin Jain
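
A task/function matrix of the kind asked about in this thread can be kept as data and checked mechanically before it is keyed into the Console. The sketch below is an added example, not from any poster or from SAP: the role, function, table and field names are constructed, and it assumes that a user's multiple roles combine to the most permissive grant, which should be confirmed for your MDM version.

```python
# Added illustration: role, function, table and field names are constructed
# placeholders, not identifiers taken from MDM or from this thread.
NONE, READ_ONLY, READ_WRITE = 0, 1, 2

ROLES = {
    "DataSteward": {
        "functions": {"add_record", "modify_record"},
        "tables": {"Products": READ_WRITE, "Vendors": READ_ONLY},
        "fields": {("Products", "Price"): READ_ONLY},
    },
    "Approver": {
        "functions": {"modify_record", "check_in_out"},
        "tables": {"Products": READ_ONLY},
        "fields": {("Products", "Price"): READ_WRITE},
    },
    # Mirrors the built-in Admin role described above: everything allowed.
    "Admin": {"functions": {"*"}, "tables": {"*": READ_WRITE}, "fields": {}},
}
USERS = {"steward1": ["DataSteward", "Approver"], "ops1": ["DataSteward", "Admin"]}


def role_field_access(role, table, field):
    """Access one role grants on a field; a field entry overrides its table."""
    spec = ROLES[role]
    table_level = spec["tables"].get(table, spec["tables"].get("*", NONE))
    return spec["fields"].get((table, field), table_level)


def effective_access(user, table, field):
    """Assumption: a user's roles combine to the most permissive grant."""
    return max(role_field_access(r, table, field) for r in USERS[user])


def can_run(user, function):
    """True if any of the user's roles allows the repository function."""
    return any({function, "*"} & ROLES[r]["functions"] for r in USERS[user])


def users_with_admin(users=USERS):
    """Users whose limited roles are moot because they also hold Admin."""
    return sorted(u for u, roles in users.items() if "Admin" in roles)


if __name__ == "__main__":
    print(effective_access("steward1", "Products", "Price"))
    print(can_run("steward1", "delete_record"))
    print(users_with_admin())
```

Under the stated assumption, `steward1` ends up with read/write on `Products.Price` even though the `DataSteward` role alone makes that field read-only, which is the kind of combination effect a role matrix review should surface.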