User Community Service Desk Downloads
If you can't find the product or version you're looking for, visit

MDM Web App Permissions

Permissions (or roles) for the MDM Web App are defined in Files/etc/mda-permissions.xml and referenced in MDM Web App Backend. Keep in mind that for a new role to be able to work with drafts in the MDM Web App, the role also needs to be defined in metadata.xml and workflow.xml.

mda-permissions.xml overview

The mda-permissions.xml configuration file has the following structure:

<?xml version='1.0' encoding='utf-8'?>
		<role name="MDA_viewer"/>
		<role name="MDA_user"/>
		<role name="MDA_superuser"/>
		<role name="MDA_im_steward"/>
		<securityProvider class="">
			<rolesBean class="">
  • loggedUsername: Allows to skip the login screen and log in as the specified user (development mode only).

  • securityProviders: This section defines actual permissions to the entities and related attributes.

    • MdaAllPermissionsProvider: Grants permission for all entities and columns including all actions (development mode only).

    • MdaDefaultPermissionsProvider: Role types are hardcoded, and consist of:

      • viewRoles: User can see entity, workflow, and create issues.

      • userRoles: All the previous permissions plus the ability to edit records, create, discard drafts, and export data.

      • adminRoles: All the previous permissions plus the ability to publish drafts.

    • MdaPermissionsProvider: For custom definition of permissions for entities and their columns, and definition of transition permissions.

      Two security providers can be used, but one role should not be defined in both. Otherwise, permissions for that role can not be determined correctly.
  • rolesBean: The container node for definition of role. Currently, there is only one role provider available: RolesBean.

                <rolesBean class="">
                        <role name="MDA_user">
  • issueRoles: Users listed here are users to whom issues can be assigned.

    • keycloakConfigName, keycloakClientId - provide a list of users defined in issueRoles. These properties are defined in runtimeConfig.xml.

Role definition

Here is an example of actual role definition:

mda-permissions.gen.xml example
<role name="MDA_user">
                           <workflow name="consolidation">
                                   <step name="draft" discard="true"/>
                                   <step name="waiting_for_publish"/>
                                   <transition name="move_publish"/>
                               <entity name="party">
                                       <step name="draft" workflow="consolidation" override="true"/>
                                       <column name="id" write="true"/>
                                       <column name="src_first_name" write="true"/>
                                       <column name="cio_gender"/>
                                   <row>cio_gender IN ('F', 'M')</row>
                           <masterLayer name="masters">
                                   <entity name="party" export="false">
                                           <step name="draft" workflow="consolidation" ovrMatch="false"/>
                                           <column name="id" write="true"/>
                                           <column name="cmo_first_name" write="true"/>
                                           <column name="cmo_gender"/>
                                           <column name="cmo_type"/>
                                       <row>cmo_gender = 'F'</row>
                                   <entity name="party_instance" createIssue="true">
                                           <step name="draft" workflow="consolidation" ovrMatch="true"/>
                                           <step name="waiting_for_publish" workflow="consolidation" ovrMatch="true"/>
                                           <column name="id" write="true"/>
                                           <column name="src_first_name" write="true"/>
                                           <column name="cio_gender" write="true"/>
                                           <column name="cio_type" write="true"/>
                                       <row>cio_type = 'P'</row>
                               <entity name="party_contact_inst" createIssue="true">
                                       <column name="id" write="true"/>
                                       <column name="party_instance_std_first_name" write="true"/>
                                   <row>party_instance_std_first_name NOT IN ('John', 'Jordan')</row>
  • name: Name of the role.

  • workflow name: Name of the workflow.

  • If a role contains a workflow step, the role can view drafts in this state.

  • If a role contains a workflow transition, the role can execute this transition (move drafts to another state).

  • If a step contains the attributes discard="true" or publish="true", the role can discard or publish drafts in this state (for more information, see Publishing Workflow).

  • entity name: Name of the entity.

  • If a role contains an entity, the role can view the entity.

  • export: Specifies if the role can export issues.

  • createIssue: Specifies if the role can create an issue on the entity (see creating-data-issues.adoc).

createIssue attribute will only work if createIssue and seeOthersIssues permissions are assigned for the role in metadata.xml.
  • If an entity contains a step (identified by the step name and the workflow name), the role can execute actions. The following actions can be specified (Boolean):

  • column name: Name of the column.

  • If an entity contains columns, the role can view these columns.

  • If a column contains the attribute write="true", the role can override or edit this value if the workflow state allows this action.

  • If a column contains the attribute `edit="true’ (authored records only), the role can edit this value if the workflow state allows this action.

  • If a column contains the attribute override='true' (consolidated records only), the role can override this value if the workflow state allows this action.

  • If a column contains both edit='true' and override='true', the attribute write is generated, and works as previously described.

  • If a role does not contain a row permission, it can see all rows.

  • If an entity contains a row permission, the role can view only what is defined in the permission.

  • Row permissions are defined using SQL WHERE conditions (supported operators and syntax depend on the database).

  • If a user has more than one role, they have the row permissions of all assigned roles.

Row permission examples
    <!-- Role has permission to view column cio_gender if the values are 'M' or 'F' -->
<row>cio_gender IN ('F', 'M')</row>

    <!-- Role has permission to view records that have a first name column containing the letter 'a', gender column containing the value 'M' or an ID value less than 2000.  -->
<row>(first_name LIKE '%a%' AND gender = 'M') OR id &lt; 2000</row>

For example, to see only gender = M records in Party entity, the mda-permissions.xml would look as follows:

                               <entity name="party" >
                                        <column name="src_first_name" write="true"/>
                                        <column name="src_last_name" write="true"/>
                                        <column name="src_gender" write="true"/>
                                 <row> src_gender = 'M' </row>

Was this page useful?