When administrating user and groups in MDS, group level permissions do not work for model administrator. For e.g. the following link http://msdn.microsoft.com/en-us/library/ff487055.aspx states that you can grant model administrator permissions to a specific group. If you follow these steps and add update permissions to a specific group and a specific model, then add all functions to the same group the user does not have access to manage the model i.e. alter entities etc. The permissions does allow them to update members in explorer. It seems only some of the permissions are inherited from the group. I've tried deleting the individual user and logging back in which re-creates the same user in MDS. The permissions to administer a model are still not available. If you add the same permissions to the individual user then models can be administered. I prefer not to add individual user permissions as this is a nightmare to maintain. I have also set the drop down item "permission" in each tab of the user to "user and inherited from group". We are running SQL Server 2012 MDS and the user is not a member of any other group in MDS. I imply have one AD group called MDS_Admins which users who I want to grant access to edit models, sub-entities, attributes etc are a member of.