SharePoint 2010 Business Connectivity Services Security Best Practices – Permissions And Authorization
A permission in Microsoft Business Connectivity Services associates an individual account, a group account, or a claim with one or more permission levels on an object in the metadata store. Setting these permissions correctly on every object is crucial, because they are the primary control over who can reach the external data that a Business Connectivity Services solution exposes. Plan the permission strategy during the design phase rather than after deployment. Grant each user or group only the specific rights it needs to perform its tasks, and nothing more; this is the principle of least privilege, and it applies equally to the external systems themselves, which are part of your security boundary and must not be overlooked. How permissions are organised will vary by business and by the purpose of the implementation, so weigh the available security models and features before deciding on an approach.
Each instance of the Business Data Connectivity service holds a metadata store that contains the models, external systems, external content types and methods defined for that store. These objects form a hierarchy, and permissions can be propagated down it from a parent object to its children. Propagation replaces the children's existing settings with those of the parent; it does not merge them, so any narrower grant made on a child is lost when the parent's permissions are pushed down. Four permission levels exist for objects in the metadata store: Edit, Execute, Selectable in clients, and Set permissions.
Each object type treats the four permission levels differently, so decide what to grant by going through the object types one at a time. The following list describes what each level means on each object.
External Content Type – An external content type is a reusable collection of metadata that defines one set of data from an external system, together with the connectivity information for that data. Edit has no meaning on an external content type itself; the setting exists only so that it can be propagated to child objects in the metadata catalog. Execute lets the user run operations on the external content type. Selectable in clients lets the user create external lists based on it and pick it in client applications. Set permissions lets the user set permissions on the external content type.
External System – An external system is the metadata representation of a data source, modelled as a database, a web service, or a .NET connectivity assembly. Edit lets the user modify the external system, which is what makes it available for editing in SharePoint Designer. Execute and Selectable in clients have no meaning on an external system; the settings exist so that they can be propagated to child objects in the metadata catalog. Set permissions lets the user set permissions on the external system.
Metadata Store – The metadata store is the collection of XML files held by the Business Data Connectivity service that define the models, external systems and external content types. Edit lets the user create new external systems. Execute and Selectable in clients have no meaning on the store itself; both settings exist so that they can be propagated to child objects in the metadata catalog. Set permissions lets the user set permissions on any object in the metadata store.
Method – A method is an operation defined on an external content type. Edit lets the user modify the method. Execute and Selectable in clients do not apply to a method. Set permissions lets the user set permissions on the method.
Method Instance – A method instance describes how a particular method is used with a given set of default values. Edit lets the user modify the method instance. Execute lets the user run it. Selectable in clients does not apply. Set permissions lets the user set permissions on the method instance.
Model – A model is an XML file that describes one or more external content types and the external systems they use. Environment-specific information, including the authentication settings used to reach the external system, is stored in the model, which is why Edit on a model is a sensitive right. Edit lets the user modify the model file. Execute and Selectable in clients do not apply to a model. Set permissions lets the user set permissions on the model.
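The per-object meaning of the four rights translates into SharePoint 2010 Management Shell cmdlets as follows. This is an added example, not code from the original article or from Microsoft's documentation; it assumes a site at http://contoso, a model named ContosoModel containing an external system ContosoCRM and an external content type Customer, and three directory groups CONTOSO\BcsConsumers, CONTOSO\BcsDesigners and CONTOSO\BcsAdmins, all of which are placeholders. It grants each group only the rights that actually do something on the object type in question, and then propagates the external content type's ACL down to its methods and method instances.

```powershell
# Added example (not from the original article): least-privilege BDC grants that
# follow the per-object meaning of each right described above.
# Assumptions: SharePoint 2010 Management Shell, run as a farm administrator;
# the site URL, model/system/ECT names and the CONTOSO\* groups are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$site      = "http://contoso"
$consumers = New-SPClaimsPrincipal -Identity "CONTOSO\BcsConsumers" -IdentityType WindowsSecurityGroupName
$designers = New-SPClaimsPrincipal -Identity "CONTOSO\BcsDesigners" -IdentityType WindowsSecurityGroupName
$admins    = New-SPClaimsPrincipal -Identity "CONTOSO\BcsAdmins"    -IdentityType WindowsSecurityGroupName

# External content type: end users need Execute (run operations) and
# Selectable In Clients (build external lists). Edit is meaningless here,
# so it is deliberately not granted to anyone on the ECT.
$ect = Get-SPBusinessDataCatalogMetadataObject -BdcObjectType Entity -Name "Customer" `
           -Namespace "ContosoModel" -ServiceContext $site
Grant-SPBusinessDataCatalogMetadataObject -Identity $ect -Principal $consumers -Right Execute
Grant-SPBusinessDataCatalogMetadataObject -Identity $ect -Principal $consumers -Right SelectableInClients

# Model and external system: Edit is what lets a designer change connection
# details and the authentication settings held in the model, so only designers
# get it, and they get nothing that would let them execute against the data.
$model  = Get-SPBusinessDataCatalogMetadataObject -BdcObjectType Model -Name "ContosoModel" -ServiceContext $site
$system = Get-SPBusinessDataCatalogMetadataObject -BdcObjectType LobSystem -Name "ContosoCRM" -ServiceContext $site
Grant-SPBusinessDataCatalogMetadataObject -Identity $model  -Principal $designers -Right Edit
Grant-SPBusinessDataCatalogMetadataObject -Identity $system -Principal $designers -Right Edit

# Set Permissions governs every other right, so it stays with the admin group
# on every object touched here.
foreach ($obj in @($ect, $model, $system)) {
    Grant-SPBusinessDataCatalogMetadataObject -Identity $obj -Principal $admins -Right SetPermissions
}

# Propagation: copy the ECT's ACL onto its methods and method instances. Execute
# on the method instance is what finally allows a read operation to run. This
# overwrites the children's existing ACLs rather than merging with them.
Copy-SPBusinessDataCatalogAclToChildren -MetadataObject $ect

# Read the resulting ACL back to verify. GetAccessControlList() is a method of the
# BDC MetadataObject class; the PrincipalName/Rights entry property names are an
# assumption made for this example.
$ect.GetAccessControlList() | ForEach-Object { "{0}: {1}" -f $_.PrincipalName, $_.Rights }
```

Two caveats when running this for real: because Copy-SPBusinessDataCatalogAclToChildren replaces the child ACLs, grant Set permissions to your admin group on the parent before propagating, or you can leave child objects with no principal able to change them; and run the read-back on a method instance as well as on the external content type, since it is the method instance's Execute entry that a consumer ultimately exercises.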
Beyond the general capabilities described above, the Business Data Connectivity service carries a few special permission arrangements:
- Application pool accounts The application pool accounts of the front-end web servers must have the same permissions to the Business Data Connectivity service as farm administrators. This is required in order to deploy solutions that are based on Microsoft Business Connectivity Services.
- Farm administrators Farm administrators have full permissions to the Business Data Connectivity service so that they can maintain, repair and update it. They do not, however, hold Execute permission on any object in the metadata store, so administering the service does not by itself grant access to the external data.
- SharePoint Designer users By default, SharePoint Designer users are granted Edit, Execute and Selectable in clients permissions on the entire metadata store, but not Set permissions. Restrict SharePoint Designer users to a subset of the metadata store wherever possible, since store-wide Edit lets them change every model and external system, including the authentication settings held in the models.
- Windows PowerShell Windows PowerShell users are farm administrators and can run cmdlets against the Business Data Connectivity service.
Common tasks in the Business Data Connectivity service require the following permissions:
- Adding a new object to the metadata store Edit permission on the parent metadata object.
- Adding an external content type to a model Edit permission on the model.
- Deleting an object from the metadata store Edit permission on that object, and on its parent and all of its child objects.
- Deploying a package Packages are deployed by the application pool account of the front-end web server, which therefore needs full permissions to the Business Data Connectivity service.
- Exporting models Edit permission on the model and on the external systems contained in that model.
- Importing models Edit permission on the metadata store. The objects created by the import are given permissions for the user that performed the import.
- Setting permissions on the metadata store The permissions of a newly created Business Data Connectivity service are empty. A farm administrator must open the metadata store and set its initial permissions before anyone else can work with it.
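The bootstrapping, import and SharePoint Designer restriction steps above, as one added PowerShell script that is not part of the original article: it sets the first entries on an empty metadata store, imports a model using the Edit right on the store, and then narrows a SharePoint Designer group from store-wide rights to a single model. It assumes a site at http://contoso, the groups CONTOSO\BcsAdmins and CONTOSO\SpdUsers, the model name ContosoModel and the file path C:\Models\ContosoModel.bdcm, all placeholders.

```powershell
# Added example (not from the original article): bootstrapping permissions on a
# newly created BDC metadata store, importing a model, and restricting the
# SharePoint Designer group to one model. Assumptions: SharePoint 2010 Management
# Shell run as a farm administrator; site URL, groups and file path are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$site   = "http://contoso"
$admins = New-SPClaimsPrincipal -Identity "CONTOSO\BcsAdmins" -IdentityType WindowsSecurityGroupName
$spd    = New-SPClaimsPrincipal -Identity "CONTOSO\SpdUsers"  -IdentityType WindowsSecurityGroupName

# 1. Initial permissions. The store's ACL is empty at creation, and nobody can
#    grant anything until a farm administrator writes a Set Permissions entry on
#    the store object itself (BdcObjectType Catalog). Edit on the store is the
#    prerequisite for importing models.
$catalog = Get-SPBusinessDataCatalogMetadataObject -BdcObjectType Catalog -ServiceContext $site
Grant-SPBusinessDataCatalogMetadataObject -Identity $catalog -Principal $admins -Right SetPermissions
Grant-SPBusinessDataCatalogMetadataObject -Identity $catalog -Principal $admins -Right Edit

# 2. Import a model. The -PermissionsIncluded switch is deliberately omitted: with
#    it, any ACL the model author embedded in the .bdcm file would be applied to
#    the imported objects. Without it, the imported objects carry only the
#    permissions the importing account confers, which is what you want when the
#    file came from a developer or a third party.
Import-SPBusinessDataCatalogModel -Identity $catalog -Path "C:\Models\ContosoModel.bdcm"

# 3. SharePoint Designer users: instead of Edit/Execute/Selectable on the whole
#    store, give the group Edit on just the model it maintains...
$model = Get-SPBusinessDataCatalogMetadataObject -BdcObjectType Model -Name "ContosoModel" -ServiceContext $site
Grant-SPBusinessDataCatalogMetadataObject -Identity $model -Principal $spd -Right Edit

#    ...and remove any store-wide rights the same group holds, so it cannot reach
#    every other model through propagation from the store.
foreach ($right in "Edit", "Execute", "SelectableInClients") {
    Revoke-SPBusinessDataCatalogMetadataObject -Identity $catalog -Principal $spd -Right $right
}
```

Revoke the store-wide rights only after the narrower grant on the model is in place, and never revoke the last Set permissions entry on the store: once no principal holds it, the ACL can no longer be changed through the service and a farm administrator has to reset the initial permissions again.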