Security In Business Connectivity Services In SharePoint 2013

In some authentication scenarios the external system is not allowed to accept credentials directly from Business Connectivity Services, but it will accept them from a third party, an authentication service that it trusts. That third party is generally a security token provider.

The provider accepts a grouping of information about a user called assertions. The whole grouping is called a claim, and it can carry plenty of information about the person making the request, well beyond a username and password. The claim may contain metadata such as the requestor's email address or a security group that they belong to.

With third-party authentication, the service creates a security token for the user. Business Connectivity Services then presents that security token to the external system, which examines it to determine what data the user is authorized to access.

When the external system doesn't support credentials-based or claims-based authentication, you have to create a customized solution that takes your own needs into consideration. It takes the credentials that you create with Business Connectivity Services and converts them into a format the external system accepts. Such a solution can be built for OData sources that have been secured either with OAuth or with a custom ASP.NET HTTP module.

You will have to find out what the business stakeholders see as the solution and how they feel users should interact with it. Users may need to interact with the data through Apps for Office, external lists, external web parts, Office 2013, an on-premises SharePoint installation, SharePoint Online, and SharePoint Server.

The way in which users will access the data determines how you set up the external content type for Business Connectivity Services, because the external content type is how users reach that external data. When the Business Connectivity Services solution requires apps for Office and SharePoint, the external content type has to be built for that application.

If the solution does not rely on apps, the external content type is developed for the Business Data Connectivity service only, and it is stored in the BDC Metadata Store. With an on-premises SharePoint 2013 installation, the external content type is stored in the BDC Metadata Store and a farm administrator manages its security.

Those external content types can be shared by multiple Business Connectivity Services web applications. With SharePoint Online, the external content types have to be stored so that you can use them across all site collections. External content types scoped to an app for SharePoint or Office are stored as an XML file inside the app, and they cannot be used by other apps, whether on premises or in SharePoint Online.

The connection settings object supplies the connection information, including:

  • Names of any certificates required
  • Service address of the external data
  • Type of authentication in use
  • URL

Connection settings objects are separate from the external content type. A Business Connectivity Services solution has to connect to an external system, and it uses the information you select in the connection settings object to define that connection separately from the external content type you developed. You can only use connection settings objects with OData sources, in the external content types for apps for SharePoint and for Office.

Connection settings objects are managed in SharePoint Central Administration. Every solution has to be granted permission to use a connection settings object, and one object can be used by multiple Business Connectivity Services solutions. If the apps for SharePoint and Office access an OData source, you can generate an app-scoped external content type automatically.

This is done with Visual Studio 2013, which has built-in tools for creating external content types: you point Visual Studio 2013 at the OData service URL. The resulting external content type can be used by an external list. The app-scoped external content type can also be used from custom code, whether .NET using CSOM or JavaScript using the JS CSOM.

Your plan has to state who will have permissions for which objects within the Business Connectivity Services solution. You will be able to grant as well as restrict access based on the solution you select. To set this up successfully you will need to work with the external system administrator as well as the SharePoint farm administrators; in SharePoint Online, the online administrators configure the permissions. There are three roles that must be involved with any Business Connectivity Services solution:

The administrator role covers many tasks, including managing permissions on the external system, creating and managing the Business Data Connectivity service application, importing Business Data Connectivity models, and managing permissions on the BDC Metadata Store.

SharePoint farm administrators also have to be involved in publishing the app and creating the connection settings objects if apps for SharePoint use Business Connectivity Services.

The developer role involves understanding the business needs for the solution. Common tasks include creating external content types, creating BDC models, and creating the apps for SharePoint that Business Connectivity Services will use.

The user role covers the people who will use and manipulate the external data from the Business Connectivity Services solution. A solution can have many user roles, and users can have different levels of permission depending on their role within the organization.

Permissions must be managed for four main elements of every Business Connectivity Services solution:

Each external system needs a method for authentication as well as for authorization. Working with the external system administrator lets you identify a way to grant the solution's users access that is consistent with the principle of least privilege. One option maps a group of Business Connectivity Services users to a single account on the external side.

That mapping restricts access until a user has been authenticated and authorized to access data. Mapping individual accounts to each system is also an option to consider. Unless the credentials are already available within SharePoint, the external system will need the Secure Store Service for authentication.

The central infrastructure of Business Connectivity Services also has to be considered, because it is a shared service application. It has to be configured and managed so that its permissions are accessible through Central Administration. Creating a shared service application requires farm administrator rights.

After you create the Business Data Connectivity service application, you can delegate its administration. You can also manage the assignment of permissions on the BDC Metadata Store in Central Administration. The permissions assigned there allow management of BDC models, external content types, and external systems.

Execute permission on an external content type has to be assigned to all users of the Business Connectivity Services solution. The tables below show a detailed mapping of those objects, permissions, and abilities.
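To make that split between administrative rights on the BDC Metadata Store and Execute rights for solution users concrete, here is an added example (not from the original article) that assigns them with the Business Data Connectivity cmdlets of the SharePoint 2013 Management Shell. The site URL, the account and group names, and the external content type Name and Namespace are placeholders chosen for illustration.

```powershell
# Added example: least-privilege permissions on the BDC Metadata Store.
# Placeholders: site URL, CONTOSO accounts, and the Customer entity details.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$ctx = Get-SPServiceContext -Site "http://sharepoint.contoso.local"   # placeholder URL

# 1. The Metadata Store (catalog) itself: only the delegated BCS administrators
#    get the management rights (Edit, SetPermissions, ...). This is the step
#    that needs a farm administrator.
$catalog = Get-SPBusinessDataCatalogMetadataObject -BdcObjectType Catalog -ServiceContext $ctx
$bcsAdmins = "CONTOSO\BCS-Admins"                                      # placeholder group
foreach ($right in "Edit", "Execute", "SetPermissions", "SelectableInClients") {
    Grant-SPBusinessDataCatalogMetadataObject -Identity $catalog -Principal $bcsAdmins -Right $right
}

# 2. Push the catalog ACL down so every model, external system and external
#    content type starts from the same administrative baseline.
Copy-SPBusinessDataCatalogAclToChildren -MetadataObject $catalog

# 3. Solution users get Execute only, and only on the external content type
#    (entity) they actually consume, never on the whole store.
$ect = Get-SPBusinessDataCatalogMetadataObject -BdcObjectType Entity `
        -Name "Customer" -Namespace "http://contoso.local/crm" -ServiceContext $ctx   # placeholders
Grant-SPBusinessDataCatalogMetadataObject -Identity $ect -Principal "CONTOSO\CRM-Readers" -Right Execute

# 4. If that user group was earlier given Edit by mistake, take it back:
#    Execute is all an external list needs; Edit would let users change the model.
Revoke-SPBusinessDataCatalogMetadataObject -Identity $ect -Principal "CONTOSO\CRM-Readers" -Right Edit
```

Run it as a farm administrator on a SharePoint 2013 server; the same rights can be reviewed afterwards under Manage Service Applications in Central Administration.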


Integrating Data For Business Connectivity Services In SharePoint 2013

Microsoft Business Connectivity Services solutions don't have any predefined form, which makes them very different from other SharePoint 2013 features. Since you don't know beforehand what they look like or what they do, you won't know for sure how users will interact with them or even how to secure them.

Every Business Connectivity Services solution is a custom solution, so you will use SharePoint Designer 2013 or Visual Studio 2013 to develop it and to define the external data source. There is no one-size-fits-all configuration or template to rely on; you design and implement what best serves the integration of external data into SharePoint 2013 and Office 2013.

Before you can design your Business Connectivity Services solution you have to understand the needs of the business; the goal is to place the solution in an environment where it will succeed. There are five questions you need to answer before you can design a good Business Connectivity Services solution. Collecting that information and sharing it with key stakeholders for approval gives everyone the same vision of what the solution should achieve.

The first thing to look at when planning your Business Connectivity Services solution is where the external data is going to be stored. You need to look at it from three perspectives:

Understand where the external data source sits in relation to your network and to the users who will access it. Draw a diagram of these components so you can see where they fall in your network, for instance whether they are inside the internal network and behind your firewall. You may discover that the Business Connectivity Services infrastructure and the external data source are on separate networks, divided by a perimeter network or firewall.

There are some basic rules that you need to use as a guide for your design:

  • If the external data source is on a corporate-controlled network, the Business Connectivity Services infrastructure needs to be there too. To accomplish this, implement an on-premises solution.
  • If the Business Connectivity Services infrastructure is corporate controlled, you need to deploy the all-on-premises solution. This is true even if the external data source sits outside your own network; Business Connectivity Services then communicates with the external data source through the firewall, so plan carefully for that traffic.
  • Should you use Business Connectivity Services in SharePoint Online with the external data source in the cloud, you will be implementing the cloud-only solution.

Identify where users will access the Business Connectivity Services solution. Consider the data communications between the solution and the client; they should be encrypted. Make sure the browser and Office clients can fully support the functions the solution is to provide.

An external system hosts the external data, very commonly a SQL Server database. The connector for the external content type connects to the data in different ways depending on what that external system is. Should you connect to Exchange Server 2013, you will need a .NET connector.

Find out who has daily administrative responsibility for the external data source. This is the group you will work with to set up the right connectivity to that external data source. They can help you discover how the data is made available for external use and how it is secured.

They can help you create the credentials needed to use that external system, and they can help you see the big picture of how it will affect your Business Connectivity Services solution.

A Business Connectivity Services solution connects to an external data source through one of the following:

  • .NET Assemblies
  • OData
  • SQL Server
  • Windows Communication Foundation Service

It is very important to know how the data is surfaced for external use, because that determines the development tools you use to create the external content type. The following table shows the tools to use for a given external data source.

All authentication for communications between Business Connectivity Services and the external system is done internally: Business Connectivity Services offers the external system the information it needs to authenticate the request, and the external system then authorizes access to its data. Business Connectivity Services supports several types of authentication.

To complete your Business Connectivity Services solution design you have to know what type of authentication mechanism the external system requires, and the solution has to present the authentication information in the form the external system requires. There are three authentication models that Business Connectivity Services supports:

Credentials-based authentication requires credentials to be passed from Business Connectivity Services to the external system. These credentials are a combination of a username and some type of password. There are several ways this can be done, but the most common is to pass the logged-in user's credentials through, mapping them to credentials the external system recognizes.

The SQL Server database stores external content types, external system definitions, and model definitions.

You will need a development environment to create the Business Connectivity Services solution, and it should be separate from your production environment; in it you can grant certain users higher permissions than you would in production. If connecting to OData sources is part of the solution, you must have Visual Studio 2012 or an XML editor.

The external data has to be accessible through one of the following:

  1. Apps for SharePoint or Office
  2. Business data web parts
  3. External data columns
  4. External lists

Users who can access the app for SharePoint and Office are able to access all of its external data. Working with site administrators, plan the permissions that will govern the external data in your solution.