Permissions in Business Connectivity Services
Solution designers, administrators, and end users interact with composite solutions using external content types, which enable the presentation of and interaction with external data in SharePoint lists (known as external lists), Web Parts, and supported Microsoft Office 2010 client applications. Permissions are recorded in the metadata definitions for the various objects stored in the BCS metadata store, such as external systems, models, and external content types. By correctly setting permissions on objects in Microsoft Business Connectivity Services, you help enable solutions to securely incorporate external data.
Roles in Business Connectivity Services
Following are the roles that individuals (or processes) in an organization must fill in Business Connectivity Services scenarios. Depending on your solution goals, individuals and groups in these roles may be assigned various levels of permissions on the objects in the metadata store:
- SharePoint Server administrator: Deploys, administers, and maintains the server farm and creates the shared services that Business Connectivity Services depends on.
- Database administrator: Deploys, administers, and maintains the database server.
- Shared Service administrator: SharePoint Server administrators can delegate administration of an instance of a shared service to a shared service administrator.
- Solution designer: Develops models and external content types using SharePoint Designer 2010.
- Solution developer: Uses development tools such as Visual Studio 2008 to create external content types, Web services, and other components of a BCS solution.
- Solution user: Interacts with the external content type to modify data or enter new data. Solution users can be configured to only be able to perform a subset of the operations available at an external system. For example, some solution users may be given the permissions to create and delete items in an external system while others may only be permitted to modify existing items.
- Solution viewer: Views the external data in Web parts or external lists.
- Application pool account: The account under which a shared service or other Web application will run.
What can permissions be assigned to?
The Business Data Connectivity service contains a metadata store that includes all the models, external systems, external content types, methods, and method instances that have been defined for that store’s purpose. Permissions in Business Connectivity Services associate an individual account, group account, or claim with one or more permission levels on an object in a metadata store. Depending on the object for which the user or group is being granted permissions, the permission level specifies the actions that the user or group can take on that object. All permissions on objects in Business Connectivity Services can be set using the following values: Edit, Execute, Selectable in clients, and SetPermissions. This section describes the types of objects in Business Connectivity Services on which permissions can be directly set and, for each object, describes how to assign permissions depending on the actions you want to permit.
In the drawing above, each object on which permissions can be set and optionally propagated to all objects below it is drawn with a solid line. (If the permissions can be set using the Business Data Connectivity service administration pages, the item is shown with a “ui” symbol.) Each object that only takes its permissions from its parent object is drawn with a dotted line. For example, the illustration shows that an External system (LobSystem) can be secured by assigning permissions directly to it, but an Action cannot be assigned permissions directly but takes its permissions from its parent External content type (Entity).
Note that when the permissions on an object in a metadata store are propagated, permission settings to all descendants of that item are replaced by the permissions of the propagating object. For example, if permissions are propagated from an External Content Type, all Methods and Method Instances of that External Content Type receive the new permissions.
Some objects can be assigned permissions by users with administrative permissions using the Business Data Connectivity service user interface. In the drawing above, those objects are displayed with a “UI” label.
Metadata store
The metadata store is the collection of XML files in the Business Data Connectivity service that contain definitions of models, external content types, and external systems.
| To allow a user or group to … | Give them the following permissions … | On … |
|---|---|---|
| Set permissions on any object contained in the metadata store by propagating them from the metadata store. | SetPermissions | The metadata store |
Model
A model is an XML file that contains sets of descriptions of one or more external content types, their related external systems, and information that is specific to the environment, such as authentication properties.
| To allow a user or group to … | Give them the following permissions … | On … |
|---|---|---|
| Create new models | Edit | The metadata store |
| Edit a model | Edit | The model |
| Set permissions on a model | SetPermissions | The model |
| Import a model | Edit | The metadata store |
| Export a model | Edit | The model and all external systems in the model |
External system
An external system is the metadata definition of a supported source of data that can be modeled, such as a database, Web service, or .NET connectivity assembly.
| To allow a user or group to … | Give them the following permissions … | On … |
|---|---|---|
| Create new external systems | Edit | The metadata store |
| Edit an external system | Edit | The external system |
| Use the external system in SharePoint Designer 2010 | Edit | The external system |
| Set permissions on the external system | SetPermissions | The external system |
External content type
An external content type is a reusable collection of metadata that defines a set of data from one or more external systems, the operations available on that data, and connectivity information related to that data.
| To allow a user or group to … | Give them the following permissions … | On … |
|---|---|---|
| Create new external content types | Edit | The external system |
| Execute operations on an external content type | Execute | The method instances of the operation |
| Create lists of the external content type | Selectable in clients | The external content type |
| Set permissions on the external content type | SetPermissions | The external content type |
Method
A method is an operation related to an external content type such as Read or Update.
| To allow a user or group to … | Give them the following permissions … | On … |
|---|---|---|
| Edit a method | Edit | The method |
| Set permissions on a method | SetPermissions | The method |
Method instance
A method instance describes how to use a particular method with a specific set of default values.
| To allow a user or group to … | Give them the following permissions … | On … |
|---|---|---|
| Edit a method instance | Edit | The method instance |
| Execute a method instance | Execute | The method instance |
| Set permissions on a method instance | SetPermissions | The method instance |
Example Scenario
In this scenario, a small departmental Web server hosts both SharePoint Server 2010 and a SQL Server database containing external data that will be integrated into a composite solution. For example, a small organization could use Business Connectivity Services to interact with customer contact information that is stored in a SQL Server database by creating a composite solution that exposes the data both in a SharePoint site using external lists and Web parts and from Microsoft Outlook 2010. Some users of the solution will have authorization to add new contacts or modify existing ones; other users will have read-only privileges.
The following permissions are typical for this scenario:
| Role | Is given permissions … | By … |
|---|---|---|
| SharePoint Server Administrator | Full permissions to the metadata store. | SharePoint Server Administrator |
| Business Data Connectivity Service administrator | SetPermissions permission on the metadata store. | SharePoint Server Administrator or other shared service administrators |
| Solution designer | Edit, Execute, and Selectable in clients permissions on the metadata store. | Business Data Connectivity Service administrators |
| Solution user | Execute permission on create, read, update, and delete operation method instances. | Business Data Connectivity Service administrators |
| Solution viewer | Execute permission on read operation method instances. | Business Data Connectivity Service administrators |
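The scenario table above, applied with the SharePoint 2010 Management Shell, as an added example that is not part of the original post. It also shows the propagation caveat from the "What can permissions be assigned to?" section: the store-level ACL is pushed to children first, because propagation replaces every descendant's ACL. The site URL, the external content type name and namespace, and the group names are placeholders; the cmdlets used (Get-SPServiceContext, Get-SPBusinessDataCatalogMetadataObject, Grant-SPBusinessDataCatalogMetadataObject, Copy-SPBusinessDataCatalogAclToChildren, New-SPClaimsPrincipal) are the SharePoint 2010 ones, and walking the Methods and MethodInstances collections of the returned Entity object is an assumption drawn from the BDC administration object model.

```powershell
# Added example, not from the original post. Applies the scenario table with the
# SharePoint 2010 Management Shell. All URLs, names and accounts are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = "http://sharepoint.contoso.local"          # placeholder site in the farm
$ectName = "Customer"                                 # placeholder external content type
$ectNs   = "http://sharepoint.contoso.local/crm"      # placeholder ECT namespace

# The BDC cmdlets take principals as claims; these wrap Windows groups.
function New-BdcPrincipal([string]$account) {
    New-SPClaimsPrincipal -Identity $account -IdentityType WindowsSamAccountName
}
$bdcAdmins = New-BdcPrincipal "CONTOSO\BdcAdmins"          # placeholder groups
$designers = New-BdcPrincipal "CONTOSO\SolutionDesigners"
$users     = New-BdcPrincipal "CONTOSO\SolutionUsers"
$viewers   = New-BdcPrincipal "CONTOSO\SolutionViewers"

# Grants one right per call so each line maps directly onto a row of the tables above.
function Grant-BdcRights($object, $principal, [string[]]$rights) {
    foreach ($right in $rights) {
        Grant-SPBusinessDataCatalogMetadataObject -Identity $object -Principal $principal -Right $right
    }
}

$ctx = Get-SPServiceContext -Site $siteUrl

# 1. Metadata store (BdcObjectType Catalog): BDC service administrators get
#    SetPermissions; solution designers get Edit, Execute and Selectable in clients.
$store = Get-SPBusinessDataCatalogMetadataObject -BdcObjectType Catalog -ServiceContext $ctx
Grant-BdcRights $store $bdcAdmins "SetPermissions"
Grant-BdcRights $store $designers "Edit", "Execute", "SelectableInClients"

# 2. Propagate the store ACL downward. As the post notes, this REPLACES the ACL on
#    every descendant, so it must run before the narrower grants in step 3;
#    running it afterwards would wipe them out.
Copy-SPBusinessDataCatalogAclToChildren -MetadataObject $store

# 3. Method instances of the external content type: solution users get Execute on
#    create/read/update/delete, solution viewers only on the read operations.
$ect = Get-SPBusinessDataCatalogMetadataObject -BdcObjectType Entity `
           -Name $ectName -Namespace $ectNs -ServiceContext $ctx

$readTypes = "Finder", "SpecificFinder"                 # read operations
$crudTypes = $readTypes + "Creator", "Updater", "Deleter"

# Assumption: the Entity object exposes Methods, each with MethodInstances whose
# MethodInstanceType names the operation (Finder, SpecificFinder, Creator, ...).
foreach ($method in $ect.Methods) {
    foreach ($mi in $method.MethodInstances) {
        $type = $mi.MethodInstanceType.ToString()
        if ($crudTypes -contains $type) { Grant-BdcRights $mi $users   "Execute" }
        if ($readTypes -contains $type) { Grant-BdcRights $mi $viewers "Execute" }
    }
}

# Review what was touched: every method instance of the ECT and its operation type.
$ect.Methods | ForEach-Object { $_.MethodInstances } |
    Format-Table Name, MethodInstanceType -AutoSize
```

The account running the script needs SetPermissions on the objects it changes, which is why the scenario gives that right to the BDC service administrator on the metadata store. Because step 2 copies the store ACL to every child, the designers' Execute right already reaches the method instances; the grants in step 3 are additive and only widen access for the user and viewer groups.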
For more information on setting Business Connectivity Services permissions, along with other security-related topics, see my TechNet topic Business Connectivity Services security overview (SharePoint Server 2010).
-Rob Silver, SharePoint IT Pro Content Team
This post was updated 3/16/2010
Comments
- Anonymous
March 10, 2010
Do I understand this correctly: You must "Set object level permissions" in Central Administration before an external content type created in SharePoint Designer is usable in any context. If that is incorrect, I seem to be unable to get default permissions from the metastore on any new types. Thanks!
- Anonymous
March 11, 2010
Hey Doug, You can set permissions in Central Admin or by using PowerShell cmdlets. Permissions should be set on the External Content Type (and its Method/Instances) before use, yes. When creating the External Content Type in SPD permissions are inherited.