Manage user access to BDC models (Duet Enterprise)

 

Applies to: Duet Enterprise for Microsoft SharePoint and SAP

The BDC models provided with Duet Enterprise for Microsoft SharePoint and SAP make it easier to access information that is stored in the SAP environment. To enable end users to interact with the SAP information, you must grant them permissions on the models.

In this article:

  • Grant permissions by using Central Administration

  • Grant permissions by using a Command Prompt for all models

  • Grant permissions by using the Command Prompt window for a particular model

  • Remove permissions by using Central Administration

Grant permissions by using Central Administration

Perform this procedure to grant users permissions on the BDC models that you imported. You must grant the Execute permission to users who will access the Duet Enterprise sites, and also grant a system account that will be used to communicate all permissions to the models between the Microsoft SharePoint Server 2010 and SAP environments.

To grant user permissions to the model

  1. Verify that you have the following administrative credentials:

    • You must be a member of the Farm Administrators group.
  2. On the Central Administration Web site, in the Quick Launch, click Central Administration.

  3. In the Application Management section, click Manage service applications.

  4. In the Name column, click the link for the Business Data Connectivity Service Application.

  5. Select the check box next to the models on which you want to grant permissions.

    Tip

    The models that are provided with Duet Enterprise and the solutions that they support are listed in List of models (https://go.microsoft.com/fwlink/p/?LinkId=205308).

  6. In the Permissions group of the ribbon, click Set Object Permissions.

  7. In the To add an account, or group, type or select it below and click ‘Add’ box, type the user accounts for which you want to grant permissions, and then click Add.

    Separate user accounts by semicolons.

    Tip

    If you synchronized roles from the SAP environment to create a 1:1 mapping of SAP users to SharePoint users, you can grant access based on SAP roles. If you do not require strict security, you can also grant access permissions for all models to the Authenticated Users role.

  8. In the middle box, select the user accounts that require full permissions to the model (for example, the user account that you added as the site owner of the workflow site) and then select all the check boxes in the Permissions list. Select any other user accounts that you have added and then select the Execute box.

  9. Click OK.

    For more information, see the "Set permissions on a BDC model" section in Manage BDC models (https://go.microsoft.com/fwlink/p/?LinkID=202033).

Grant permissions by using a Command Prompt for all models

After completing the configuration of the Duet Enterprise server, you should limit access to users who need access to SAP content. You must grant this permission to all users who will access the Workflow, Reporting, and Duet Enterprise sites. Create a group in Active Directory Domain Services (AD DS) to contain all users who will access SAP content and then grant permissions to this group by using the following procedure.

Important

This procedure is supported with BDC models that are provided with Duet Enterprise only. Do not use this procedure to import a custom BDC model. For more information, see Manage BDC models (SharePoint Server 2010) (https://go.microsoft.com/fwlink/p/?LinkId=200925).

To grant permissions for all models

  1. Log on to any front-end Web server or application server in the SharePoint Server farm.

  2. Open a Command Prompt window as a farm administrator and go to <SystemDrive>:\Program Files\Duet Enterprise\1.0.

  3. Type DuetConfig /importbdc "<UnzippedModelFileLocation>\models.xml" /AddUsers "<EndUsers>" /BDCServiceApplication <BDC Service Application Name> and press Enter.

    Where:

    • <UnzippedModelFileLocation> is the location where the decompressed models are stored. For example, d:\UnzippedModelFiles or \\contoso\UnzippedModelFiles.

    • <EndUsers> is a comma-separated list of Windows Active Directory Domain Services (AD DS) users or Windows AD DS groups, in the format domain\username, to which you want to grant execute permissions on the BDC models. This enables the end users who you add to make Business Data Connectivity service calls to SAP NetWeaver. When adding multiple users, you must enclose the comma-separated list in quotes. For example, "contoso\user1,contoso\user2".

      Tip

      All users and groups of users who you want to be able to view or interact with SAP information in SharePoint sites must be granted this permission. You can specify nt authority\authenticated users for this parameter so that all authenticated users have this permission. Later, if you want to improve security, you can replace this Windows group with individual user accounts or a different Windows group.

      Note

      Only Windows users and Windows groups are supported. SharePoint groups are not supported by this parameter. The administrator who will run DuetConfig /checkconfiguration must be included in this list in order to be granted permissions on the SAPRoles and SAPUsers BDC models.


    • <BDC Service Application Name> is the service application name of the Business Data Connectivity service to which you want to install the models. By default, this name is “Business Data Connectivity Service”.

    Note

    You must grant this permission to all users who will access the Workflow, Reporting, and Duet Enterprise sites.

    Import is complete when you see success messages (displayed in the Command Prompt window) for each of the models that you imported and the message [Success] Duet Enterprise configuration utility has successfully imported all the BDC models.

Grant permissions by using the Command Prompt window for a particular model

After completing the configuration of your Duet Enterprise server, you should limit access to only those users who you want to have access to SAP content. You must grant permissions to the BDC models to all users who will access the Workflow, Reporting, and Duet Enterprise sites. You can grant permissions for a single model or a group of models by using the steps in the following procedure. For ease of administration, create a group in AD DS to contain all users who will access SAP content and then grant permissions to this group by using the following procedure.

Important

This procedure is supported with BDC models that are provided with Duet Enterprise only. Do not use this procedure to import a custom BDC model. For more information, see Manage BDC models (SharePoint Server 2010) (https://go.microsoft.com/fwlink/p/?LinkId=200925).

To grant permission to specific models

  1. Log on to any front-end Web server or application server in the SharePoint Server farm.

  2. Open a Command Prompt window as a farm administrator and go to <SystemDrive>:\Program Files\Duet Enterprise\1.0.

  3. At a command prompt, type DuetConfig /importbdc "<UnzippedModelFileLocation>\models.xml" /models <Comma separated list of models> /AddUsers "<EndUsers>" /BDCServiceApplication <BDC Service Application Name> and press Enter.

    Where:

    • <UnzippedModelFileLocation> is the location where the decompressed models are stored. For example, d:\UnzippedModelFiles or \\contoso\UnzippedModelFiles.

    • <Comma separated list of models> is a comma-separated list of the file names of the models on which to assign permissions.

      The models are listed in List of models (https://go.microsoft.com/fwlink/p/?LinkId=205308).

    • <EndUsers> is a comma-separated list of Windows Active Directory Domain Services (AD DS) users or Windows AD DS groups, in the format domain\username, to which you want to grant execute permissions on the BDC models. This enables the end users who you add to make Business Data Connectivity service calls to SAP NetWeaver. When adding multiple users, you must enclose the comma-separated list in quotes. For example, "contoso\user1,contoso\user2".

      Note

      Only Windows users and Windows groups are supported. SharePoint groups are not supported by this parameter.

    • <BDC Service Application Name> is the service application name of the Business Data Connectivity Service to which you want to install the models. By default, this name is “Business Data Connectivity Service”.

    Note

    You must grant this permission to all users who will access the Workflow, Reporting, and Duet Enterprise sites.

    Import is complete when you see success messages (displayed in the Command Prompt window) for each of the models that you imported and the message [Success] Duet Enterprise configuration utility has successfully imported all the BDC models.
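
Both DuetConfig procedures above take the same /AddUsers list. The following PowerShell function is an added example, not part of the original article or of the Duet Enterprise tooling: it checks each entry for domain\name form, refuses nt authority\authenticated users unless explicitly allowed, and returns the command line to run. The function name, its parameters, the quoting of the service application name, and the sample accounts are assumptions.

```powershell
# Added example: validate an <EndUsers> list and build the DuetConfig command line.
# Function name, parameters, and sample values are assumptions for illustration.
function New-DuetAddUsersCommand {
    param(
        [Parameter(Mandatory=$true)] [string[]] $Principals,   # domain\name entries
        [Parameter(Mandatory=$true)] [string]   $ModelsXml,    # path to models.xml
        [string]   $BdcServiceApplication = 'Business Data Connectivity Service',
        [string[]] $Models = @(),                              # empty = all models
        [switch]   $AllowBroadPrincipals
    )
    # Principals that grant Execute to every authenticated account.
    $broad = @('nt authority\authenticated users')
    $clean = @()
    foreach ($p in $Principals) {
        $entry = $p.Trim()
        # /AddUsers accepts only Windows users or groups written as domain\name.
        # Commas and quotes inside an entry would corrupt the quoted list.
        if ($entry -notmatch '^[^\\,"]+\\[^\\,"]+$') {
            throw "Not in domain\name form: '$entry'"
        }
        # -contains compares case-insensitively.
        if (($broad -contains $entry) -and -not $AllowBroadPrincipals) {
            throw "Refusing broad principal '$entry' without -AllowBroadPrincipals"
        }
        if ($clean -notcontains $entry) { $clean += $entry }   # drop duplicates
    }
    $parts = @('DuetConfig', '/importbdc', ('"{0}"' -f $ModelsXml))
    if ($Models.Count -gt 0) { $parts += '/models', ($Models -join ',') }
    $parts += '/AddUsers', ('"{0}"' -f ($clean -join ','))
    # Quoted here because the default service application name contains spaces
    # (an assumption; the article's syntax line shows the name unquoted).
    $parts += '/BDCServiceApplication', ('"{0}"' -f $BdcServiceApplication)
    return ($parts -join ' ')
}

# Constructed sample values (not from a real farm).
New-DuetAddUsersCommand -Principals 'contoso\SAPContentUsers', 'contoso\duetadmin' `
    -ModelsXml 'd:\UnzippedModelFiles\models.xml'
```

Review the returned string, then run it from <SystemDrive>:\Program Files\Duet Enterprise\1.0 as a farm administrator.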

Remove permissions by using Central Administration

Perform this procedure to remove or modify permissions on the BDC models that you imported. If users no longer require permissions for Duet Enterprise, you can either modify their permissions or remove the user accounts from the list of permissions on the BDC models.

To remove user permissions to the model using Central Administration

  1. Verify that you have the following administrative credentials:

    • You must be a member of the Farm Administrators group.
  2. On the Central Administration Web site, in the Quick Launch, click Central Administration.

  3. In the Application Management section, click Manage service applications.

  4. In the Name column, click the link for the Business Data Connectivity Service Application.

  5. Select the check box next to the models on which you want to remove permissions.

    Tip

    The models that are provided with Duet Enterprise and the solutions that they support are listed in List of models (https://go.microsoft.com/fwlink/p/?LinkId=205308).

  6. In the Permissions group of the ribbon, click Set Object Permissions.

  7. In the To remove an account, or group, select it above and click ‘Remove’ box, select the user accounts for which you want to remove all permissions, and then click Remove.

  8. You can also modify permissions for existing users. In the middle box, select the user accounts that require modified permissions to the model and then clear the selection for the check boxes in the Permissions list that correspond to the permissions you want to remove.

  9. Click OK.

    For more information, see the "Set permissions on a BDC model" section in Manage BDC models (https://go.microsoft.com/fwlink/p/?LinkID=202033).

See Also

Other Resources

Manage BDC models (https://go.microsoft.com/fwlink/p/?LinkID=202033)