
Business Connectivity Services security operations (SharePoint Foundation 2010)

SharePoint 2010

Published: September 9, 2010

This article describes security-related administrative tasks for your Business Data Connectivity service application.

In this article:

  • Assign administrators to a Business Data Connectivity service application

  • Set permissions on a metadata store

  • RevertToSelf authentication mode

  • Workflows and external lists

Assign administrators to a Business Data Connectivity service application

Farm administrators can delegate administration of a specific Business Data Connectivity service application to a service application administrator. The delegated administrator is given access to the Central Administration Web site and can perform administrative tasks that are related to that Business Data Connectivity service application.

Tip:

The delegated administrator is not given permissions to the metadata store.

To assign administrators to a Business Data Connectivity service application

  1. Verify that you have the following administrative credentials:

    • You must be a farm administrator.

  2. On the Central Administration Web site, in the Application Management section, click Manage service applications.

  3. In the list of service applications, click the row that contains the Business Data Connectivity service application.

    Note:

    Do not select the row by clicking in the Name column. Clicking the name of the Business Data Connectivity service opens the Business Data Connectivity service management pages.

  4. In the Operations group of the ribbon, click Administrators.

  5. In the text box, type or select a user account or a group account, and then click Add.

  6. In the Permissions box, click Full Control, and then click OK.

Set permissions on a metadata store

Each Business Data Connectivity service application has a metadata store that includes all the models, external systems, external content types, methods, and method instances that have been defined for that store’s purpose. You set permissions on a metadata store to specify who can edit items in the metadata store and who can set permissions on the metadata store.

We recommend that you give specific permissions to each user or group that needs it, in such a way that the credentials provide the least privilege that is necessary to perform the needed tasks. For more information about setting permissions, see Business Connectivity Service permissions overview in "Business Connectivity Services security overview (SharePoint Foundation 2010)".

To set permissions on a metadata store

  1. Verify that you have one of the following administrative credentials:

    • You must be a farm administrator.

    • You must be the Business Data Connectivity service application administrator and have Set Permissions permission to the metadata store.

  2. On the Central Administration Web site, in the Application Management section, click Manage service applications.

  3. Click in the Name column of the row that corresponds to the Business Data Connectivity service application.

  4. In the Permissions group of the ribbon, click Set Metadata Store Permissions.

  5. In the text box, type the user accounts, groups, or claims for which permissions will be granted, and then click Add.

    Note:

    The user account, group, or claim cannot have a vertical bar (|) in its name.

  6. Set the permissions for the account, group, or claim:

    Note:

    At least one user, group, or claim in the metadata object's access control list must have the Set Permissions permission.

    • Click Edit to allow the user, group, or claim to create external systems, to create models, to import models, and to export models.

      Security Note:

      The Edit permission should be considered highly privileged. With the Edit permission, a malicious user can steal credentials or corrupt a server farm. To help ensure a secure solution, we recommend that you use a test environment where the Edit permission can be assigned freely to developers and solution designers. When you deploy the tested solution to a production environment, remove the Edit permissions.

    • Click Execute to allow the user, group, or claim to execute operations (create, read, update, delete, or query) on external content types.

      Tip:

      The Execute permission is not applicable to the metadata store itself. This setting is used when you want to propagate the Execute permission to child objects in the metadata store.

    • Click Selectable In Clients to allow the user, group, or claim to create external lists of any external content types and to view the external content types in the external item picker.

      Tip:

      The Selectable In Clients permission is not applicable to the metadata store itself. This setting is used when you want to propagate the Selectable In Clients permission to child objects in the metadata store.

    • Click Set Permissions to allow the user, group, or claim to set permissions on the metadata store.

      Security Note:

      The Set Permissions permission should be considered highly privileged. With the Set Permissions permission, a user can grant Edit permission to the metadata store.

  7. To propagate permissions to all items in the metadata store, click Propagate permissions to all BDC Models, External Systems and External Content Types in the BDC Metadata Store. Doing so will overwrite existing permissions.

RevertToSelf authentication mode

Each external content type has an associated authentication mode. The authentication mode gives Business Connectivity Services information about how to process an incoming authentication request from a user and maps that request to a set of credentials that can be passed to the external system. By default, the RevertToSelf authentication mode (also called BDC Identity authentication mode) is not enabled. You cannot create or import models that use RevertToSelf when RevertToSelf authentication mode is not enabled.

RevertToSelf authentication mode uses the application pool account under which Business Connectivity Services runs to authenticate the logged-on user to the external system. For example, when a user opens an external list, the application pool account of the front-end Web server where the external list resides is used for authentication. The application pool account is a highly privileged account. By default, the application pool account has write permission to the farm configuration database. By using RevertToSelf mode, anyone who can create or edit a model that uses RevertToSelf mode has the power to make themselves an administrator of the SharePoint farm.

RevertToSelf authentication mode is not recommended for production environments. We recommend that you develop a custom, single sign-on provider.

If you must use RevertToSelf authentication mode in a production environment, consider the following:

  • Any users who can create or edit models, including SharePoint Designer users, should be considered equal to a farm administrator from a security perspective. You must be able to trust them as you would a farm administrator.

  • You must lock down the use of the application pool account as much as possible. Doing so can help to limit the damage a malicious user can do to the SharePoint farm and external systems.

Enable RevertToSelf authentication mode

After you enable RevertToSelf authentication mode, new models that use RevertToSelf can be created and imported.

Security Note:

We do not recommend RevertToSelf authentication mode for production environments. Before enabling RevertToSelf authentication mode, make sure that you have read and understood the implications of enabling RevertToSelf authentication mode.

Note:

RevertToSelf is not allowed in hosted environments.

To enable RevertToSelf authentication mode

  1. Verify that you meet the following minimum requirements: See Add-SPShellAdmin.

  2. On the Start menu, click All Programs.

  3. Click Microsoft SharePoint 2010 Products.

  4. Click SharePoint 2010 Management Shell.

  5. At the Windows PowerShell command prompt, type the following commands:

    1. To create a variable that contains the Business Data Connectivity service application object, type the following command:

      $bdc = Get-SPServiceApplication | where {$_ -match "<ServiceName>"}
      

      Where <ServiceName> is the name of the Business Data Connectivity service application. This can also be a regular expression (for example, "BDC").

      Note:

      If the Business Data Connectivity service application is a shared service application, this command must be run on the farm where the service application is published.

    2. To enable RevertToSelf authentication mode, type the following command:

      $bdc.RevertToSelfAllowed = $true
      

Disable RevertToSelf authentication mode

When RevertToSelf is disabled, new models that use RevertToSelf cannot be created or imported.

Note:

If you have existing models that use RevertToSelf, they will continue to work. You must delete the existing models if you want to remove all instances of RevertToSelf authentication from your farm.

To disable RevertToSelf authentication mode

  1. Verify that you meet the following minimum requirements: See Add-SPShellAdmin.

  2. On the Start menu, click All Programs.

  3. Click Microsoft SharePoint 2010 Products.

  4. Click SharePoint 2010 Management Shell.

  5. At the Windows PowerShell command prompt, type the following commands:

    1. To create a variable that contains the Business Data Connectivity service application, type the following command:

      $bdc = Get-SPServiceApplication | where {$_ -match "<ServiceName>"}
      

      Where <ServiceName> is the name of the Business Data Connectivity service application. This can also be a regular expression (for example, "BDC").

      Note:

      If the Business Data Connectivity service application is a shared service application, this command must be run on the farm where the service application is published.

    2. To disable RevertToSelf authentication mode, type the following command:

      $bdc.RevertToSelfAllowed = $false
      
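The enable and disable procedures above, as one added PowerShell example that is not part of the article: it selects the Business Data Connectivity service application by type rather than by a loose name regex, toggles RevertToSelfAllowed, and then exports the models to find those that still use RevertToSelf (which, as the note says, keep working after the setting is disabled). The TypeName filter, the -Name-less Get-SPBusinessDataCatalogMetadataObject call, the form of the exported model XML, and the service application name and site URL at the bottom are assumptions.

```powershell
# Added example, not from the article. Run in the SharePoint 2010 Management Shell
# with Shell Admin rights (see Add-SPShellAdmin). Assumptions: the TypeName filter,
# the model XML form searched for, and the constructed names used at the bottom.

function Get-BdcServiceApplication {
    param([string]$Name)
    # Select by service application type rather than a loose regex such as "BDC",
    # so a similarly named service application cannot be picked up by mistake.
    $apps = Get-SPServiceApplication |
        Where-Object { $_.TypeName -like "Business Data Connectivity*" }
    if ($Name) { $apps = $apps | Where-Object { $_.Name -eq $Name } }
    if (-not $apps) { throw "No Business Data Connectivity service application found." }
    return $apps
}

function Set-BdcRevertToSelf {
    param([Parameter(Mandatory=$true)][string]$Name, [bool]$Allowed = $false)
    $bdc = Get-BdcServiceApplication -Name $Name
    $bdc.RevertToSelfAllowed = $Allowed    # the property the procedure above sets
    Write-Output ("{0}: RevertToSelfAllowed = {1}" -f $bdc.Name, $bdc.RevertToSelfAllowed)
}

function Find-RevertToSelfModels {
    # Disabling the setting leaves existing RevertToSelf models working (note above).
    # Export each model to XML and look for the RevertToSelf authentication mode
    # property so the remaining models can be reviewed or deleted.
    param([Parameter(Mandatory=$true)][string]$ServiceContext)
    $dir = Join-Path $env:TEMP "bdc-audit"
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    $models = Get-SPBusinessDataCatalogMetadataObject -BdcObjectType Model -ServiceContext $ServiceContext
    foreach ($model in $models) {
        $file = Join-Path $dir ("{0}.xml" -f $model.Name)
        Export-SPBusinessDataCatalogModel -Identity $model -Path $file -Force
        # Assumes the exported XML carries <Property Name="AuthenticationMode" ...>RevertToSelf</Property> on one line.
        if (Select-String -Path $file -Pattern 'Name="AuthenticationMode"[^>]*>\s*RevertToSelf\s*<' -Quiet) {
            Write-Output ("Model '{0}' still uses RevertToSelf" -f $model.Name)
        }
    }
}

# Constructed usage: report every BDC service application, disable RevertToSelf on one,
# then list the models that still rely on it. The URL is a site that consumes the service.
Get-BdcServiceApplication | ForEach-Object {
    Write-Output ("{0}: RevertToSelfAllowed = {1}" -f $_.Name, $_.RevertToSelfAllowed)
}
Set-BdcRevertToSelf -Name "Business Data Connectivity Service" -Allowed $false
Find-RevertToSelfModels -ServiceContext "http://intranet.contoso.com"
```

Models reported by Find-RevertToSelfModels have to be deleted or re-imported with a different authentication mode before RevertToSelf is really gone from the farm.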

Workflows and external lists

Additional configuration is required when you want to develop workflows that interact with external lists. The following sections describe requirements that can affect workflow behavior.

Note:

Workflows cannot interact with external lists in a hosted environment.

Workflows cannot be associated directly with an external list

Because the external data is not stored in SharePoint Foundation, the workflow cannot be notified when an item in the external list changes. Instead, you can create a site workflow or a list workflow, and then have the workflow read or update an external list. You can also use an external list item as a destination for a task process in SharePoint Designer; however, the link to the task will not display a title for the external list item.

Workflows sometimes run as the service account

Workflows run as the service account (typically, the application pool account) in the following scenarios:

  • Visual Studio workflows.

  • Declarative workflows that interact with external lists and are started automatically. This is true even when you use an impersonation step in your workflow.

In this case, you must give the service account Execute permission to the external content type that the external list is associated with and verify that the service account has the necessary permissions to access the external system.
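The Execute grant for the workflow service account described here, together with the metadata store permissions from "Set permissions on a metadata store", as one added PowerShell example that is not part of the article. It uses the SharePoint 2010 BDC cmdlets (Get-/Grant-/Revoke-SPBusinessDataCatalogMetadataObject and Copy-SPBusinessDataCatalogAclToChildren); the site URL, account names, model and external content type names are constructed placeholders, and the -Namespace parameter usage is an assumption.

```powershell
# Added example, not from the article. Run in the SharePoint 2010 Management Shell
# with Shell Admin rights. All names below are constructed placeholders.
$ServiceContext = "http://intranet.contoso.com"   # a site that consumes the BDC service
$DeveloperGroup = "CONTOSO\BdcDevelopers"
$BdcAdmin       = "CONTOSO\bdc-admin"              # keeps SetPermissions so the ACL stays manageable
$ServiceAccount = "CONTOSO\svc-wfe-apppool"        # account the workflow runs as

function Get-BdcCatalog {
    Get-SPBusinessDataCatalogMetadataObject -BdcObjectType Catalog -ServiceContext $ServiceContext
}

function Set-BdcTestEnvironmentPermissions {
    # Test environment (Security Note on Edit): developers may edit and import models.
    # At least one principal must keep SetPermissions, so the administrator is granted first.
    $catalog = Get-BdcCatalog
    Grant-SPBusinessDataCatalogMetadataObject -Identity $catalog -Principal $BdcAdmin `
        -Right "Edit,Execute,SelectableInClients,SetPermissions"
    Grant-SPBusinessDataCatalogMetadataObject -Identity $catalog -Principal $DeveloperGroup `
        -Right "Edit,Execute,SelectableInClients"
    # Same effect as step 7 above: overwrites the ACL of every child object.
    Copy-SPBusinessDataCatalogAclToChildren -MetadataObject $catalog
}

function Set-BdcProductionPermissions {
    # Production: developers lose Edit, and the workflow service account gets Execute
    # only on the external content type that its external list uses.
    param([Parameter(Mandatory=$true)][string]$EntityName,
          [Parameter(Mandatory=$true)][string]$EntityNamespace)
    $catalog = Get-BdcCatalog
    Revoke-SPBusinessDataCatalogMetadataObject -Identity $catalog -Principal $DeveloperGroup -Right "Edit"
    Copy-SPBusinessDataCatalogAclToChildren -MetadataObject $catalog
    # Grant the per-object right after propagation, since propagation overwrites child ACLs.
    $ect = Get-SPBusinessDataCatalogMetadataObject -BdcObjectType Entity -ServiceContext $ServiceContext `
        -Name $EntityName -Namespace $EntityNamespace
    Grant-SPBusinessDataCatalogMetadataObject -Identity $ect -Principal $ServiceAccount -Right "Execute"
}

# Constructed usage: lock down a production store for an external list bound to the
# "Customer" external content type in the "ContosoCrm" namespace.
Set-BdcProductionPermissions -EntityName "Customer" -EntityNamespace "ContosoCrm"
```

The service account still needs access to the external system itself (for example a database login); the BDC Execute right only controls what the metadata store allows.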

Workflows and authentication

To support workflow activities, the external content type that the external list is associated with must use RevertToSelf or Secure Store Service for authentication.

Note:

These authentication mode restrictions do not apply if you are using a .NET Assembly connector or a custom connector.

  • Authenticate by using RevertToSelf

    RevertToSelf authentication mode (also known as BDC identity authentication mode) authenticates to the external system by using the application pool account of the front-end Web server where the external list resides. This means that the application pool account must have permission to access the external system. By default, RevertToSelf authentication is not enabled. You must enable RevertToSelf authentication mode before you can create or import models that use RevertToSelf authentication.

    Security Note:

    RevertToSelf authentication is not recommended for production environments.

    For more information about RevertToSelf authentication, see RevertToSelf authentication mode.

  • Authenticate by using a custom secure store provider

For more information about authentication modes, see Business Connectivity Services authentication overview in "Business Connectivity Services security overview (SharePoint Foundation 2010)."
