Plan Visio Services security in SharePoint Server 2013
Published: July 16, 2012
Summary: Security is an important consideration for determining who can gain access to data-connected diagrams rendered in Visio Services.
Applies to: SharePoint Server 2013
In addition to the security requirements to deploy SharePoint Server 2013, you should also review security considerations for a deployment that includes Visio Services in SharePoint Server 2013. Visio Services enables you to render Visio diagrams. These diagrams can be connected to external data, and diagram elements can be updated based on that data. Security is an important component for enabling these data-rendering scenarios. Visio Services gives you fine-grained control over how Visio diagrams are processed and displayed and over which data sources they can connect to.
Store diagrams in SharePoint document libraries
Visio diagrams must be stored in SharePoint document libraries to be opened by Visio Services. SharePoint Server 2013 maintains an access control list (ACL) for the files that are contained in the document library. By setting the library permissions correctly, you can limit access to a particular diagram. For information about how to work with document library permissions, see Plan site permissions in SharePoint 2013.
Visio diagrams that are connected to data
The Visio Graphics Service can connect to data sources. These include SharePoint lists (including external lists), Excel workbooks hosted on the farm, databases such as SQL Server, and custom data sources. You can control access to specific data sources by explicitly defining the data providers that are trusted and configuring them in the list of trusted data providers.
Visio Services accesses external data sources by using a delegated Windows identity. Consequently, external data sources must reside within the same domain as the SharePoint Server 2013 farm or Visio Services must be configured to use the Secure Store Service. If Secure Store is not used and external data sources do not reside within the same domain, authentication to the external data sources will fail. For more information, see Planning considerations for services that access external data sources in "Services Architecture Planning."
When Visio Services loads a data-connected diagram, the service checks the connection information that is stored in the diagram to determine whether the specified data provider is a trusted data provider. If the provider is on the Visio Services trusted data provider list, a connection is attempted; otherwise, the connection request is ignored.
Visio Services has an extensive list of preconfigured trusted data providers. For more information, see Configure Visio Graphics Service trusted data providers in SharePoint Server 2013.
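The trust check described above can be audited from the SharePoint 2013 Management Shell. The following script is an added example and is not part of the original article or of the product: it dumps the trusted data provider list of the Visio Graphics Service application and then checks whether the provider named in a diagram's connection string is on that list. The connection string is constructed for the example, the script assumes a single Visio Graphics Service application in the farm, and the DataProviderId, DataProviderType and Description property names are assumed to match the cmdlet's parameter names.

```powershell
# Added example: audit the Visio Graphics Service trusted data provider list and
# check whether a diagram's data provider would pass the trust check.
# Run from the SharePoint 2013 Management Shell on a farm server.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumption: the farm has exactly one Visio Graphics Service application.
$vgs = Get-SPVisioServiceApplication | Select-Object -First 1
if (-not $vgs) { throw "No Visio Graphics Service application found in this farm." }

# Review the current allow list: every entry here is a provider that Visio
# Services will try to connect with, so it should be the minimum the farm needs.
$trustedProviders = Get-SPVisioSafeDataProvider -VisioServiceApplication $vgs
$trustedProviders |
    Sort-Object DataProviderType, DataProviderId |
    Format-Table DataProviderId, DataProviderType, Description -AutoSize

# Constructed sample: an OLEDB connection string as it would be stored in a
# data-connected diagram.
$connectionString = 'Provider=SQLOLEDB.1;Integrated Security=SSPI;Data Source=sqlhost;Initial Catalog=Inventory'

# The provider ID is the value of the Provider= token; Visio Services compares
# that value against the trusted list before it attempts the connection.
$providerId = $null
if ($connectionString -match '(?:^|;)\s*Provider\s*=\s*([^;]+)') {
    $providerId = $Matches[1].Trim()
}
if (-not $providerId) { throw "Connection string does not name a data provider." }

$match = $trustedProviders | Where-Object { $_.DataProviderId -eq $providerId }

if ($match) {
    Write-Output "Provider '$providerId' is trusted (type $($match.DataProviderType)); the connection will be attempted."
} else {
    Write-Output "Provider '$providerId' is not trusted; Visio Services will ignore this connection request."
}
```

Reviewing the dumped list against the data sources that diagrams in the farm actually use is the practical control here: a provider that is trusted but unused is an unnecessary connection path and can be removed with Remove-SPVisioSafeDataProvider.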
Once an administrator has configured Visio Services to enable connections to a particular data source, additional security configuration is required, depending on the kind of data source. The following data sources are supported by Visio Services:
Excel workbooks stored on SharePoint Server with Excel Services enabled
SharePoint lists, including external lists enabled through Microsoft Business Connectivity Services
Databases such as SQL Server databases
Custom Data Providers
Visio diagrams that are connected to SharePoint lists
Visio diagrams can be connected to SharePoint lists on the same farm that the diagram is hosted on. The user viewing the diagram must have access to both the diagram and the SharePoint list that the diagram is connected to. These permissions and credentials are managed by SharePoint Server 2013.
Visio diagrams can also be connected to external lists by using Microsoft Business Connectivity Services. External lists exposed through a Microsoft Business Connectivity Services External Content Type can be connected to a Visio diagram in Visio, and the data can be refreshed through Visio Services. In order for a user to access data in an external list, the user must have permissions to access both the External Content Type and the external data source.
Visio diagrams that are connected to Excel Services
Visio diagrams can be connected to Excel workbooks hosted on the same farm as the diagram with Excel Services running and configured correctly. To view the diagram, the user must have access to both the diagram and the Excel workbook that the diagram is connected to. These permissions and credentials are managed by SharePoint Server 2013.
Excel workbooks can be connected to external data sources. For more information, see Data authentication for Excel Services in SharePoint Server 2013.
Visio diagrams that are connected to SQL Server databases
When a Visio diagram is connected to a SQL Server database, Visio Services uses additional security configuration options to establish a connection between the Visio Graphics Service and the database.
The authentication methods supported by Visio Services are as follows:
Integrated Windows authentication: In this security model the Visio Graphics Service uses the diagram viewer's identity to authenticate with the database. Of the authentication methods in this list, Integrated Windows authentication with constrained Kerberos delegation provides the greatest security benefit. This configuration requires constrained Kerberos delegation to be enabled between the application server that is running the Visio Graphics Service and the database server. The database itself might require additional configuration to enable Kerberos-based authentication.
Secure Store Service: In this security model the Visio Graphics Service uses the Secure Store Service to map the user’s credentials to a different credential that has access to the database. Secure Store supports individual and group mappings for both Integrated Windows authentication and other forms of authentication such as SQL Server Authentication. This gives administrators more flexibility in defining one-to-one, many-to-one, or many-to-many relationships. For more information, see Use Visio Services with Secure Store Service in SharePoint 2013.
Unattended Service Account: For ease of configuration the Visio Graphics Service provides a special configuration where an administrator can create a unique mapping associating all users to a single account by using a Secure Store target application. This mapped account, known as the unattended service account, must be a low-privilege Windows domain account that is given access to databases. The Visio Graphics Service impersonates this account when it connects to the database if no other authentication method is specified. Note that this approach does not enable personalized queries against a database and does not provide auditing of database calls. This authentication method is the default authentication method that is used when you connect to SQL Server databases: if no ODC file is used in the Visio diagram that specifies a different authentication method, then Visio Services uses the credentials specified by the unattended account to connect to the SQL Server database. For information about how to use Visio Services with the unattended service account, see Use Visio Services with Secure Store Service in SharePoint 2013.
In a larger server farm it is likely that Visio diagrams will use a mix of the authentication methods described here. Be aware of the following:
Visio Services supports usage of both Secure Store and the unattended service account in the same farm. In diagrams that are connected to SQL Server data but do not use ODC files, the unattended account is required and always used.
If Integrated Windows authentication is selected, and authentication to the data source fails, Visio Services will not attempt to render the diagram using the unattended service account.
Integrated Windows authentication can be used together with Secure Store by configuring diagrams to use a Secure Store target application for those diagrams that require specific credentials.
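Because the unattended service account is the default for every SQL Server connection that does not carry an ODC file, the Secure Store target application it points to deserves explicit verification. The following script is an added example and is not part of the original article or of the product: it confirms that the target application exists, records the current unattended account mapping of the Visio Graphics Service, applies the mapping, and reads it back. The target application ID "VisioUnattendedSvc" and the site URL used as the Secure Store service context are assumptions, the script assumes a single Visio Graphics Service application, and the UnattendedServiceAccountApplicationID property on the object returned by Get-SPVisioExternalData is assumed to match the Set-SPVisioExternalData parameter name. The target application itself, holding the credentials of the low-privilege domain account, must already have been created in Secure Store.

```powershell
# Added example: map the Visio Graphics Service unattended service account to a
# Secure Store target application and verify the result.
# Run from the SharePoint 2013 Management Shell on a farm server.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$targetAppId    = 'VisioUnattendedSvc'               # assumption: existing Secure Store target application ID
$serviceContext = 'http://sharepoint.contoso.local'  # assumption: a site URL in the farm, used as the service context

# Fail early if the target application has not been created in Secure Store;
# otherwise Visio Services would be pointed at a mapping that cannot resolve.
$targetApp = Get-SPSecureStoreApplication -ServiceContext $serviceContext -Name $targetAppId -ErrorAction Stop
if (-not $targetApp) { throw "Secure Store target application '$targetAppId' was not found." }

# Assumption: the farm has exactly one Visio Graphics Service application.
$vgs = Get-SPVisioServiceApplication | Select-Object -First 1
if (-not $vgs) { throw "No Visio Graphics Service application found in this farm." }

# Record the current mapping so the change can be reverted if needed.
$before = Get-SPVisioExternalData -VisioServiceApplication $vgs
Write-Output "Current unattended service account target application: '$($before.UnattendedServiceAccountApplicationID)'"

# Apply the mapping: diagrams without an ODC file will connect to SQL Server
# as the account whose credentials are stored in the target application.
Set-SPVisioExternalData -VisioServiceApplication $vgs -UnattendedServiceAccountApplicationID $targetAppId

# Read the setting back rather than trusting that the call succeeded.
$after = Get-SPVisioExternalData -VisioServiceApplication $vgs
if ($after.UnattendedServiceAccountApplicationID -ne $targetAppId) {
    throw "Unattended service account mapping was not applied."
}
Write-Output "Unattended service account now maps to Secure Store target application '$targetAppId'."
```

Since every connection made through this mapping appears at the database as the same account, with no per-user auditing as the article notes, the verification step is worth repeating whenever the target application is changed, and the account's database permissions should be reviewed with the same care as the mapping itself.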