Plan Visio Services security (SharePoint Server 2010)

Updated: 2009-11-12

[This article is pre-release documentation and is subject to change in future releases.]

In addition to the security requirements for deploying Microsoft SharePoint Server 2010, you should also review the security considerations for a deployment that includes Visio Services in Microsoft SharePoint Server 2010. Visio Services renders published Visio Web Drawings. These drawings can be connected to external data, and drawing elements can be updated based on that data. Security is an important component of enabling these data-rendering scenarios. The Visio Graphics Service gives you fine-grained control over how Visio Web Drawings are processed and displayed and over which data sources they are allowed to connect to.

Web drawings that are not connected to data

Published Visio Drawings (.VDW files) must be stored in SharePoint document libraries to be opened by Visio Services. SharePoint Server 2010 maintains an access control list (ACL) for the files that are contained in the document library. By setting the library permissions correctly, you can limit access to a particular drawing.

Visio Web drawings that are connected to data

The Visio Graphics Service can connect to data sources, including SharePoint lists, Excel workbooks hosted on the farm, databases such as Microsoft SQL Server, and custom data sources. You can control access to specific data sources by explicitly defining the data providers that are trusted and configuring them in the list of trusted data providers.

When Visio Services loads a data-connected diagram, the service checks the connection information that is stored in the diagram to determine whether the specified data provider is on the list of trusted data providers. If the provider is a member of the list, a connection is attempted; otherwise, the connection request is ignored.

After an administrator has configured Visio Services to allow connections to a particular data source, additional security configuration is required, depending on the kind of data source. The following data sources are supported by Visio Services:

  • Excel workbooks stored on SharePoint Server with Excel Services

  • SharePoint lists

  • Databases such as SQL Server databases

  • Custom Data Providers
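The trusted data provider check described above is administered with the Visio Services cmdlets in the SharePoint 2010 Management Shell. The following script is an added example, not code from this article: it inventories the current allow-list, retires a provider that no published drawing needs, and adds a single provider. It assumes a service application named "Visio Graphics Service", a placeholder ID for the provider to retire, and that the integer DataProviderType codes in the comments match the cmdlet help on your farm.

```powershell
# Added example (not from the TechNet article): audit and tighten the Visio Graphics
# Service trusted data provider list. Type codes below are an assumption to verify with
# Get-Help New-SPVisioSafeDataProvider -Full on your farm.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$visio = Get-SPVisioServiceApplication -Identity "Visio Graphics Service"

$typeNames = @{ 1 = "OLEDB"; 2 = "SQL"; 3 = "ODBC"; 4 = "Excel Services";
                5 = "SharePoint Lists"; 6 = "Custom" }

# 1. Inventory: every entry here is a provider the service will attempt to connect with,
#    so the list should contain only what published drawings actually use.
Get-SPVisioSafeDataProvider -VisioServiceApplication $visio |
    Sort-Object DataProviderType, DataProviderId |
    Format-Table @{ Label = "Type"; Expression = { $typeNames[[int]$_.DataProviderType] } },
                 DataProviderId, Description -AutoSize

# 2. Retire a provider nobody publishes drawings against (placeholder ID; take the real
#    DataProviderId and DataProviderType from the inventory above).
Remove-SPVisioSafeDataProvider -VisioServiceApplication $visio `
    -DataProviderId "PROVIDER-ID-TO-RETIRE" -DataProviderType 1

# 3. Add only the provider the drawings need: here SQL Server Native Client 10 via OLEDB.
New-SPVisioSafeDataProvider -VisioServiceApplication $visio `
    -DataProviderId "SQLNCLI10" -DataProviderType 1 `
    -Description "SQL Server Native Client 10 (OLEDB) for data-connected Web drawings"
```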

Visio Web drawings that are connected to SharePoint lists

Published Visio Drawings can be connected to SharePoint lists on the same farm that the drawing is hosted on. The user viewing the diagram must have access to both the drawing and the SharePoint list that the drawing is connected to. These permissions and credentials are managed by SharePoint Server 2010.

Visio Web drawings that are connected to Excel Services

Published Visio drawings can be connected to Excel workbooks hosted on the same farm as the diagram with Excel Services running and configured correctly. The user viewing the diagram must have access to both the drawing and the Excel workbook the drawing is connected to. These permissions and credentials are managed by SharePoint Server 2010.

Visio Web drawings that are connected to SQL Server databases

When a published Visio diagram is connected to a database, Visio Services uses additional security configuration options to establish a connection between the Visio Graphics Service and the database. Visio diagrams can use connections stored in Office Data Connectivity (ODC) files. In order to author data-connected Web drawings that use the unattended account and the Secure Store Service, the users must first create Office Data Connectivity files by using Microsoft Excel.

The authentication methods supported by Visio Services are as follows:

  • Integrated Windows authentication   In this security model the Visio Graphics Service uses the drawing viewer's identity to authenticate with the database. Of the authentication methods in this list, Integrated Windows authentication with constrained Kerberos delegation provides the strongest security. This configuration requires constrained Kerberos delegation to be enabled between the application server that is running the Visio Graphics Service and the database server. The database itself might require additional configuration to enable Kerberos-based authentication, which is beyond the scope of this document.

  • Secure Store Service   In this security model the Visio Graphics Service uses the Secure Store Service to map the user’s credentials to a different credential that has access to the database. The Secure Store Service supports individual and group mappings for both Integrated Windows authentication and other forms of authentication. This gives administrators more flexibility in defining one-to-one, many-to-one, or many-to-many relationships. This authentication model can only be used by drawings that use an ODC file to specify the connection. The ODC file specifies the target application that will be used for credential mapping.

  • Unattended Service Account   For ease of configuration the Visio Graphics Service provides a special configuration where an administrator can create a unique mapping associating all users to a single account by using a Secure Store Target Application. This mapped account, known as the unattended service account, must be a low-privilege Windows domain account that is given access to databases. The Visio Graphics Service impersonates this account when it connects to the database. Note that this approach does not enable personalized queries against a database and does not provide auditing of database calls. This authentication model can only be used by drawings that use an ODC file to specify the connection. The ODC file specifies "None" as the authentication type.
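Provisioning the unattended service account described in the last item, as an added example that is not part of this article: the script creates a group-mapped Secure Store target application, stores the low-privilege account's credentials, and binds the Visio Graphics Service to that mapping. The site URL, the claims principals, the target application ID and the account name are placeholders to replace with your farm's values.

```powershell
# Added example (not the article's code): configure the unattended service account.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Placeholders: substitute your farm's values.
$siteUrl     = "http://sharepoint.contoso.com"
$targetAppId = "VisioUnattendedAccount"
$admin       = New-SPClaimsPrincipal -Identity "CONTOSO\spadmin" -IdentityType WindowsSamAccountName
$viewers     = New-SPClaimsPrincipal -Identity "CONTOSO\Domain Users" -IdentityType WindowsSecurityGroupName
$sc          = Get-SPServiceContext -Site $siteUrl

# Group target application: every member of $viewers is mapped to the same stored
# credential, which is the many-to-one mapping the unattended account relies on.
$target = New-SPSecureStoreTargetApplication -Name $targetAppId `
    -FriendlyName "Visio Services unattended service account" -ApplicationType Group

$fields = @(
    (New-SPSecureStoreApplicationField -Name "Windows User Name" -Type WindowsUserName -Masked:$false),
    (New-SPSecureStoreApplicationField -Name "Windows Password"  -Type WindowsPassword -Masked:$true)
)

$ssApp = New-SPSecureStoreApplication -ServiceContext $sc -TargetApplication $target `
    -Fields $fields -Administrator $admin -CredentialsOwnerGroup $viewers

# Prompt for the low-privilege domain account (for example CONTOSO\visiosvc) instead of
# hard-coding a password in the script; the password stays a SecureString throughout.
$cred   = Get-Credential
$values = @((ConvertTo-SecureString $cred.UserName -AsPlainText -Force), $cred.Password)
Update-SPSecureStoreGroupCredentialMapping -Identity $ssApp -Values $values

# Bind Visio Services to the mapping. Only drawings whose ODC file sets the
# authentication type to "None" use it; the database sees the impersonated account,
# not the viewer, so per-user auditing of database calls is not available there.
$visio = Get-SPVisioServiceApplication -Identity "Visio Graphics Service"
Set-SPVisioExternalData -VisioServiceApplication $visio `
    -UnattendedServiceAccountApplicationID $targetAppId

# Confirm the binding took effect.
Get-SPVisioExternalData -VisioServiceApplication $visio
```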

In a larger server farm it is likely that Visio drawings will use a mix of the authentication methods described here. It is important to be aware that:

  • Visio Services supports usage of both the Secure Store Service and the unattended service account in the same farm.

  • If Integrated Windows authentication is configured, Visio Services will not render drawings that use the unattended account authentication mode.

© 2009 Microsoft Corporation. All rights reserved.