Plan Visio Services security (SharePoint Server 2010)
Published: May 12, 2010
Summary: Security is an important consideration for determining who can gain access to data-connected diagrams rendered in Visio Services.
In addition to the security requirements to deploy Microsoft SharePoint Server 2010, you should also review security considerations for a deployment that includes Visio Services in Microsoft SharePoint Server 2010. Visio Services enables you to render published Visio Web drawings. These drawings can be connected to external data, and drawing elements can be updated based on that data. Security is an important component for enabling these data-rendering scenarios. The Visio Graphics Service gives you fine-grained control over how Visio Web drawings are processed and displayed and which data sources they are allowed to connect to.
Store Visio diagrams in SharePoint document libraries
Published Visio Drawings (.VDW files) must be stored in SharePoint document libraries to be opened by Visio Services. SharePoint Server 2010 maintains an access control list (ACL) for the files that are contained in the document library. By setting the library rules correctly you can limit access to a particular drawing. For information about how to work with document library permissions, see Plan site permissions (SharePoint Server 2010).
Visio Web drawings that are connected to data
The Visio Graphics Service can connect to data sources. These include SharePoint lists, Excel workbooks hosted on the farm, databases such as Microsoft SQL Server, and custom data sources. You can control access to specific data sources by explicitly defining the data providers that are trusted and configuring them in the list of trusted data providers.
Visio Services accesses external data sources by using a delegated Windows identity. Consequently, external data sources must reside within the same domain as the SharePoint Server 2010 farm or Visio Services must be configured to use the Secure Store Service. If the Secure Store Service is not used and external data sources do not reside within the same domain, authentication to the external data sources will fail. For more information, see Planning considerations for services that access external data sources in “Services Architecture Planning.”
When Visio Services loads a data-connected Web drawing, the service checks the connection information that is stored in the Web drawing to determine whether the specified data provider is a trusted data provider. If the provider is specified on the Visio Services trusted data provider list, a connection is attempted; otherwise, the connection request is ignored.
Visio Services has an extensive list of preconfigured trusted data providers. For more information, see Configure Visio Graphics Service trusted data providers (SharePoint Server 2010).
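The trusted data provider list described above can be reviewed and extended from the SharePoint 2010 Management Shell. The following is an added example, not code from the original article; the service application name "Visio Graphics Service", the provider id "SqlClient.Sales" and the numeric provider type are assumptions that must be matched to your farm before running it.

```powershell
# Added example (not from the original article): inspect and extend the
# Visio Graphics Service trusted data provider list. Assumed names: the
# service application "Visio Graphics Service" and provider id "SqlClient.Sales".
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$visioApp = Get-SPVisioServiceApplication | Where-Object { $_.Name -eq "Visio Graphics Service" }
if ($null -eq $visioApp) { throw "Visio Graphics Service application not found" }

# 1. Review what is already trusted. The provider named in a Web drawing's
#    connection information must match one of these entries (id and type),
#    otherwise Visio Services ignores the connection request.
Get-SPVisioSafeDataProvider -VisioServiceApplication $visioApp |
    Select-Object DataProviderId, DataProviderType, Description |
    Format-Table -AutoSize

# 2. Trust one specific provider rather than broadening the list. DataProviderType
#    is an integer; the value 2 is assumed here to be the SQL provider type,
#    confirm it against the type values listed in step 1 before running.
$providerId   = "SqlClient.Sales"
$providerType = 2
$existing = Get-SPVisioSafeDataProvider -VisioServiceApplication $visioApp `
    -DataProviderId $providerId -DataProviderType $providerType -ErrorAction SilentlyContinue
if ($null -eq $existing) {
    New-SPVisioSafeDataProvider -VisioServiceApplication $visioApp `
        -DataProviderId $providerId -DataProviderType $providerType `
        -Description "Sales reporting database, approved by the DBA team"
}

# 3. Keep the list minimal: remove providers that no drawing needs any more.
#    (Uncomment and substitute the id/type of the entry to drop.)
# Remove-SPVisioSafeDataProvider -VisioServiceApplication $visioApp `
#     -DataProviderId "ObsoleteProvider" -DataProviderType 2
```

Because an entry on this list is what turns a drawing's stored connection string into an actual outbound connection from the application server, treat additions as change-controlled: record who approved each provider in the Description field and re-run step 1 periodically to confirm nothing unexpected has been trusted.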
Once an administrator has configured Visio Services to enable connections to a particular data source, there are additional security configurations that must be made, depending on the kind of data source. The following data sources are supported by Visio Services:
Excel workbooks stored on SharePoint Server with Excel Services enabled
Databases such as SQL Server databases
Custom Data Providers
Visio Web drawings that are connected to SharePoint lists
Published Visio Drawings can be connected to SharePoint lists on the same farm that the drawing is hosted on. The user viewing the Web drawing must have access to both the drawing and the SharePoint list that the drawing is connected to. These permissions and credentials are managed by SharePoint Server 2010. For information about how to use Visio Services with SharePoint lists, see Use Visio Services with SharePoint lists (SharePoint Server 2010).
Visio Web drawings that are connected to Excel Services
Published Visio drawings can be connected to Excel workbooks hosted on the same farm as the Web drawing with Excel Services running and configured correctly. To view the Web drawing, the user must have access to both the drawing and the Excel workbook that the drawing is connected to. These permissions and credentials are managed by SharePoint Server 2010.
Excel workbooks can be connected to external data sources. For more information, see Plan Excel Services data sources and external connections (SharePoint Server 2010).
Visio Web drawings that are connected to SQL Server databases
When a published Visio Web drawing is connected to a SQL Server database, Visio Services uses additional security configuration options to establish a connection between the Visio Graphics Service and the database.
The authentication methods supported by Visio Services are as follows:
Integrated Windows authentication: In this security model the Visio Graphics Service uses the drawing viewer's identity to authenticate with the database. Integrated Windows authentication with constrained Kerberos delegation offers stronger security than the other authentication methods in this list. This configuration requires constrained Kerberos delegation to be enabled between the application server that is running the Visio Graphics Service and the database server. The database itself might require additional configuration to enable Kerberos-based authentication. For information about how to configure Kerberos delegation for use with Visio Services, see Configure Kerberos authentication for SharePoint 2010 Products (white paper).
Secure Store Service: In this security model the Visio Graphics Service uses the Secure Store Service to map the user's credentials to a different credential that has access to the database. The Secure Store Service supports individual and group mappings for both Integrated Windows authentication and other forms of authentication such as SQL Server Authentication. This gives administrators more flexibility in defining one-to-one, many-to-one, or many-to-many relationships. This authentication model can only be used by drawings that use an Office Data Connection (ODC) file to specify the connection. The ODC file specifies the Secure Store target application that will be used for credential mapping. The ODC files must be created by using Microsoft Excel. For more information, see Use Visio Services with Secure Store.
Unattended Service Account: For ease of configuration the Visio Graphics Service provides a special configuration where an administrator can create a unique mapping associating all users to a single account by using a Secure Store Target Application. This mapped account, known as the unattended service account, must be a low-privilege Windows domain account that is given access to databases. The Visio Graphics Service impersonates this account when it connects to the database if no other authentication method is specified. Note that this approach does not enable personalized queries against a database and does not provide auditing of database calls. This authentication method is the default authentication method that is used when you connect to SQL Server databases: if no ODC file is used in the Visio Web drawing that specifies a different authentication method, then Visio Services uses the credentials specified by the unattended account to connect to the SQL Server database. For information about how to use Visio Services with the unattended service account, see Use Visio Services with Secure Store.
In a larger server farm it is likely that Visio drawings will use a mix of the authentication methods described here. It is important to be aware of the following things:
Visio Services supports usage of both the Secure Store Service and the unattended service account in the same farm. In Web drawings that are connected to SQL Server data but do not use ODC files, the unattended account is required and always used.
If Integrated Windows authentication is selected, and authentication to the data source fails, Visio Services will not attempt to render the drawing using the unattended service account.
Integrated Windows authentication can be used together with the Secure Store by configuring drawings to use an ODC file that specifies a Secure Store target application for those drawings that require specific credentials.
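The unattended service account is configured as a Secure Store group target application that Visio Services is then pointed at; because every drawing without an ODC file falls back to it, the account it holds should have only the read access those drawings need. The following is an added example, not code from the original article: the target application name "VisioUnattended", the site URL, the accounts CONTOSO\svc-visio-ro and CONTOSO\spadmin, and the service application name "Visio Graphics Service" are all assumptions.

```powershell
# Added example (not from the original article): create the Secure Store
# target application holding the unattended service account and bind it to
# the Visio Graphics Service. All names and accounts below are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$visioApp = Get-SPVisioServiceApplication | Where-Object { $_.Name -eq "Visio Graphics Service" }
if ($null -eq $visioApp) { throw "Visio Graphics Service application not found" }
$context  = Get-SPServiceContext -Site "http://portal.contoso.com"   # hypothetical site URL

# Group mapping: every viewer maps to the same Windows account, so this
# account must be low-privilege (read-only on the databases the drawings use).
$targetApp = New-SPSecureStoreTargetApplication -Name "VisioUnattended" `
    -FriendlyName "Visio Services unattended account" -ApplicationType Group

$userField = New-SPSecureStoreApplicationField -Name "Windows User Name" -Type WindowsUserName -Masked:$false
$pwdField  = New-SPSecureStoreApplicationField -Name "Windows Password"  -Type WindowsPassword -Masked:$true

$admin = New-SPClaimsPrincipal -Identity "CONTOSO\spadmin" -IdentityType WindowsSamAccountName
$ssApp = New-SPSecureStoreApplication -ServiceContext $context -TargetApplication $targetApp `
    -Fields $userField, $pwdField -Administrator $admin -CredentialsOwnerGroup $admin

# Store the credential pair. Read-Host keeps the password out of the script file
# and out of the shell history.
$userName = ConvertTo-SecureString "CONTOSO\svc-visio-ro" -AsPlainText -Force
$password = Read-Host "Password for CONTOSO\svc-visio-ro" -AsSecureString
Update-SPSecureStoreGroupCredentialMapping -Identity $ssApp -Values $userName, $password

# Tell Visio Services which target application is the unattended account.
# From now on, SQL Server connections from drawings that carry no ODC file
# are made as CONTOSO\svc-visio-ro rather than as the viewer.
Set-SPVisioExternalData -VisioServiceApplication $visioApp `
    -UnattendedServiceAccountApplicationID "VisioUnattended"

# Verify the binding took effect.
Get-SPVisioExternalData -VisioServiceApplication $visioApp
```

Since the unattended account is shared by every viewer, database-side auditing can only attribute queries to that account, not to the person viewing the drawing; where per-user attribution matters, the drawing should instead use an ODC file that names a Secure Store target application with individual mappings or Integrated Windows authentication with constrained Kerberos delegation, as described above.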