Administering security for the Business Data Catalog

Applies To: Office SharePoint Server 2007

This Office product will reach end of support on October 10, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

Topic Last Modified: 2008-07-31

Administrators can manage the following security settings for the Business Data Catalog:

  • Authentication. By default, Microsoft Office SharePoint Server 2007 uses the Single Sign-On (SSO) service to authenticate users who are attempting to view business data on SharePoint sites.

  • Authorization: shared services permissions. After users are authenticated, they must be granted the correct services permissions for the Business Data Catalog. Some of these permissions also require read permission to the Shared Services Administration site. Permissions can be set for all applications in the Business Data Catalog, for specific line-of-business applications, or for one or more imported entities for a specific line-of-business application.

To access business data, users must be properly authenticated and must have all of the necessary services permissions for the Business Data Catalog, the line-of-business application, and the entity being accessed. For administrator tasks performed on the Shared Services Administration site, users must also have access to that site.

Authentication for the Business Data Catalog typically uses SSO to access line-of-business applications by using stored credentials. However, other authentication methods can be used.

Note

Before you can configure authentication and authorization for the Business Data Catalog, you must configure authorization permissions for one or more credentials to the line-of-business application.

For more information about authentication for the Business Data Catalog, see Manage authentication for the Business Data Catalog.

Permissions for the Business Data Catalog are administered from the Shared Services Administration Web site for each Shared Services Provider (SSP). Administrators must have the following permissions when working with permissions for the Business Data Catalog:

  • Read permission to the Shared Services Administration site.

    Permissions to the site are granted by site administrators for the site. During installation, the account used to create the SharePoint Services Administration site is granted the rights of a site administrator. This account can later be used to grant read permission to other users.

  • The Set Permissions shared services permission to the Business Data Catalog. This permission is granted to the first site administrator for the Shared Services Administration site (that is, the account used to create the site). Additional users can be granted this permission by the site administrator or any other user who already has the permission.

Users must have the following services permissions to perform additional tasks:

  • Edit permission: Used to import, update, and delete application definitions for line-of-business applications.

  • Execute permission: Used to execute method instances for business data entities. This permission is intended for developers, and does not require access to the Shared Services Administration site.

  • Select in clients permission: Used to select business data in Web Parts, columns in SharePoint lists, and other clients with access to data from the Business Data Catalog. This permission is intended for information workers, usually administrators or site owners for SharePoint sites that display business data from line-of-business applications. This permission does not require access to the Shared Services Administration site.

The account used to create the SharePoint Services Administration site is granted all of the services permissions during installation.

Permissions for the Business Data Catalog are managed separately for each SSP. Access to business data imported to the Business Data Catalog for a specific SSP uses the same shared services permissions.

For more information about authorizing access to business data imported to the Business Data Catalog, see Manage authorization for the Business Data Catalog.

The following tasks for administering Business Data Catalog permissions are performed in this order: