Manage authorization for the Business Data Catalog
Applies To: Office SharePoint Server 2007
This Office product will reach end of support on October 10, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.
Topic Last Modified: 2017-01-26
The Business Data Catalog is a service that can be used to integrate line-of-business data with Microsoft Office SharePoint Server 2007. It includes a database for storing metadata for line-of-business applications in a consistent format and the corresponding APIs to extract data from applications and connect clients to the database.
Clients for the Business Data Catalog include, but are not limited to, business data profiles, Web Parts, SharePoint lists, and user profiles. Every time a client attempts to access business data, the current account is authenticated and granted access to data depending upon the authorization settings for the authenticated account. If the account has the correct permissions, data is retrieved from the middle-tier database and returned to the client.
Access to data in line-of-business applications, such as databases or Web services, can be authorized by the application on the back-end server. If the Trusted Subsystem authentication model is used, access for clients can be authorized by using the Business Data Catalog services permissions. For more information about authentication models, see Manage authentication for the Business Data Catalog.
In this article:
Back-end authorization
Middle-tier authorization
Back-end authorization
In back-end authorization, the back-end server for the application is responsible for granting access to data on the server, and individually identifies and authenticates users according to the permissions defined by the application. This might have some advantages for auditing business data transactions in some scenarios, but requires additional configuration work on the back-end server. Line-of-business applications that use back-end authorization grant access to users based upon authorization by the back-end server, and data from those applications is made available in client applications depending upon the authorization of each user. When you use back-end authorization, you cannot use the services permissions for the Business Data Catalog to enable more specific access control.
Middle-tier authorization
Middle-tier authorization uses a single identity to authorize all users on the back-end server. You configure Business Data Catalog services permissions to enable more specific access control for individual users. This provides a single model of authorization across all applications, enabling database connection pooling, and supporting scenarios in which back-end authorization is not possible.
The services permissions for the Business Data Catalog enable users to access business data from line-of-business applications imported to the Business Data Catalog. These permissions are not part of the Windows SharePoint Services 3.0 security and permissions model, and are managed from a special Shared Services Rights page on the Shared Services Administration site.
By default, the account used to create the Shared Services Administration site for a Shared Services Provider (SSP) has all of the services permissions for the Business Data Catalog. No other accounts, including accounts added as site administrators for the Shared Services Administration site, are automatically granted services permissions.
Any account with at least View Only permission to the Shared Services Administration site can be granted one or more of the services permissions.
The services permissions for the Business Data Catalog are:
Set permissions permission
Enables permissions managers for the Business Data Catalog to administer services permissions for other users, including the Set permissions permission.
Edit permission
Enables application definition administrators to import, update, and delete application definitions for line-of-business applications.
Select in clients permission
Enables information workers, usually site administrators or owners of SharePoint sites that display business data from line-of-business applications, to select business data in Web Parts, columns in SharePoint lists, and other clients with access to data from the Business Data Catalog. Users granted this permission do not require access to the Shared Services Administration site. For more information about using business data in clients such as SharePoint lists and Web Parts, see Business data in sites, lists, and libraries (https://go.microsoft.com/fwlink/?LinkID=107616&clcid=0x409) and Work with business data in SharePoint lists (https://go.microsoft.com/fwlink/?LinkID=107617&clcid=0x409).
Execute permission
Enables developers to execute method instances for business data entities. Users granted this permission do not require access to the Shared Services Administration site. For more information about executing method instances for business data entities, see the SharePoint Server 2007 SDK: Software Development Kit.
These permissions can be set as access control lists (ACLs) at five hierarchical levels that correspond to object names used in application definition XML files for line-of-business applications in the Business Data Catalog:
Business Data Catalog (the top level, known as Application Registry in the schema)
Application (LobSystem in the schema)
Entity or business data type (Entity in the schema)
Method
Method instance (MethodInstance in the schema)
For an example of an application definition file, see Sample: AdventureWorks2000 PassThrough Metadata (https://go.microsoft.com/fwlink/?LinkId=124631&clcid=0x409).
Permissions at each level are set separately. For example, a user with Edit permission at the Business Data Catalog level can import new application definitions, but can only edit or delete existing application definitions if they have the Edit permission at the application level. Permissions can be viewed and managed from the Manage Permissions pages on the Shared Services Administration site for the top three levels. Methods and method instances permissions can only be viewed in the relevant application definition files.
Permissions managers at one level can copy permissions at that level to all descendants. For example, users with access to the Business Data Catalog can be granted the same permissions to all existing applications and entities, or users with access to an application can be granted permissions to all entities for that application.
During initial configuration of the Business Data Catalog, it is a good idea to configure permissions across the Business Data Catalog and consider which users need each services permission at that level before moving to permissions for individual applications. Then, after you have added permissions for users to each application, you configure the permissions for each entity, method, or method instance. During ongoing operations, application definition managers can add or remove permissions to applications and entities as business needs and practices change over time.
Top-level Business Data Catalog permissions
The account used to create the Shared Services Administration site has all of the services permissions at the top level of the Business Data Catalog by default. That includes the Set permissions permission. As a permissions manager, this user typically adds services permissions for a small number of users at the top level of the Business Data Catalog. These users are Business Data Catalog administrators who are permissions managers, application definition administrators, or both.
The application definition administrators work with a designer or developer who authors the application definition for each line-of-business application. Application definitions include ACLs for all imported entities, methods, and method instances. These permissions can be added in detail when the application definition is authored, or you can add a minimal number of users and then edit the application definition after it is imported.
The top-level application definition administrators typically add permissions to other users that are limited to each application. This way, different users can be given responsibility for managing business data permissions for each application without granting permissions across applications to a large number of users.
When adding permissions at any level, it is a good practice to grant each user the minimum permissions necessary to work with relevant business data.
Application administrators have all permissions at the application level. Typically, there are a small number of application administrators and they are the only users granted Set permissions permission and the Edit permission at the application level.
Information workers have Select in clients permission, and do not have the other permissions.
Developers and designers have Execute permissions for the applications and entities that they are developing and designing, and do not have the other permissions.
The initial permissions for the application and entity level are configured by the author of the application definition for the application. The author of the application definition can also configure permissions for users and groups to the application and optionally to one or more entities for the application. When the application definition administrator imports the application definition to the Business Data Catalog, those users are added to the ACL and are authorized to view data for the relevant application and entities. Changes made to permissions at each level impact the underlying XML in the application definition.
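The following is an added example, not code from the original article or from Microsoft: a small in-memory model of the five-level permission hierarchy described above (separate ACLs at each level, the import-versus-edit distinction at the catalog and application levels, and a permissions manager copying an ACL to all descendants), together with the least-privilege role templates for application administrators, information workers, and developers. The node names, account names, the "Method" level name, and the over-privileged sample account are constructed for illustration and do not come from any real application definition.

```python
"""Model of Business Data Catalog services-permission ACLs.

Added example; the hierarchy, permission names and role templates follow
the article, while the sample nodes and CONTOSO\\* principals are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Iterator

# The four services permissions named in the article.
SET_PERMISSIONS = "Set permissions"
EDIT = "Edit"
SELECT_IN_CLIENTS = "Select in clients"
EXECUTE = "Execute"
ALL_PERMISSIONS = frozenset({SET_PERMISSIONS, EDIT, SELECT_IN_CLIENTS, EXECUTE})

# The five ACL levels, parent to child ("Method" is our label; the article
# gives no schema name for that level).
LEVELS = ("ApplicationRegistry", "LobSystem", "Entity", "Method", "MethodInstance")

# Least-privilege role templates from the article.
ROLE_TEMPLATES = {
    "application administrator": ALL_PERMISSIONS,
    "information worker": frozenset({SELECT_IN_CLIENTS}),
    "developer": frozenset({EXECUTE}),
}


@dataclass
class Node:
    name: str
    level: str
    acl: dict[str, set[str]] = field(default_factory=dict)  # principal -> permissions
    children: list[Node] = field(default_factory=list)

    def add_child(self, name: str) -> Node:
        idx = LEVELS.index(self.level) + 1
        if idx >= len(LEVELS):
            raise ValueError(f"{self.level} is the lowest level; cannot add a child")
        child = Node(name, LEVELS[idx])
        self.children.append(child)
        return child

    def grant(self, principal: str, *perms: str) -> None:
        unknown = set(perms) - ALL_PERMISSIONS
        if unknown:
            raise ValueError(f"unknown permission(s): {sorted(unknown)}")
        self.acl.setdefault(principal, set()).update(perms)

    def has(self, principal: str, perm: str) -> bool:
        # Each level is checked on its own ACL; nothing is inherited from a parent.
        return perm in self.acl.get(principal, set())

    def copy_to_descendants(self, actor: str) -> int:
        # Only a permissions manager at this level may copy its ACL downward.
        if not self.has(actor, SET_PERMISSIONS):
            raise PermissionError(f"{actor} lacks {SET_PERMISSIONS!r} on {self.name}")
        count = 0
        for child in self._descendants():
            for principal, perms in self.acl.items():
                child.acl.setdefault(principal, set()).update(perms)
            count += 1
        return count

    def _descendants(self) -> Iterator[Node]:
        for child in self.children:
            yield child
            yield from child._descendants()


def can_import_definition(catalog: Node, principal: str) -> bool:
    # Importing a new application definition needs Edit at the catalog level.
    return catalog.has(principal, EDIT)


def can_edit_definition(app: Node, principal: str) -> bool:
    # Editing or deleting an existing definition needs Edit at the application level.
    return app.has(principal, EDIT)


def excess_permissions(node: Node, principal: str, role: str) -> set[str]:
    """Permissions the principal holds on this node beyond its role template."""
    return node.acl.get(principal, set()) - ROLE_TEMPLATES[role]


def build_sample_catalog() -> Node:
    """Constructed sample hierarchy: catalog -> application -> entity -> method -> instance."""
    catalog = Node("Application Registry", "ApplicationRegistry")
    catalog.grant(r"CONTOSO\sspadmin", *ALL_PERMISSIONS)   # account that created the SSP admin site
    catalog.grant(r"CONTOSO\defadmin", EDIT)               # may import, but not edit existing apps
    app = catalog.add_child("SampleLobSystem")
    app.grant(r"CONTOSO\appadmin", *ALL_PERMISSIONS)
    app.grant(r"CONTOSO\worker", SELECT_IN_CLIENTS, EDIT)  # deliberately over-privileged
    entity = app.add_child("Customer")
    method = entity.add_child("GetCustomers")
    method.add_child("GetCustomersInstance")
    return catalog


if __name__ == "__main__":
    cat = build_sample_catalog()
    app = cat.children[0]
    print("defadmin can import:", can_import_definition(cat, r"CONTOSO\defadmin"))
    print("defadmin can edit SampleLobSystem:", can_edit_definition(app, r"CONTOSO\defadmin"))
    print("worker excess:", excess_permissions(app, r"CONTOSO\worker", "information worker"))
    print("nodes updated by copy:", cat.copy_to_descendants(r"CONTOSO\sspadmin"))
```

Running the module shows the two rules a reviewer most often has to explain: an account with Edit only at the catalog level can import a definition but cannot edit the existing application, and an ACL copied downward by a permissions manager reaches every entity, method, and method instance beneath that level, so the copy should be done only after the top-level ACL has been trimmed to the intended administrators.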
Task requirements
The following are required to perform the procedures for this task:
- Administrators must have access to the Shared Services Administration site, and must have the Set permissions permission enabled for the Business Data Catalog. The account used to create the Shared Services Administration site has this permission and can grant the permission to other users.
To manage permissions for the Business Data Catalog, you can perform the following procedures: