Secure Store for Business Intelligence service applications (SharePoint Server 2013)
Applies to: SharePoint Server 2013
Topic Last Modified: 2013-12-18
Summary: Learn how Secure Store works with Excel Services, PerformancePoint Services, and Visio Services to refresh data on SharePoint Server 2013.
This article describes how SharePoint Server 2013 business intelligence features use the Secure Store Service to provide access to external data sources (such as SQL Server) for SharePoint Server 2013 users. For the purposes of this article, the SharePoint Server 2013 business intelligence service applications are:
The SharePoint Server 2013 business intelligence service applications offer two methods of data access for users:
Integrated Windows authentication using Constrained Kerberos delegation
Secure Store Service (including an unattended service account)
Excel Services and PerformancePoint Services also support the SQL Server Analysis Services (SSAS) EffectiveUserName feature for Analysis Services connections.
This article covers Secure Store and its relationship to the business intelligence service applications.
For information about configuring specific scenarios in your SharePoint Server 2013 farm, see the following articles:
Secure Store is a feature in SharePoint Server 2013 that helps provide access to data outside SharePoint Server 2013 (for example, SQL Server data) by allowing a business intelligence service application to use a set of credentials with data access on behalf of a SharePoint Server 2013 user who is attempting to access that data. Such use of credentials by business intelligence service applications on behalf of users is called impersonation.
Secure Store provides this mapping between business intelligence services applications, users, and credentials through the use of a target application. A Secure Store target application is a collection of metadata that specifies which users shall be allowed access to a particular set of credentials that a business intelligence service application will use for impersonation when accessing external data. This metadata is stored in the Secure Store database along with the credentials themselves, which are encrypted.
Secure Store target applications can be used in many ways within SharePoint Server 2013, but for the purposes of SharePoint Server 2013 business intelligence scenarios, target applications consist of the following settings, configurable by the Farm Administrator:
Administrators Target application Administrators are users who have privileges to administer a given Secure Store target application. This can be the Farm Administrator or a specific user or users, depending on your needs.
Members The Members of a target application are the users on behalf of whom the Business Intelligence Service Application will impersonate the target application Credentials when it accesses external data. This could be a single user, multiple users, or an Active Directory group. Members are also referred to as Credential Owners.
Credentials Target application Credentials consist of an account with direct access to data sources. (You must grant the required data access to this account directly — access to external data sources is not controlled by SharePoint Server 2013. This should be a low-privileged account that only allows data access.) It is this account that is impersonated by business intelligence service applications to give users access to data.
The Administrators, Members, and Credentials are configurable by the Farm Administrator directly through Secure Store. Additionally, both Excel Services and PerformancePoint Services provide an option to automatically create a Secure Store target application for use with the unattended service account.
The business intelligence service applications can use Secure Store by using one of two methods:
Specified target application A specific target application is specified by the Excel worksheet, Visio diagram, or PerformancePoint data source. When a user accesses the worksheet, diagram, or dashboard, Secure Store uses the credentials associated with that target application for data access.
No specified target application (unattended service account) The unattended service account is specified by the Excel worksheet, Visio diagram, or PerformancePoint data source. When a user accesses the worksheet, diagram, or dashboard connected to an external data source, Secure Store uses the target application specified in the Global Settings of Excel Services, Visio Services, or PerformancePoint Services. When a target application is specified globally for a business intelligence service application, the target application credentials are referred to as the unattended service account.
The basic sequence of events that occurs is as follows:
A SharePoint Server 2013 user accesses a data-connected object such as an Excel Services worksheet, Visio Services diagram, or PerformancePoint Services dashboard.
The Business Intelligence Service Application accesses the target application specified by the object.
If the user is a Member of that target application, the credentials stored in the target application are returned and the Business Intelligence Service Application impersonates the credentials while accessing the data.
The data is displayed to the user within the context of the worksheet, Visio diagram, or dashboard.
All of the business intelligence service applications can use data connection files to specify authentication information. Excel Services and Visio Services use Office Data Connection (.ODC) files and PerformancePoint Services uses PerformancePoint Services Data Connection (.PPSDC) files. Use of such files allows multiple Excel Services worksheets, Visio Services diagrams, or PerformancePoint Services dashboards to share a common set of data access parameters.
The SharePoint Server 2013 business intelligence service applications each use data connection files differently. For a description of how each uses data connection files, see the section for each service application, below.
Excel 2013 and Visio 2013 are client applications that function independently from SharePoint Server 2013. Though they can publish documents to SharePoint Server 2013, they cannot use Secure Store directly for authentication to data sources. When you create or edit a data-connected worksheet or diagram, you must use Integrated Windows authentication or another applicable authentication method to connect directly to a data source from Excel 2013 or Visio 2013. (Other authentication methods you might use include SQL Authentication or an OLEDB connection string.) Once the worksheet or diagram is published to SharePoint Server 2013, Excel Services or Visio Services can use Secure Store to connect to the data source when it displays the content to a user.
PerformancePoint Dashboard Designer is directly integrated with SharePoint Server 2013. Dashboard Designer can use Secure Store directly to authenticate by using the unattended service account. As a result, users of Dashboard Designer do not need direct access to data sources through Integrated Windows authentication, provided the unattended service account has the required access.