Business Connectivity Services security operations (SharePoint Server 2010)

 

Applies to: SharePoint Server 2010, SharePoint Foundation 2010

**Summary:**Administrators can perform various operations to ensure that Business Data Connectivity service applications in SharePoint Server are secure.

This article describes security-related administrative tasks for your Business Data Connectivity service application.

In this article:

  • Assign administrators to a Business Data Connectivity service application

  • Set permissions on a metadata store

  • RevertToSelf authentication mode

  • Workflows and external lists

  • Set permissions to enable a consuming farm to generate deployment packages

Assign administrators to a Business Data Connectivity service application

Farm administrators can delegate administration of a specific Business Data Connectivity service application to a service application administrator. The delegated administrator is given access to the Central Administration Web site and can perform administrative tasks that are related to that Business Data Connectivity service application.

Tip

The delegated administrator is not given permissions to the metadata store.

To assign administrators to a Business Data Connectivity service application

  1. Verify that you have the following administrative credentials:

    • You must be a farm administrator.
  2. On the Central Administration Web site, in the Application Management section, click Manage service applications.

  3. In the list of service applications, click the row that contains the Business Data Connectivity service application.

    Note

    Do not select the row by clicking in the Name column. Clicking the name of the Business Connectivity Service opens the Business Connectivity Service management pages.

  4. In the Operations group of the ribbon, click Administrators.

  5. In the text box, type or select a user account or a group account, and then click Add.

  6. In the Permissions box, click Full Control, and then click OK.

Set permissions on a metadata store

Each Business Data Connectivity service application has a metadata store that includes all the models, external systems, external content types, methods, and method instances that have been defined for that store’s purpose. You set permissions on a metadata store to specify who can edit items in the metadata store and who can set permissions on the metadata store.

We recommend that you give specific permissions to each user or group that needs it, in such a way that the credentials provide the least privilege that is necessary to perform the needed tasks. For more information about setting permissions, see Business Connectivity Service permissions overview in "Business Connectivity Services security overview (SharePoint Server 2010)".

To set permissions on a metadata store

  1. Verify that you have one of the following administrative credentials:

    • You must be a farm administrator.

    • You must be the Business Data Connectivity service application administrator and have Set Permissions permission to the metadata store.

  2. On the Central Administration Web site, in the Application Management section, click Manage service applications.

  3. Click in the Name column of the row that corresponds to the Business Data Connectivity service application.

  4. In the Permissions group of the ribbon, click Set Metadata Store Permissions.

  5. In the text box, type the user accounts, groups, or claims for which permissions will be granted, and then click Add.

    Note

    The user account, group, or claim cannot have a vertical bar (|) in its name.

  6. Set the permissions for the account, group, or claim:

    Note

    At least one user, group, or claim in the metadata object's access control list must have the Set Permissions permission.

    • Click Edit to allow the user, group, or claim to create external systems, to create models, to import models, and to export models.

      securitySecurity Note
      The Edit permission should be considered highly privileged. With the Edit permission, a malicious user can steal credentials or corrupt a server farm. To help ensure a secure solution, we recommend that you use a test environment where the Edit permission can be assigned freely to developers and solution designers. When you deploy the tested solution to a production environment, remove the Edit permissions.
    • Click Execute to allow the user, group, or claim to execute operations (create, read, update, delete, or query) on external content types.

      Tip

      The Execute permission is not applicable to the metadata store itself. This setting is used when you want to propagate the Execute permission to child objects in the metadata store.

    • Click Selectable In Clients to allow the user, group, or claim to create external lists of any external content types and to view the external content types in the external item picker.

      Tip

      The Selectable In Clients permission is not applicable to the metadata store itself. This setting is used when you want to propagate the Selectable In Clients permission to child objects in the metadata store.

    • Click Set Permissions to allow the user, group, or claim to set permissions on the metadata store.

      securitySecurity Note
      The Set Permissions permission should be considered highly privileged. With the Set Permissions permission, a user can grant Edit permission to the metadata store.
  7. To propagate permissions to all items in the metadata store, click Propagate permissions to all BDC Models, External Systems and External Content Types in the BDC Metadata Store. Doing so will overwrite existing permissions.

RevertToSelf authentication mode

Each external content type has an associated authentication mode. The authentication mode gives Business Connectivity Services information about how to process an incoming authentication request from a user and maps that request to a set of credentials that can be passed to the external system. By default, the RevertToSelf authentication mode (also called BDC Identity authentication mode) is not enabled. You cannot create or import models that use RevertToSelf when RevertToSelf authentication mode is not enabled.

RevertToSelf authentication mode uses the application pool account where the Business Connectivity Services is running to authenticate the logged-on user to the external system. For example, when a user opens an external list, the application pool account of the front-end Web server where the external list resides is used for authentication. The application pool account is a highly privileged account. By default, the application pool account has write permission to the farm configuration database. By using RevertToSelf mode, anyone who can create or edit a model that uses RevertToSelf mode has the power to make themselves an administrator of the SharePoint farm.

RevertToSelf authentication mode is not recommended for production environments. We recommend that you use Secure Store Service.

If you must use RevertToSelf authentication mode in a production environment, consider the following:

  • Any users who can create or edit models, including SharePoint Designer users, should be considered equal to a farm administrator from a security perspective. You must be able to trust them as you would a farm administrator.

  • You must lock down the use of the application pool account as much as possible. Doing so can help to limit the damage a malicious user can do to the SharePoint farm and external systems.

Enable RevertToSelf authentication mode

After you enable RevertToSelf authentication mode, new models that use RevertToSelf can be created and imported.

securitySecurity Note
We do not recommend RevertToSelf authentication mode for production environments. Before enabling RevertToSelf authentication mode, make sure that you have read and understood the implications of enabling RevertToSelf authentication mode.

Note

RevertToSelf is not allowed in hosted environments.

To enable RevertToSelf authentication mode

  1. Verify that you meet the following minimum requirements: See Add-SPShellAdmin.

  2. On the Start menu, click All Programs.

  3. Click Microsoft SharePoint 2010 Products.

  4. Click SharePoint 2010 Management Shell.

  5. At the Windows PowerShell command prompt, type the following commands:

    1. To create a variable that contains the Business Data Connectivity service application object, type the following command:

      $bdc = Get-SPServiceApplication | where {$_ -match "<ServiceName>"}
      

      Where <ServiceName> is the name of the Business Data Connectivity service application. This can also be a regular expression (for example, "BDC").

      Note

      If the Business Data Connectivity service application is a shared service application, this command must be run on the farm where the service application is published.

    2. To enable RevertToSelf authentication mode, type the following command:

      $bdc.RevertToSelfAllowed = $true
      

Disable RevertToSelf authentication mode

When RevertToSelf is disabled, new models that use RevertToSelf cannot be created or imported.

Note

If you have existing models that use RevertToSelf, they will continue to work. You must delete the existing models if you want to remove all instances of RevertToSelf authentication from your farm.

To disable RevertToSelf authentication mode

  1. Verify that you meet the following minimum requirements: See Add-SPShellAdmin.

  2. On the Start menu, click All Programs.

  3. Click Microsoft SharePoint 2010 Products.

  4. Click SharePoint 2010 Management Shell.

  5. At the Windows PowerShell command prompt, type the following commands:

    1. To create a variable that contains the Business Data Connectivity service application, type the following command:

      $bdc = Get-SPServiceApplication | where {$_ -match "<ServiceName>"}
      

      Where <ServiceName> is the name of the Business Data Connectivity service application. This can also be a regular expression (for example, "BDC").

      Note

      If the Business Data Connectivity service application is a shared service application, this command must be run on the farm where the service application is published.

    2. To disable RevertToSelf authentication mode, type the following command:

      $bdc.RevertToSelfAllowed = $false
      

Workflows and external lists

Additional configuration is required when you want to develop workflows that interact with external lists. The following sections describe requirements that can affect workflow behavior.

Note

Workflows cannot interact with external lists in a hosted environment.

Workflows cannot be associated directly with an external list

Because the external data is not stored in SharePoint Server, the workflow cannot be notified when an item in the external list changes. Instead, you can create a site workflow or a list workflow, and then have the workflow read or update an external list. You can also use an external list item as a destination for a task process in SharePoint Designer; however, the link to the task will not display a title for the external list item.

Workflows sometimes run as the service account

Workflows run as the service account (typically, the application pool account) in the following scenarios:

  • Visual Studio workflows.

  • Declarative workflows that interact with external lists and are started automatically. This is true even when you use an impersonation step in your workflow.

In this case, you must give the service account Execute permission to the external content type that the external list is associated with and verify that the service account has the necessary permissions to access the external system.

Workflows and authentication

To support workflow activities, the external content type that the external list is associated with must use RevertToSelf or Secure Store Service for authentication.

Note

These authentication mode restrictions do not apply if you are using a .NET Assembly connector or a custom connector.

  • Authenticate by using RevertToSelf

    RevertToSelf authentication mode (also known as BDC identity authentication mode) authenticates to the external system by using the application pool account of the front-end Web server where the external list resides. This means that the application pool account must have permission to access the external system. By default, RevertToSelf authentication is not enabled. You must enable RevertToSelf authentication mode before you can create or import models that use RevertToSelf authentication.

    securitySecurity Note
    RevertToSelf authentication is not recommended for production environments.

    For more information about RevertToSelf authentication, see RevertToSelf authentication mode.

  • Authenticate by using the Secure Store Service

    Secure Store Service enables you to securely store data that provides credentials that are required for connecting to external systems and associating those credentials to a specific identity or group of identities. You must ensure that the external content type uses one of the Secure Store Service authentication modes.

    securitySecurity Note
    If the workflow is running as the service account, we recommend that you map the service account to an account that has lower privileges. For example, you can create a secure store target application ID that maps the service account to an account that has minimal permissions and can access only the required external system.

For more information about authentication modes, see Business Connectivity Service authentication overview in "Business Connectivity Services security overview (SharePoint Server 2010)."

Set permissions to enable a consuming farm to generate deployment packages

The Business Data Connectivity service application can be shared across server farms. The farm that contains the Business Data Connectivity service application and publishes the Business Data Connectivity service application is known as the publishing farm. The consuming farm is the farm that connects to a remote location to use the Business Data Connectivity service application.

When a user takes an external list offline, the application pool account that is used by the front-end Web server where the external list resides, generates a deployment package, which is then installed on the client computer. On the publishing farm, the application pool account of the front-end server has full permissions to the metadata store so that it can generate the deployment package. If you want the consuming farm to be able to generate deployment packages, you must give Edit and Set Permissions permission to the metadata store to the application pool account that is used by the front-end server on the consuming farm. If you do not give these additional permissions to the application pool account, external lists that reside on the consuming farm cannot be taken offline.

securitySecurity Note
Giving the application pool account of the consuming farm Edit and Set Permissions permission to the metadata store makes that account a farm administrator on the publishing farm.

Note

This section applies only to on-premise SharePoint Server deployments.

For more information about external list deployments, see Plan Business Connectivity Services client integration (SharePoint Server 2010).

To assign permissions to the application pool account of the consuming farm

  1. Verify that you have one of the following administrative credentials:

    • You must be a farm administrator on the publishing farm.

    • You must be the administrator of the Business Data Connectivity service application and have Set Permissions permission to the metadata store.

  2. On the Central Administration site of the publishing farm, in the Application Management section, click Manage service applications.

  3. Click in the Name column of the row that corresponds to the Business Data Connectivity service application.

  4. In Permissions group of the ribbon, click Set Metadata Store Permissions.

  5. In the text box, type the application pool account that is used by the front-end Web server on the consuming farm, and then click Add.

  6. In the Permissions box, click Edit, and then click Set Permissions.

  7. Click OK.

For more information about shared service applications, see Share service applications across farms (SharePoint Server 2010).

See Also

Concepts

Business Connectivity Services security overview (SharePoint Server 2010)

Other Resources

Resource Center: Operations and Manageability for SharePoint Server 2010