Overview of Business Connectivity Services security tasks in SharePoint 2013


Applies to: SharePoint Foundation 2013, SharePoint Server 2013

Topic Last Modified: 2016-12-16

Summary: Understand Business Connectivity Services (BCS) security in SharePoint 2013 for IT professionals, site and SharePoint Online administrators, and developers.

Providing security for the data that your customers work with through Microsoft Business Connectivity Services (BCS) is a critical part of every BCS solution. Unlike regular SharePoint data, which is stored in a SharePoint content database, the data that BCS solutions make visible live outside of SharePoint in external systems. BCS provides the channel that SharePoint uses to get to the external data. In addition to working within the usual SharePoint products security controls such as site access permissions, and list permissions, BCS solutions have to deal with additional communication and security layers. For example, the external system might use a different authentication mechanism or provider, and require different credentials than the ones your users use to access SharePoint products with. Because there are more security layers in a BCS solution, there are more security configuration tasks involved.

The Business Connectivity Services security tasks fall to three different roles: the IT professional; the SharePoint Online administrator, site collection administrator, or site owner; and the developer. The following examples describe what each role is responsible for.

  • IT professionals have the responsibility of managing the security on the Metadata Store and its contents. They also handle account and group administration and credential mapping in the Secure Store Service.

  • SharePoint Online administrators, site collection administrators, and site owners are responsible for understanding the kind of security the external system uses and how to configure no-code, or declarative, external content types to communicate with it. They are also responsible for planning and applying security to external lists and business data Web Parts.

  • BCS solution developers are responsible for understanding the kind of security that the external system uses and how to configure the BDC model to communicate with it, and security around development and deployment of apps for Office and SharePoint.

Delegation of administration to the Business Data Connectivity service

The first task that the farm administrator should perform after creating an instance of the Business Data Connectivity service is to delegate administration of the service to a different account, preferably one without farm administrator rights. This best practice follows the principle of least privilege. The delegated account is granted the permissions it needs to open the SharePoint Central Administration website and to access the Business Data Connectivity service application. This should be the primary account that is used to administer the service. The only permission that can be granted or revoked is Full Control.
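The delegation described above can be scripted from the SharePoint 2013 Management Shell. The following is an added example, not code from the original article; the service application display name and the delegated account name are assumptions, and the cmdlets are the standard SharePoint 2013 service application security cmdlets.

```powershell
# Added example (not from the original article): delegate administration of the
# Business Data Connectivity service application to a dedicated account.
# Run in the SharePoint 2013 Management Shell on a farm server as a farm administrator.
# Assumed values: the service application display name and the delegated account.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$bdcAppName     = "Business Data Connectivity Service"   # assumed display name
$delegatedAdmin = "CONTOSO\bcsadmin"                     # assumed account; not a farm administrator

$bdcApp = Get-SPServiceApplication | Where-Object { $_.DisplayName -eq $bdcAppName }
if (-not $bdcApp) { throw "BDC service application '$bdcAppName' not found" }

# A service application has two ACLs: the administrators ACL (selected with -Admin) and
# the consumer ACL. Delegation is done on the administrators ACL, where Full Control is
# the only right available, exactly as the article states.
$adminAcl  = Get-SPServiceApplicationSecurity -ServiceApplication $bdcApp -Admin
$principal = New-SPClaimsPrincipal -Identity $delegatedAdmin -IdentityType WindowsSamAccountName

Grant-SPObjectSecurity -Identity $adminAcl -Principal $principal -Rights "Full Control"
Set-SPServiceApplicationSecurity -ServiceApplication $bdcApp -ObjectSecurity $adminAcl -Admin

# Verify: list every principal that now holds Full Control as an administrator.
(Get-SPServiceApplicationSecurity -ServiceApplication $bdcApp -Admin).AccessRules |
    Select-Object Name, AllowedRights
```

After this runs, the delegated account administers the service from Central Administration without being a farm administrator; the farm administrator account is no longer needed for day-to-day BCS work, which is the least-privilege outcome the section asks for.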

Managing permissions on the Metadata Store and its contents

The Metadata Store holds the external content type, external system, and BDC model definitions that the Business Data Connectivity service application uses. One of the main jobs of the BCS Services administrator is to manage the security of the Metadata Store and all the items it contains. Items in the Metadata Store get their permissions in two ways. First, you can directly apply permissions to the Metadata Store, BDC models, external systems, or external content types. Second, items can inherit them from a higher-level item. Both methods are shown in the following figure.

Figure: Metadata Store permissions (diagram of inheritance and direct application; image not reproduced)

  • Inheritance   Inheritance happens in two ways. First, when any item is added to the Metadata Store, it inherits the permissions configuration of the Metadata Store itself. Second, the Metadata Store, external system, and external content type items can forcibly overwrite the permissions of items that are below them in the hierarchy. This happens when you select Propagate permissions to all… and click OK while setting permissions on the parent item.

  • Direct Application   If the permissions that an item inherited from its parent (either when the item was added to the Metadata Store or when they were forcibly overwritten) do not meet your needs, you can manually adjust them on the item itself.

You can directly apply four permissions:

  • Edit   This allows the user or group to edit the item.

  • Execute   This allows the user or group to execute the operations (create, read, update, delete, query) of external content types in the Metadata Store. All users of a BCS solution must have Execute permission on the associated external content type.

  • Selectable in Clients   This allows the user or group to use the external content type for external lists and apps for SharePoint by making it available in the external item picker.

  • Set Permissions   This allows the user or group to set permissions on the item. Every item must have at least one user or group that has the Set Permissions permission.

Recommendations for managing Metadata Store permissions

  1. Pick one account, probably your Business Connectivity Services administrator account or your SharePoint Online administrator account, and grant it Set Permissions at the Metadata Store level. This satisfies the requirement that every item has one user or group with Set Permissions, using a securely managed administrative account. If you don't explicitly set an account, the farm account is used by default. Do not select the Propagate permissions to all option; you don't need to, because every item inherits this configuration when it is added to the Metadata Store. Not propagating also prevents unnecessary accounts from gaining access to external systems, BDC models, or external content types that they shouldn't have.

  2. Use the direct application method to configure the permissions on the individual items, again without selecting the Propagate permissions to all option. This lets you maintain a unique permissions configuration on each object.

  3. Periodically, as part of your maintenance and operational plans, review the permissions configuration starting from the Metadata Store level and moving down the hierarchy to ensure that each item has the correct permissions configuration. If the permissions configuration has drifted from what it should be, manually reconfigure it.

  4. Use the Propagate permissions to all option only when you must completely reset all the permissions on the parent item and all its children. This is a destructive process: all custom permissions on child items are lost, which can break BCS solutions for users or groups that lose their permissions.
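The four recommendations above map onto a short SharePoint 2013 Management Shell script. This is an added example, not code from the original article. The web application URL used as the service context, the administrator account, the user group, and the external content type name and namespace are assumptions; the cmdlets are the standard BDC metadata cmdlets, and the review step assumes each metadata object exposes its ACL through a `GetAccessControlList()` method.

```powershell
# Added example (not from the original article): apply the Metadata Store permission
# recommendations with the SharePoint 2013 Management Shell.
# Assumed values: service context URL, administrator account, user group, and the
# external content type (entity) name and namespace.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$serviceContext = "http://intranet.contoso.com"   # assumed web application URL (service context)
$bcsAdmin       = "CONTOSO\bcsadmin"              # assumed BCS administrator account
$solutionUsers  = "CONTOSO\Sales Users"           # assumed AD DS group of solution users
$ectName        = "Customer"                      # assumed external content type name
$ectNamespace   = "http://contoso.com/crm"        # assumed external content type namespace

$admin = New-SPClaimsPrincipal -Identity $bcsAdmin -IdentityType WindowsSamAccountName
$users = New-SPClaimsPrincipal -Identity $solutionUsers -IdentityType WindowsSecurityGroupName

# Recommendation 1: one managed account holds Set Permissions at the Metadata Store level.
# Grant-SPBusinessDataCatalogMetadataObject changes only this item; nothing is propagated,
# so items added later inherit this configuration and nothing else is overwritten.
$store = Get-SPBusinessDataCatalogMetadataObject -BdcObjectType Catalog -ServiceContext $serviceContext
Grant-SPBusinessDataCatalogMetadataObject -Identity $store -Principal $admin -Right SetPermissions, Edit

# Recommendation 2: direct application on a single external content type. Execute is the
# right every solution user needs; Selectable in Clients lets them pick it for external lists.
$ect = Get-SPBusinessDataCatalogMetadataObject -BdcObjectType Entity -Name $ectName `
           -Namespace $ectNamespace -ServiceContext $serviceContext
Grant-SPBusinessDataCatalogMetadataObject -Identity $ect -Principal $users -Right Execute, SelectableInClients

# Recommendation 3: periodic review. Walk the hierarchy top-down and print every access
# control entry, so an unexpected principal or a missing Set Permissions holder stands out.
function Show-BdcAcl($item) {
    # Assumes the metadata object exposes GetAccessControlList() (entries with Principal and Rights).
    foreach ($ace in $item.GetAccessControlList()) {
        "{0,-40} {1,-30} {2}" -f $item.Name, $ace.Principal, $ace.Rights
    }
}
Show-BdcAcl $store
foreach ($model in Get-SPBusinessDataCatalogMetadataObject -BdcObjectType Model -ServiceContext $serviceContext) {
    Show-BdcAcl $model
}
foreach ($system in Get-SPBusinessDataCatalogMetadataObject -BdcObjectType LobSystem -ServiceContext $serviceContext) {
    Show-BdcAcl $system
}
foreach ($entity in Get-SPBusinessDataCatalogMetadataObject -BdcObjectType Entity -ServiceContext $serviceContext) {
    Show-BdcAcl $entity
}

# Recommendation 4: Copy-SPBusinessDataCatalogAclToChildren is the scripted equivalent of
# "Propagate permissions to all". It overwrites every child ACL, so it stays commented out
# and is only run as a deliberate, full reset.
# Copy-SPBusinessDataCatalogAclToChildren -MetadataObject $store
```

Saving the review output from each run and comparing it with the previous run is a simple way to spot drift between scheduled reviews; the grant cmdlets are idempotent, so re-running the first two steps after a drift is found restores the intended configuration without touching unrelated items.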

Mapping accounts and groups in Secure Store Service

In most cases, your users' accounts won't be able to directly access the external data for a BCS solution. This is true when the external system doesn't use Active Directory Domain Services (AD DS) to secure the external data but secures it in a different way. For example, your external data might be in SQL Server, but the database is secured by using SQL Server security. BCS solutions solve this problem by using the Secure Store Service to map your AD DS accounts or groups to external system credentials. To ensure that only the intended people can access the external data, you have to plan the credential mapping between the two systems. The Secure Store Service stores the mappings in a target application. Before you create the target application, you must know who requires access to the external data (their AD DS credentials) and the credentials for the external system. You can also choose an administrator for the target application. There are two ways to configure your mappings:

  • Group mapping   In a group mapping target application, you add AD DS user accounts and security groups to the target application and then map them to a single set of credentials from the external system. This is the easiest way to manage access to the BCS solution.

  • Individual mapping   In an individual mapping target application, you can only map a single AD DS user account to a single set of credentials from the external system; this is a 1:1 mapping. You would generally use it if you have very few accounts to manage or if you want to track access and activity on the external system per user.
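The SQL Server case described above (external data secured with SQL Server security rather than AD DS) can be set up as a group mapping target application from the SharePoint 2013 Management Shell. This is an added example, not code from the original article; the service context URL, target application name, AD DS group, administrator account, and SQL Server login are assumptions, and the cmdlets are the standard Secure Store cmdlets.

```powershell
# Added example (not from the original article): a group-mapping Secure Store target
# application that maps one AD DS group to a single SQL Server login.
# Assumed values: service context URL, target application ID, the AD DS group that gets
# access, the target application administrator, and the SQL Server login name.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$serviceContext = "http://intranet.contoso.com"   # assumed web application URL (service context)
$targetAppName  = "CrmDbCredentials"              # assumed target application ID
$membersGroup   = "CONTOSO\Sales Users"           # assumed AD DS group mapped to the credentials
$targetAppAdmin = "CONTOSO\bcsadmin"              # assumed target application administrator
$sqlLogin       = "crm_reader"                    # assumed SQL Server login; give it only the rights the solution needs

# SQL Server security uses its own login and password, so the fields are UserName/Password
# rather than WindowsUserName/WindowsPassword. The password field is masked in the UI.
$fields = @(
    New-SPSecureStoreApplicationField -Name "UserName" -Type UserName -Masked:$false
    New-SPSecureStoreApplicationField -Name "Password" -Type Password -Masked:$true
)

# Group: many AD DS principals share one credential set (the "group mapping" above).
# Individual would instead require a separate credential mapping per user account.
$targetApp = New-SPSecureStoreTargetApplication -Name $targetAppName `
    -FriendlyName "CRM database (SQL Server security)" `
    -ContactEmail "bcsadmin@contoso.com" `
    -ApplicationType Group

$adminClaim   = New-SPClaimsPrincipal -Identity $targetAppAdmin -IdentityType WindowsSamAccountName
$membersClaim = New-SPClaimsPrincipal -Identity $membersGroup -IdentityType WindowsSecurityGroupName

# CredentialsOwnerGroup is the set of AD DS principals that resolve to the stored credentials;
# Administrator is who may manage this target application.
$app = New-SPSecureStoreApplication -ServiceContext $serviceContext -TargetApplication $targetApp `
    -Fields $fields -Administrator $adminClaim -CredentialsOwnerGroup $membersClaim

# Store the external system's credentials. Reading the password interactively keeps it out
# of the script file and the shell history.
$password    = Read-Host -Prompt "SQL Server password for $sqlLogin" -AsSecureString
$credentials = @(
    (ConvertTo-SecureString $sqlLogin -AsPlainText -Force)
    $password
)
Update-SPSecureStoreGroupCredentialMapping -Identity $app -Values $credentials
```

The no-code external content type then references the target application ID (`CrmDbCredentials` here) so that BCS fetches the SQL login on behalf of any member of the mapped group. Because every member shares one login, access tracking on the SQL Server side is per group, not per person; that is the trade-off the Individual mapping bullet above describes.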

For more information about how to plan for the Secure Store Service, see Plan the Secure Store Service in SharePoint Server 2013. For more information about how to configure the Secure Store Service and how to create target applications, see Configure the Secure Store Service In SharePoint 2013.

Managing permissions on the BDC Service application

By default, every web application in your farm is granted access to the BDC Service application through the server farm account. To restrict access to only certain web applications, remove the server farm account and add the application pool identity accounts of the desired web applications. This lets you control which web applications have access to the BDC Service application. For more information, see Set Permissions to a published service application (SharePoint Server).

If you are publishing the BCS Service Application to other farms, you have to add the Farm IDs of the consuming farms. For more information, see Share service applications across farms (SharePoint Server 2010).
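The consumer-side restriction described above (replace the farm account with the application pool identity of the web applications that should keep access) can be done from the SharePoint 2013 Management Shell. This is an added example, not code from the original article; the service application display name, the web application URL, and the farm account name are assumptions, and the cmdlets are the standard service application security cmdlets.

```powershell
# Added example (not from the original article): restrict which web applications may
# consume the BDC service application by replacing the farm account entry on the consumer
# ACL with the application pool identity of one web application.
# Assumed values: service application display name, web application URL, farm account.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$bdcAppName  = "Business Data Connectivity Service"   # assumed display name
$webAppUrl   = "http://intranet.contoso.com"          # assumed web application that keeps access
$farmAccount = "CONTOSO\spfarm"                       # assumed server farm account

$bdcApp = Get-SPServiceApplication | Where-Object { $_.DisplayName -eq $bdcAppName }
if (-not $bdcApp) { throw "BDC service application '$bdcAppName' not found" }
$webApp = Get-SPWebApplication $webAppUrl

# Consumer ACL (no -Admin): the identities allowed to call the service application.
$acl = Get-SPServiceApplicationSecurity -ServiceApplication $bdcApp

# The web application's application pool identity is the account that actually calls BDC.
$poolAccount = $webApp.ApplicationPool.Username
$poolClaim   = New-SPClaimsPrincipal -Identity $poolAccount -IdentityType WindowsSamAccountName
Grant-SPObjectSecurity -Identity $acl -Principal $poolClaim -Rights "Full Control"

# Remove the farm account, so web applications that run under any other identity lose access.
$farmClaim = New-SPClaimsPrincipal -Identity $farmAccount -IdentityType WindowsSamAccountName
Revoke-SPObjectSecurity -Identity $acl -Principal $farmClaim

Set-SPServiceApplicationSecurity -ServiceApplication $bdcApp -ObjectSecurity $acl

# Verify the resulting consumer ACL: only the application pool identity should remain.
(Get-SPServiceApplicationSecurity -ServiceApplication $bdcApp).AccessRules |
    Select-Object Name, AllowedRights
```

Add the grant step once per web application that should keep access before revoking the farm account. Central Administration's own application pool runs as the farm account, so check the BDC administration pages still work after the change and re-grant access if they do not.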

SharePoint Online administrators, site collection administrators, and site owners have to manage security for site collections and sites, as well as for external lists on those sites. If you are in this role and will be creating external content types by using SharePoint Designer 2013, you have to understand the different authentication modes that Business Connectivity Services supports, including using a target application in Secure Store. The following table provides information about security tasks for administrators.

Table: Security tasks for administrators (each row lists the security task, then the articles with a description of each)

Security task: Set authentication mode and credentials in a no-code external content type

  1. "Business Connectivity Services authentication overview": Learn what the supported authentication modes are for BCS.

  2. "Introduction to external data": An Office.com introduction to external data.

  3. "Configure the Secure Store Service In SharePoint 2013": Configure storage of authorization credentials in Secure Store Service on a SharePoint Server 2013 farm. A video demonstration is included.

Security task: Manage external list permissions

  1. "Introduction: Control user access with permissions": An Office.com article on understanding and managing user permissions in SharePoint products, including SharePoint Online.

  2. "What is uniquely secured content?": Uniquely secured content is any content that does not use the same permissions settings as the site collection that contains the content. Instead, the content has its own unique permissions settings. When you are working with permissions on your site, you might see a message about uniquely secured content on the permissions page.

  3. "Edit permissions for a list, library or individual item": This topic explains how to assign unique permissions for an individual site, list, library, folder, list item, or document.

Security task: Manage SharePoint Online BCS

  1. "Business Connectivity Services security for IT professionals": A description of security-related administrative tasks for BCS.

Security task: Manage the Office client Trust Center

  1. "View my options in settings in the Trust Center": The Trust Center is where you can find security and privacy settings for Microsoft Office programs. With the consistent appearance of the ribbon in Office programs, the steps to find the Trust Center are the same for each program.

Of all the roles involved in Business Connectivity Services solution security tasks, the developer has to have the deepest understanding of the BCS security architecture and how to use it to create a secure BCS solution. The following table summarizes the security tasks that the developer performs and links to detailed information in the MSDN Library.

Table: Security tasks for developers (each row lists the developer security task, then the articles with a summary of each)

Developer security task: Configure authentication modes for external content types

  1. "Using OData sources with Business Connectivity Services in SharePoint 2013": Learn how to get started creating external content types based on OData sources and using that data in SharePoint 2013 Preview or Office 2013 components.

  2. "How to: Create an external content type from an OData source in SharePoint 2013": Learn how to use Visual Studio 2012 to discover a published OData source and create a reusable external content type for use in Microsoft Business Connectivity Services (BCS) in SharePoint 2013 Preview.

  3. "External content types in SharePoint 2013": Learn what you can do with external content types and what you must have to start creating them in SharePoint 2013 Preview.

  4. "How to: Create external content types for SQL Server in SharePoint 2013 Preview": Learn how to create an external content type for SQL Server in SharePoint 2013 Preview. Creating an external content type is a pivotal task when you are working with external data. An external content type contains important information about connections, access, methods of operation, columns, filters, and other metadata that is used to retrieve the data from the external data source.

Developer security task: Manage OAuth, exchange of tokens, and building web requests

  1. "Authentication, authorization, and security in SharePoint 2013": Learn about authentication and authorization in SharePoint products, claims-based identity and authentication, and forms-based authentication.

Developer security task: Manage development environment security

  1. "Start: Set up the development environment for SharePoint 2013": Learn the steps to set up a SharePoint 2013 Preview development environment by installing SharePoint 2013 Preview and Visual Studio 2012.

Developer security task: Manage security for apps for Office and SharePoint

  1. "Deploying and installing apps for SharePoint: methods and options": Learn about the methods for publishing, installing, and uninstalling an app for SharePoint.

Developer security task: Manage security on events and alerts from external systems

  1. "External events and alerts in SharePoint 2013": Learn the concepts behind creating event receivers in SharePoint 2013 Preview that can be attached to external lists and execute when the external data that the list represents is updated.