Solution designers, administrators, and end users interact with composite solutions using external content types, which enable the presentation of and interaction with external data in SharePoint lists (known as external lists), Web Parts, and supported Microsoft Office 2010 client applications. Permissions are recorded in the metadata definitions for the various objects stored in the BCS metadata store, such as external systems, models, and external content types. By correctly setting permissions on objects in Microsoft Business Connectivity Services, you help enable solutions to securely incorporate external data.

Roles in Business Connectivity Services

Following are the roles that individuals (or processes) in an organization must fill in Business Connectivity Services scenarios. Depending on your solution goals, individuals and groups in these roles may be assigned various levels of permissions on the objects in the metadata store:

  • SharePoint Server administrator: Deploys, administers, and maintains the server farm and creates the shared services that Business Connectivity Services depends on.
  • Database administrator: Deploys, administers, and maintains the database server.
  • Shared Service administrator: SharePoint Server administrators can delegate administration of an instance of a shared service to a shared service administrator.
  • Solution designer: Develops models and external content types using SharePoint Designer 2010.
  • Solution developer: Uses development tools such as Visual Studio 2008 to create external content types, Web services, and other components of a BCS solution.
  • Solution user: Interacts with the external content type to modify data or enter new data. Solution users can be configured to only be able to perform a subset of the operations available at an external system. For example, some solution users may be given the permissions to create and delete items in an external system while others may only be permitted to modify existing items.
  • Solution viewer: Views the external data in Web parts or external lists.
  • Application pool account: The account under which a shared service or other Web application will run.

What can permissions be assigned to?

The Business Data Connectivity service contains a metadata store that includes all the models, external systems, external content types, methods, and method instances that have been defined for that store’s purpose. Permissions in the Business Connectivity Services associate an individual account, group account, or claim with one or more permission levels on an object in a metadata store. Depending on the object for which the user or group is being granted permissions, the permission level specifies the actions that the user or group can take on that object. All permissions on objects in the Business Connectivity Services can be set using the following values: Edit, Execute, Selectable in clients, and SetPermissions. This section describes the types of objects in Business Connectivity Services on which permissions can be directly set and, for each object, describes how to assign permissions depending on the actions you want to permit.

clip_image002

In the drawing above, each object on which permissions can be set and optionally propagated to all objects below it is drawn with a solid line. (If the permissions can be set using the Business Data Connectivity service administration pages, the item is shown with a “ui” symbol.) Each object that only takes its permissions from its parent object is drawn with a dotted line. For example, the illustration shows that an External system (LobSystem) can be secured by assigning permissions directly to it, but an Action cannot be assigned permissions directly but takes its permissions from its parent External content type (Entity).

Note that when the permissions on an object in a metadata store are propagated, permission settings to all descendants of that item are replaced by the permissions of the propagating object. For example, if permissions are propagated from an External Content Type, all Methods and Method Instances of that External Content Type receive the new permissions.

Some objects can be assigned permissions by users with administrative permissions using the Business Data Connectivity service user interface. In the drawing above, those objects are displayed with a “UI” label.

Metadata store

The metadata store is the collection of XML files in the Business Data Connectivity service that contain definitions of models, external content types, and external systems.

To allow a user or group to …

Give them the following permissions …

On …

Set permissions on any object contained in the metadata store by propagating them from the metadata store.

SetPermissions

The metadata store

Model

A model is XML file that contains sets of descriptions of one or more external content types, their related external systems, and information that is specific to the environment, such as authentication properties.

To allow a user or group to …

Give them the following permissions …

On …

Create new models

Edit

The metadata store

Edit a model

Edit

The model

Set permissions on a model

SetPermissions

The model

Import a model

Edit

The metadata store

Export a model

Edit

The model and all external systems in the model

External system

An external system is the metadata definition of a supported source of data that can be modeled, such as a database, Web service, or .NET connectivity assembly.

To allow a user or group to …

Give them the following permissions …

On …

Create new external systems

Edit

The metadata store

Edit an external system

Edit

The external system

Use the external system in SharePoint Designer 2010

Edit

The external system

Set permissions on the external system

SetPermissions

The external system

External content type

An external content type is a reusable collection of metadata that defines a set of data from one or more external systems, the operations available on that data, and connectivity information related to that data.

To allow a user or group to …

Give them the following permissions …

On …

Create new external content types

Edit

The external system

Execute operations on an external content type

Execute

The method instances of the operation

Create lists of the external content type

Selectable in clients

The external content type

Set permissions on the external content type

SetPermissions

The external content type

Method

A method is an operation related to an external content type such as Read or Update.

To allow a user or group to …

Give them the following permissions …

On …

Edit a method

Edit

The method

Set permissions on a method

SetPermissions

The method

Method instance

A method instance describes, for a particular method, how to use a method by using a specific set of default values.

To allow a user or group to …

Give them the following permissions …

On …

Edit a method instance

Edit

The method instance

Execute a method instance

Execute

The method instance

Set permissions on a method instance

SetPermissions

The method instance

Example Scenario

In this scenario, a small departmental Web server hosts both SharePoint Server 2010 and a SQL Server database containing external data that will be integrated into a composite solution. For example, a small organization could use Business Connectivity Services to interact with customer contact information that is stored in a SQL Server database by creating a composite solution that exposes the data both in a SharePoint site using external lists and Web parts and from Microsoft Outlook 2010. Some users of the solution will have authorization to add new contacts or modify existing ones; other users will have read-only privileges.

The following permissions are typical for this scenario:

Role

Is given permissions …

By …

SharePoint Server Administrator

Full permissions to the metadata store.

SharePoint Server Administrator

Business Data Connectivity Service administrator

SetPermissions permission on the metadata store

SharePoint Server Administrator or other shared service administrators

Solution designer

Edit, Execute, and Selectable in clients permissions on the metadata store.

Business Data Connectivity Service administrators

Solution user

Execute permission on create, read, update, and delete operation method instances.

Business Data Connectivity Service administrators

Solution viewer

Execute permission on read operation method instances

Business Data Connectivity Service administrators

For more information on setting Business Connectivity Services permissions, along with other security-related topics, see my TechNet topic Business Connectivity Services security overview (SharePoint Server 2010).

-Rob Silver, SharePoint IT Pro Content Team

This post was updated 3/16/2010