Solution designers, administrators, and end users interact with composite solutions using external content types, which enable the presentation of and interaction with external data in SharePoint lists (known as external lists), Web Parts, and supported Microsoft Office 2010 client applications. Permissions are recorded in the metadata definitions for the various objects stored in the BCS metadata store, such as external systems, models, and external content types. By correctly setting permissions on objects in Microsoft Business Connectivity Services, you help enable solutions to securely incorporate external data.
Following are the roles that individuals (or processes) in an organization must fill in Business Connectivity Services scenarios. Depending on your solution goals, individuals and groups in these roles may be assigned various levels of permissions on the objects in the metadata store:
The Business Data Connectivity service contains a metadata store that includes all the models, external systems, external content types, methods, and method instances that have been defined for that store’s purpose. Permissions in Business Connectivity Services associate an individual account, group account, or claim with one or more permission levels on an object in a metadata store. Depending on the object for which the user or group is being granted permissions, the permission level specifies the actions that the user or group can take on that object. All permissions on objects in Business Connectivity Services are set using the following values: Edit, Execute, Selectable in clients, and SetPermissions. This section describes the types of objects in Business Connectivity Services on which permissions can be directly set and, for each object, describes how to assign permissions depending on the actions you want to permit.
In the drawing above, each object on which permissions can be set and optionally propagated to all objects below it is drawn with a solid line. (If the permissions can be set using the Business Data Connectivity service administration pages, the item is shown with a “ui” symbol.) Each object that only takes its permissions from its parent object is drawn with a dotted line. For example, the illustration shows that an External system (LobSystem) can be secured by assigning permissions directly to it, but an Action cannot be assigned permissions directly but takes its permissions from its parent External content type (Entity).
Note that when the permissions on an object in a metadata store are propagated, the permission settings of all descendants of that object are replaced by the permissions of the propagating object. For example, if permissions are propagated from an External Content Type, all Methods and Method Instances of that External Content Type receive the new permissions.
Some objects can be assigned permissions by users with administrative permissions using the Business Data Connectivity service user interface. In the drawing above, those objects are displayed with a “UI” label.
The metadata store is the collection of XML files in the Business Data Connectivity service that contain definitions of models, external content types, and external systems.
| To allow a user or group to … | Give them the following permissions … | On … |
|---|---|---|
| Set permissions on any object contained in the metadata store by propagating them from the metadata store. | SetPermissions | The metadata store |
A model is an XML file that contains sets of descriptions of one or more external content types, their related external systems, and information that is specific to the environment, such as authentication properties.

| To allow a user or group to … | Give them the following permissions … | On … |
|---|---|---|
| Create new models | Edit | |
| Edit a model | | The model |
| Set permissions on a model | | |
| Import a model | | |
| Export a model | | The model and all external systems in the model |
An external system is the metadata definition of a supported source of data that can be modeled, such as a database, Web service, or .NET connectivity assembly.

| To allow a user or group to … | Give them the following permissions … | On … |
|---|---|---|
| Create new external systems | | |
| Edit an external system | | The external system |
| Use the external system in SharePoint Designer 2010 | | |
| Set permissions on the external system | | |
An external content type is a reusable collection of metadata that defines a set of data from one or more external systems, the operations available on that data, and connectivity information related to that data.

| To allow a user or group to … | Give them the following permissions … | On … |
|---|---|---|
| Create new external content types | | |
| Execute operations on an external content type | Execute | The method instances of the operation |
| Create lists of the external content type | Selectable in clients | The external content type |
| Set permissions on the external content type | | |
A method is an operation related to an external content type such as Read or Update.

| To allow a user or group to … | Give them the following permissions … | On … |
|---|---|---|
| Edit a method | | The method |
| Set permissions on a method | | |
A method instance describes how to use a particular method with a specific set of default values.

| To allow a user or group to … | Give them the following permissions … | On … |
|---|---|---|
| Edit a method instance | | The method instance |
| Execute a method instance | | |
| Set permissions on a method instance | | |
In this scenario, a small departmental Web server hosts both SharePoint Server 2010 and a SQL Server database containing external data that will be integrated into a composite solution. For example, a small organization could use Business Connectivity Services to interact with customer contact information that is stored in a SQL Server database by creating a composite solution that exposes the data both in a SharePoint site, using external lists and Web Parts, and from Microsoft Outlook 2010. Some users of the solution will have authorization to add new contacts or modify existing ones; other users will have read-only privileges.
The following permissions are typical for this scenario:
| Role | Is given permissions … | By … |
|---|---|---|
| SharePoint Server Administrator | Full permissions to the metadata store. | |
| Business Data Connectivity Service administrator | SetPermissions permission on the metadata store | SharePoint Server Administrator or other shared service administrators |
| Solution designer | Edit, Execute, and Selectable in clients permissions on the metadata store. | Business Data Connectivity Service administrators |
| Solution user | Execute permission on create, read, update, and delete operation method instances. | |
| Solution viewer | Execute permission on read operation method instances | |
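The scenario above scripted with the SharePoint 2010 Management Shell BDC cmdlets, as an added example that is not part of the original post. The site URL, account names, and the external content type name and namespace are placeholders, and the Methods, MethodInstances and MethodInstanceType property names on the administration object model are assumed.

```powershell
# Applies the scenario's permission scheme: store-level rights for admins and designers,
# then per-object rights so that editors can execute every operation and viewers only reads.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$serviceContext = "http://sharepoint.contoso.local"    # assumed site URL; locates the BDC service application
$bdcAdmins = "CONTOSO\BdcAdmins"                       # assumed: Business Data Connectivity Service administrators
$designers = "CONTOSO\SolutionDesigners"               # assumed: solution designers
$editors   = "CONTOSO\ContactEditors"                  # assumed: solution users (create, read, update, delete)
$viewers   = "CONTOSO\ContactViewers"                  # assumed: solution viewers (read only)

# 1. The metadata store (BdcObjectType Catalog). SetPermissions lets the BDC administrators manage
#    permissions on every object in the store; Edit/Execute/SelectableInClients lets designers model and test.
$store = Get-SPBusinessDataCatalogMetadataObject -BdcObjectType Catalog -ServiceContext $serviceContext
Grant-SPBusinessDataCatalogMetadataObject -Identity $store -Principal $bdcAdmins -Right SetPermissions
Grant-SPBusinessDataCatalogMetadataObject -Identity $store -Principal $designers -Right Edit,Execute,SelectableInClients

# Propagate the store's permissions downward. This REPLACES the permissions of every descendant,
# so do it before granting the finer-grained rights below, not after.
Copy-SPBusinessDataCatalogAclToChildren -MetadataObject $store

# 2. The external content type (BdcObjectType Entity) that models the customer contacts.
$ect = Get-SPBusinessDataCatalogMetadataObject -BdcObjectType Entity -ServiceContext $serviceContext `
           -Name "Contact" -Namespace "http://contoso.local/customers"   # assumed ECT name and namespace

# Selectable in clients on the external content type is what allows creating external lists from it
# and picking it in Office clients; it grants no right to run any operation.
Grant-SPBusinessDataCatalogMetadataObject -Identity $ect -Principal $editors -Right SelectableInClients
Grant-SPBusinessDataCatalogMetadataObject -Identity $ect -Principal $viewers -Right SelectableInClients

# 3. Execute is enforced on method instances, so that is where the editor/viewer split is made:
#    editors may execute every operation, viewers only the read operations (Finder and SpecificFinder).
$readOnlyTypes = @("Finder", "SpecificFinder")
foreach ($method in $ect.Methods) {                       # assumed: Entity.Methods (administration object model)
    foreach ($instance in $method.MethodInstances) {      # assumed: Method.MethodInstances
        Grant-SPBusinessDataCatalogMetadataObject -Identity $instance -Principal $editors -Right Execute
        if ($readOnlyTypes -contains [string]$instance.MethodInstanceType) {   # assumed: MethodInstanceType
            Grant-SPBusinessDataCatalogMetadataObject -Identity $instance -Principal $viewers -Right Execute
        }
    }
}
```

Re-running Copy-SPBusinessDataCatalogAclToChildren on the store later would wipe the method-instance grants in step 3, so keep propagation as the first step of any change to this scheme.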
For more information on setting Business Connectivity Services permissions, along with other security-related topics, see my TechNet topic Business Connectivity Services security overview (SharePoint Server 2010).
-Rob Silver, SharePoint IT Pro Content Team
This post was updated 3/16/2010