Authentication and Authorization for the Business Data Catalog
Authentication is working out who someone is.
Authorization is working out what someone can do.
Business Data Catalog Authentication
The authentication within the Business Data Catalog involves passing an identity from SharePoint to your backend data source, to make sure the identity has the necessary permissions to retrieve data. The BDC authentication mechanism you are going to use is defined within your application definition file:

These properties are then pieced together to create a connection string that is used to connect to your data source. If you are working with MS SQL Server, there are two main types of BDC authentication you are interested in:
1, PassThrough - the logged-on user's identity is passed from the browser to SharePoint to the data source, i.e. it is passed all the way through. This enables SQL Server to identify users uniquely and check whether they have the necessary permissions on a table, view or stored procedure (this step is authorization). The big issue with PassThrough BDC authentication is the double hop issue.
2, RevertToSelf - this BDC authentication type uses the SharePoint web app's application pool identity to access the BDC data source. This means there is only one hop, from SharePoint to the database, so you do not get the double hop issue. As all users connect through the web app's application pool identity, you cannot do authorization at the database level because the database cannot uniquely identify each user. This is where authorization at the BDC level comes in (see the later section).
You can also make use of two further methods, Single Sign On and using a database account:
3, Single Sign On allows you to map credentials from one system to another without your users having to re-authenticate. This is one of the solutions for getting over the double hop issue associated with PassThrough. Configuring SSO requires additional steps outside the BDC, but we have a whitepaper you can download to get you going.
4, Database credentials - if you are using SQL accounts, it is possible to have all your users connect as a SQL user. We'll show you how to do this now in BDC Meta Man.
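To show how the LobSystemInstance properties in the application definition file become the connection string, and how the PassThrough and RevertToSelf choices above change who actually reaches SQL Server, here is an added audit script (not part of the original post or of BDC Meta Man). It reassembles the connection string the way the text describes, every "RdbConnection <key>" property becoming a key=value pair, and reports the caveats from the list above; the sample XML, server name and SQL login are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample definition: one LobSystemInstance per style discussed above.
SAMPLE_XML = """<LobSystem Type="Database" Name="Northwind"
    xmlns="http://schemas.microsoft.com/office/2006/03/BusinessDataCatalog">
  <LobSystemInstances>
    <LobSystemInstance Name="NorthwindPassThrough"><Properties>
      <Property Name="AuthenticationMode" Type="System.String">PassThrough</Property>
      <Property Name="RdbConnection Data Source" Type="System.String">sqlserver01</Property>
      <Property Name="RdbConnection Initial Catalog" Type="System.String">Northwind</Property>
      <Property Name="RdbConnection Integrated Security" Type="System.String">SSPI</Property>
    </Properties></LobSystemInstance>
    <LobSystemInstance Name="NorthwindSqlLogin"><Properties>
      <Property Name="AuthenticationMode" Type="System.String">RevertToSelf</Property>
      <Property Name="RdbConnection Data Source" Type="System.String">sqlserver01</Property>
      <Property Name="RdbConnection Initial Catalog" Type="System.String">Northwind</Property>
      <Property Name="RdbConnection User ID" Type="System.String">bdc_reader</Property>
      <Property Name="RdbConnection Password" Type="System.String">PLACEHOLDER</Property>
    </Properties></LobSystemInstance>
  </LobSystemInstances>
</LobSystem>"""

RDB = "RdbConnection "   # prefix the BDC strips before building the connection string


def local(tag):
    """Tag name without the XML namespace, so the file's default namespace does not matter."""
    return tag.split("}")[-1]


def audit_instances(xml_text):
    """Return {instance name: (mode, connection string, notes)} for every LobSystemInstance."""
    report = {}
    for inst in ET.fromstring(xml_text).iter():
        if local(inst.tag) != "LobSystemInstance":
            continue
        props = {p.get("Name"): (p.text or "").strip() for p in inst.iter() if local(p.tag) == "Property"}
        mode = props.get("AuthenticationMode", "PassThrough")  # treat a missing mode as the tool's default
        conn = ";".join(f"{k[len(RDB):]}={v}" for k, v in props.items() if k.startswith(RDB))
        notes = []
        if mode == "PassThrough":
            notes.append("user identity reaches SQL Server: authorize per user at the database; expect the double hop issue")
            if props.get(RDB + "Integrated Security", "").upper() not in ("SSPI", "TRUE"):
                notes.append("PassThrough without Integrated Security: the user's Windows identity will not be used")
        elif mode == "RevertToSelf":
            notes.append("app pool identity reaches SQL Server: database cannot tell users apart; authorize in the SSP")
        if RDB + "Password" in props:
            notes.append("SQL login password sits in the definition file: restrict who can read it")
        report[inst.get("Name")] = (mode, conn, notes)
    return report
```

Run it over your own generated definition file before importing it into the SSP; the RevertToSelf instance is also the shape BDC Meta Man produces when you enter a SQL username and password.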
Configuring Business Data Catalog Authentication in BDC Meta Man
1, Connect to your MS SQL Server database and drag a table onto the design surface to create a BDC Entity.
2, The treeview in the bottom left of the application will now be populated, with the name of the LOBSystem as the root node of the tree.
3, Right click on the LOBSystem root node of the tree and pick Edit.

4, The LOB System/Instance Management window will now appear, where you can configure the authentication.

5, By default we always set the BDC Authentication Mode to PassThrough. To change it to RevertToSelf, just select it from the drop down and click Save. That's it; now you can generate your application definition file. One thing you do need to ensure when using RevertToSelf is that your SharePoint web app's application pool identity is a domain account and has the necessary permissions in your data source to read data.
6, If you want the BDC to use a SQL database account, while in the LOB System/Instance Management screen, set the Authentication Mode to RevertToSelf and enter your SQL account username and password in the Username and Password fields. Having to set the Authentication Mode to RevertToSelf is a little confusing, but this is the way to get it to work.

Business Data Catalog Authorization
Once SharePoint and your data source know who you are through authentication, you can work out exactly what the user can do. If you are using PassThrough authentication you can authorize users at the data source end. How to do this is more SQL Server (if this is your data source) configuration than BDC configuration per se, so here is a good starting point on managing SQL Server access.
For those using any other BDC authentication mode (or if you do not want to configure authorization at your data source end), you can also set access permissions on BDC applications, and even on entities, within your Shared Service Provider. To configure the BDC permissions within your Shared Service Provider:
1, Navigate to your Shared Service Provider Administration page. Within the Business Data Catalog section you'll find a link to Business Data Catalog Permissions.

2, This is where you can give permissions to the BDC as a whole.

3, You can add an Active Directory (if this is what you are using) user or group and give them the permissions you want.

4, Back on the screen that lists the users, there is an important button, 'Copy all permissions to descendants', which will copy the selected users' permissions down to the BDC applications and entities.

5, You can also manage the permissions of a single BDC application. Back at your SSP administration home page, click on View Applications and select one of the BDC applications you have imported.
6, On the BDC Application home page you'll see another link to Manage Permissions where you can set authorization at the application level.

7, You can go a step further by clicking on an Entity in your BDC application page; the Entity page has a Manage Permissions link as well.

Hopefully this has explained the difference between Authentication and Authorization, and how to configure both aspects for the Business Data Catalog.