
Manage external systems (SharePoint Server 2010)

Applies to: SharePoint Server 2010, SharePoint Foundation 2010

Summary: Administrators of Business Data Connectivity service applications can perform operations on the source of data for those applications to maintain security and ensure appropriate access to data.

An external system is a source of data, such as a Web service, SQL Server database, other relational database, or a custom connector, that can be used in a solution. An instance of an external system includes connection and authentication information for a specific instance of an external system. There can be one or more instances of an external system for any external system. Configuring multiple external system instances allows the solution designer to set different security parameters on external data connections to support multiple ways to connect to the same external system. However, in many applications, a single external system instance is all that is needed.

In this article:

  • Set permissions on an external system

  • View all external systems for a Business Data Catalog service application instance

  • Delete an external system

  • View the external content types of an external system

  • Configure an external system

  • Configure an instance of an external system

Set permissions on an external system

You set permissions on an external system to specify who can edit it, who can execute operations (such as read or update) on external content types stored at the external system, who can create external lists using the data that is stored in the external system, and who can set permission on it.

We recommend that you give specific permissions to each user or group that needs them, in such a way that the credentials provide the least privilege necessary to perform the needed tasks. For more information about setting permissions, see Business Connectivity Service permissions overview in "Business Connectivity Services security overview (SharePoint Server 2010)".

To set permissions on an external system

  1. Verify that you have one of the following administrative credentials:

    • You must be a farm administrator.

    • You must be an administrator of the Business Data Connectivity service application and have Set Permissions permission on the external system.

  2. On the Central Administration Web site, in the Application Management section, click Manage service applications.

  3. Click in the Name column of the row that corresponds to the Business Data Connectivity service application.

  4. In the View group of the ribbon, click External Systems.

  5. Click the check box of the external system for which you want to set permissions.

  6. In the Permissions group of the ribbon, click Set Object Permissions.

  7. In the box, type the user accounts, groups, or claims for which permissions will be granted, and then click Add.

    Note

    The user account, group, or claim cannot have a vertical bar (|) in its name.

  8. Set the permissions for the account, group, or claim:

    Note

    At least one user, group or claim in the metadata object's access control list must have the Set Permissions permission.

    • Click Edit to allow the user, group, or claim to edit the external system.

      Security Note
      The Edit permission should be considered highly privileged. With the Edit permission a malicious user can steal credentials or corrupt a server farm. To help ensure a secure solution, we recommend using a test environment where the Edit permission can be assigned freely to developers and solution designers. When you deploy the tested solution to a production environment, remove the Edit permissions.

    • Click Execute to allow the user, group, or claim to execute operations (create, read, update, delete, or query) on external content types that are stored at the external system.

      Tip

      The Execute permission is not applicable to the external system itself. This setting is used when you want to propagate the Execute permission to child objects (such as external content types) in the external system.

    • Click Selectable In Clients to allow the user, group, or claim to create external lists of any external content types whose data is stored at the external system and to view the external content types in the external item picker.

      Tip

      The Selectable In Clients permission is not applicable to the external system itself. This setting is used when you want to propagate the Selectable In Clients permission to child objects (such as external content types) in the external system.

    • Click Set Permissions to allow the user, group, or claim to set permissions on the external system.

      Security Note
      The Set Permissions permission should be considered highly privileged. With the Set Permissions permission, a user can grant Edit permission to the external system.

  9. To propagate permissions to all items nested in the external system, click Propagate permissions to all External Content Types that belong to this External System. Doing so will overwrite existing permissions.
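The same permission model can be applied from the SharePoint 2010 Management Shell with the Business Data Connectivity cmdlets. The script below is an added example, not part of this article; the site URL, the external system name ContosoCRM and the three CONTOSO group names are assumed values, and the test-versus-production switch is a placeholder for whatever marks the farm in your environment.

```powershell
# Added example (not from the TechNet article): grant least-privilege rights on one
# external system with the SharePoint Server 2010 BDC cmdlets instead of the ribbon.
# Assumed values: the site URL, the external system name "ContosoCRM" and the group names.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl    = "http://intranet.contoso.com"   # any site served by the BDC service application (assumed)
$systemName = "ContosoCRM"                    # external system (LobSystem) name (assumed)
$isProduction = $false                        # placeholder: how you identify the production farm

# Resolve the external system as a metadata object.
$lobSystem = Get-SPBusinessDataCatalogMetadataObject -BdcObjectType LobSystem `
    -ServiceContext $siteUrl -Name $systemName
if ($lobSystem -eq $null) { throw "External system '$systemName' was not found" }

# Principals are claims; as the article notes, the names must not contain a vertical bar (|).
$bdcAdmins  = New-SPClaimsPrincipal -Identity "CONTOSO\BDC-Admins"      -IdentityType WindowsSecurityGroupName
$endUsers   = New-SPClaimsPrincipal -Identity "CONTOSO\CRM-Readers"     -IdentityType WindowsSecurityGroupName
$developers = New-SPClaimsPrincipal -Identity "CONTOSO\BDC-Developers"  -IdentityType WindowsSecurityGroupName

# Administrators keep Set Permissions (the ACL must retain at least one such entry) plus Edit.
Grant-SPBusinessDataCatalogMetadataObject -Identity $lobSystem -Principal $bdcAdmins -Right "Edit,SetPermissions"

# End users need only Execute and Selectable In Clients. Both are meaningless on the
# external system itself and take effect once propagated to the external content types.
Grant-SPBusinessDataCatalogMetadataObject -Identity $lobSystem -Principal $endUsers -Right "Execute,SelectableInClients"

# Edit for developers is a test-farm grant only; revoke it when the solution reaches production.
if (-not $isProduction) {
    Grant-SPBusinessDataCatalogMetadataObject  -Identity $lobSystem -Principal $developers -Right "Edit"
} else {
    Revoke-SPBusinessDataCatalogMetadataObject -Identity $lobSystem -Principal $developers -Right "Edit"
}

# Equivalent of "Propagate permissions to all External Content Types": this overwrites
# the existing ACLs of every external content type in the external system.
Copy-SPBusinessDataCatalogAclToChildren -MetadataObject $lobSystem
```

Run it under an account that is a farm administrator or a BDC service application administrator holding Set Permissions on the external system, as step 1 requires; the propagation at the end replaces child permissions rather than merging them, so review the external content types afterwards.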

View all external systems for a Business Data Connectivity service application instance

View the external systems in the Business Data Connectivity service application to choose an external system before configuring it or to perform some other operation.

To view all external systems for a Business Data Connectivity service application instance

  1. Verify that you have the following administrative credentials:

    • You must be a farm administrator or an administrator of the service application.

  2. On the Central Administration Web site, in the Application Management section, click Manage service applications.

  3. Click in the Name column of the row that corresponds to the Business Data Connectivity service application.

  4. In the View group of the ribbon, click External Systems.

Delete an external system

Delete an external system to remove it from the metadata store.

Note

You cannot delete an external system that contains external content types in the metadata store. To delete the external system, you must first delete all external content types that it contains.

To delete an external system

  1. Verify that you have one of the following administrative credentials:

    • You must be a farm administrator.

    • You must be an administrator of the Business Data Connectivity service application and have Edit permission on the external system.

  2. On the Central Administration Web site, in the Application Management section, click Manage service applications.

  3. Click in the Name column of the row that corresponds to the Business Data Connectivity service application.

  4. In the View group of the ribbon, click External Systems.

  5. Point to the external system, click the arrow that appears, and then click Delete.

View the external content types of an external system

External systems make external data available using external content types. You can view all the external content types associated with an external system.

To view the external content types of an external system

  1. Verify that you have the following administrative credentials:

    • You must be a farm administrator or an administrator of the service application.

  2. On the Central Administration Web site, in the Application Management section, click Manage service applications.

  3. Click in the Name column of the row that corresponds to the Business Data Connectivity service application.

  4. In the View group of the ribbon, click External Systems.

  5. Point to the external system, click the arrow that appears, and then click View External Content Types.

Configure an external system

You can configure some settings of an external system by using the Business Data Connectivity service.

To configure an external system

  1. Verify that you have one of the following administrative credentials:

    • You must be a farm administrator.

    • You must be an administrator of the Business Data Connectivity service application and have Edit permission on the external system.

  2. On the Central Administration Web site, in the Application Management section, click Manage service applications.

  3. Click in the Name column of the row that corresponds to the Business Data Connectivity service application.

  4. In the View group of the ribbon, click External Systems.

    Tip

    The only external systems that are configurable in the Business Data Connectivity service are Windows Communication Foundation (WCF) Web services.

  5. Point to the external system, click the arrow that appears, and then click Settings.

  6. Edit or view the settings.

    If the external system is a WCF Web service, the following settings are available (each field, followed by its notes):

    Metadata Exchange URL

    The full Web address of the Web service description language (.wsdl) file of the Web service.

    Metadata Exchange Discovery Mode

    The protocol to use for discovering web service metadata:

    • Disco: the Business Data Connectivity service uses the DiscoveryClientProtocol (equivalent to wsdl.exe) to download the metadata.

    • MetadataExchange: the Business Data Connectivity service uses WS-Transfer (equivalent to svcutil /mex) to download the metadata.

    • CustomProxy: the Business Data Connectivity service does not attempt to discover the service. When this option is used, the user must provide Address, Binding and Contract for the service.

    WSDL Authentication Mode

    The default way that incoming credentials are passed to the Web service.

    Five choices are available (each mode, followed by its description):

    User’s Identity

    Uses the credentials of the logged on user to authenticate to the Web service.

    This mode is called PassThrough in the BDC model file.

    BDC Identity

    Uses the application pool account under which the Business Data Connectivity service is running to authenticate the logged on user to the Web service.

    This mode is called RevertToSelf in the BDC model file.

    Impersonate Custom Identity

    For Web services that use basic authentication instead of Windows authentication.

    Uses the Secure Store Service to map the user’s credentials to the individual or group credentials that are used by the Web service.

    This mode is called Credentials in the BDC model file.

    Impersonate Windows Identity

    For Web services that use Windows authentication.

    Uses the Secure Store Service to map the user’s credentials to the individual or group credentials that are used by the Web service.

    This mode is called WindowsCredentials in the BDC model file.

    Impersonate Custom Identity - Digest

    For Web services that use digest authentication instead of Windows authentication. Uses the Secure Store Service to map the user’s credentials to the individual or group credentials that are used by the Web service.

    This mode is called DigestCredentials in the BDC model file.

    Secure Store WSDL Target Application ID

    For Impersonate Custom Identity, Impersonate Windows Identity, and Impersonate Custom Identity-Digest authentication, the target application identifier for this Web service, as configured in the Secure Store Service.

    Secure Store Implementation

    If you are providing a custom secure store provider, specify the fully qualified assembly name of the provider. Otherwise, leave this field empty.

  7. Click OK.

Configure an instance of an external system

There can be one or more instances of an external system for any external system. Configuring multiple external system instances allows the solution designer to set different security parameters on external data connections to support multiple ways to connect to the same external system.

To configure an instance of an external system

  1. Verify that you have one of the following administrative credentials:

    • You must be a farm administrator.

    • You must be an administrator of the Business Data Connectivity service application and have Edit permission on the external system.

  2. Click in the Name column of the row that corresponds to the Business Data Connectivity service application.

  3. In the View group of the ribbon, click External Systems.

  4. Click the external system to view its instances.

    Tip

    The only instances of external system types that are configurable by default are databases and WCF Web services.

  5. Point to the external system instance, click the arrow that appears, and then click Settings.

  6. Edit or view the settings.

    If the external system is a WCF Web service, the following settings are available (each field, followed by its description):

    Authentication Mode

    The way that incoming credentials are passed to the Web service.

    Five choices are available (each mode, followed by its description):

    User’s Identity

    Uses the credentials of the logged on user to authenticate to the Web service.

    This mode is called PassThrough in the BDC model file.

    BDC Identity

    Uses the application pool account under which the Business Data Connectivity service is running to authenticate the logged on user to the Web service.

    This mode is called RevertToSelf in the BDC model file.

    Impersonate Custom Identity

    For Web services that use basic authentication instead of Windows authentication.

    Uses the Secure Store Service to map the user’s credentials to the individual or group credentials that are used by the Web service.

    This mode is called Credentials in the BDC model file.

    Impersonate Windows Identity

    For Web services that use Windows authentication.

    Uses the Secure Store Service to map the user’s credentials to the individual or group credentials that are used by the Web service.

    This mode is called WindowsCredentials in the BDC model file.

    Impersonate Custom Identity - Digest

    For Web services that use digest authentication instead of Windows authentication. Uses the Secure Store Service to map the user’s credentials to the individual or group credentials that are used by the Web service.

    This mode is called DigestCredentials in the BDC model file.

    Service Endpoint Address

    The full Web address of the Web service’s .wsdl file.

    Impersonation Level

    The degree to which the Business Data Connectivity service can act on behalf of the user when connecting to an external Web service. Values include:

    • None: An impersonation level is not assigned.

    • Anonymous: The server process cannot obtain identification information about the client, and it cannot impersonate the client.

    • Identification: The server process can obtain information about the client, such as security identifiers and privileges, but it cannot impersonate the client. This is useful for servers that export their own objects, for example, database products that export tables and views. Using the retrieved client-security information, the server can make access-validation decisions without being able to use other services that are using the client's security context.

    • Impersonation: The server process can impersonate the client's security context on its local system. The server cannot impersonate the client on remote systems.

    • Delegation: The server process can impersonate the client's security context on its local system. The server cannot impersonate the client on remote systems.

    Secure Store Target Application ID

    For Impersonate Custom Identity and Impersonate Windows Identity authentication, the target application identifier for this Web service, as configured in the Secure Store Service.

    Secondary Secure Store Target Application ID

    This field is used to provide the target application identifier of the optional filter that will be used to capture user-supplied input values for Secure Store related filters. For information on the types of filters supported, and on implementing filters, see the Microsoft SharePoint 2010 Software Development Kit (https://go.microsoft.com/fwlink/p/?LinkId=166117).

    Secure Store Implementation

    If you are providing a custom secure store provider, specify the fully qualified assembly name of the provider. Otherwise, leave this field empty.

    If the external system is a database, the following settings are available (each field, followed by its description):

    Access Provider

    The type of database.

    Authentication Mode

    The way that incoming credentials are passed to the database.

    Four choices are available (each mode, followed by its description):

    User’s Identity

    Uses the credentials of the logged on user to authenticate to the database.

    This mode is called PassThrough in the BDC model file.

    BDC Identity

    Uses the application pool account under which the Business Data Connectivity service is running to authenticate the logged on user to the database.

    This mode is called RevertToSelf in the BDC model file.

    Impersonate Custom Identity

    For databases that do not use Windows authentication.

    Uses the Secure Store Service to map the user’s credentials to the individual or group credentials that are used by the database.

    This mode is called RdbCredentials in the BDC model file.

    Impersonate Windows Identity

    For databases that use Windows authentication.

    Uses the Secure Store Service to map the user’s credentials to the individual or group credentials that are used by the database.

    This mode is called WindowsCredentials in the BDC model file.

    Database Server

    The name of the database server.

    Initial Database Name

    The name of the database.

    Integrated Security

    If you are using integrated security, type the string SSPI, and the Business Data Connectivity service will use the user’s Windows credentials to connect to the external system. If you are not using integrated security, leave this field blank, and the Business Data Connectivity service will connect by using unique credentials for the database server.

    Connection Pooling

    If this is selected, the Business Data Connectivity service maintains ownership of the connections to the external system in a pool as an optimization.

    Secure Store Target Application Target ID

    For Impersonate Custom Identity and Impersonate Windows Identity authentication, the target application identifier for this database, as configured in the Secure Store Service.

    Secondary Secure Store Target Application Target ID

    This field is used to provide the target application identifier of the optional filter that will be used to capture user-supplied input values for Secure Store related filters. For information on the types of filters supported, and on implementing filters, see the Microsoft SharePoint 2010 Software Development Kit (https://go.microsoft.com/fwlink/p/?LinkId=166117).

    Secure Store Implementation

    If you are providing a custom secure store provider, specify the fully qualified assembly name of the provider. Otherwise, leave this field empty.

  7. Click OK.
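The settings in the tables above, both the WSDL settings of a WCF external system (see "Configure an external system") and the instance settings for WCF Web services and databases, are stored as properties in the BDC model (.bdcm) file under the model-file mode names the tables list (PassThrough, RevertToSelf, Credentials, WindowsCredentials, DigestCredentials, RdbCredentials). The script below is an added example, not part of this article or of the SharePoint product. It parses a model fragment constructed for the example (the ContosoCRM and ContosoDB systems, their addresses and the Secure Store target application IDs are assumed values; the property names are the SharePoint 2010 SDK names for LobSystem and LobSystemInstance properties) and reports each instance's authentication mode under the name Central Administration shows, together with the consistency checks a reviewer would derive from the tables.

```powershell
# Added example (not from the TechNet article): review the authentication settings of the
# external systems and instances in a BDC model fragment. The fragment, names, URLs and
# Secure Store target application IDs below are constructed for this example.
$modelXml = @"
<Model xmlns="http://schemas.microsoft.com/windows/2007/BusinessDataCatalog" Name="ContosoModel">
  <LobSystems>
    <LobSystem Name="ContosoCRM" Type="Wcf">
      <Properties>
        <Property Name="WcfMexDocumentUrl" Type="System.String">http://crm.contoso.com/Crm.svc?wsdl</Property>
        <Property Name="WcfMexDiscoMode" Type="System.String">MetadataExchange</Property>
        <Property Name="WsdlFetchAuthenticationMode" Type="System.String">Credentials</Property>
      </Properties>
      <LobSystemInstances>
        <LobSystemInstance Name="ContosoCRMInstance">
          <Properties>
            <Property Name="WcfEndpointAddress" Type="System.String">http://crm.contoso.com/Crm.svc</Property>
            <Property Name="AuthenticationMode" Type="System.String">WindowsCredentials</Property>
            <Property Name="SsoApplicationId" Type="System.String">ContosoCRM-Creds</Property>
            <Property Name="WcfImpersonationLevel" Type="System.String">Delegation</Property>
          </Properties>
        </LobSystemInstance>
      </LobSystemInstances>
    </LobSystem>
    <LobSystem Name="ContosoDB" Type="Database">
      <LobSystemInstances>
        <LobSystemInstance Name="ContosoDBInstance">
          <Properties>
            <Property Name="DatabaseAccessProvider" Type="System.String">SqlServer</Property>
            <Property Name="RdbConnection Data Source" Type="System.String">sql01.contoso.com</Property>
            <Property Name="RdbConnection Initial Catalog" Type="System.String">Orders</Property>
            <Property Name="RdbConnection Integrated Security" Type="System.String">SSPI</Property>
            <Property Name="AuthenticationMode" Type="System.String">RdbCredentials</Property>
          </Properties>
        </LobSystemInstance>
      </LobSystemInstances>
    </LobSystem>
  </LobSystems>
</Model>
"@

# Model-file mode name -> name shown in Central Administration (mapping taken from the tables above).
$modeNames = @{
    "PassThrough"        = "User's Identity"
    "RevertToSelf"       = "BDC Identity"
    "Credentials"        = "Impersonate Custom Identity"
    "WindowsCredentials" = "Impersonate Windows Identity"
    "DigestCredentials"  = "Impersonate Custom Identity - Digest"
    "RdbCredentials"     = "Impersonate Custom Identity"
}
# Modes that map the user's credentials through the Secure Store Service and so need a target application ID.
$secureStoreModes = @("Credentials", "WindowsCredentials", "DigestCredentials", "RdbCredentials")

# Collect the <Property Name="..."> children of a LobSystem or LobSystemInstance into a hashtable.
function Get-BdcProperties($node) {
    $props = @{}
    foreach ($p in $node.Properties.Property) { $props[$p.GetAttribute("Name")] = $p.InnerText }
    return $props
}

function Test-BdcModelSettings {
    param([xml]$Doc)
    foreach ($system in $Doc.Model.LobSystems.LobSystem) {
        $systemFindings = @()
        # External-system level: how the WSDL itself is fetched ("WSDL Authentication Mode").
        $sysProps = Get-BdcProperties $system
        $wsdlMode = $sysProps["WsdlFetchAuthenticationMode"]
        if ($secureStoreModes -contains $wsdlMode -and -not $sysProps["WsdlFetchSsoApplicationId"]) {
            $systemFindings += "WSDL fetch uses Secure Store but no Secure Store WSDL Target Application ID is set"
        }
        foreach ($instance in $system.LobSystemInstances.LobSystemInstance) {
            $props = Get-BdcProperties $instance
            $mode = $props["AuthenticationMode"]
            $findings = @($systemFindings)
            $modeLabel = if ($mode -and $modeNames.ContainsKey($mode)) { $modeNames[$mode] } else { "(unrecognized)" }
            if (-not $mode) { $findings += "AuthenticationMode is not set" }
            elseif (-not $modeNames.ContainsKey($mode)) { $findings += "unknown AuthenticationMode '$mode'" }
            if ($mode -eq "RevertToSelf") {
                # The backend only ever sees the BDC application pool account, never the individual user.
                $findings += "BDC Identity: the external system cannot distinguish users; rely on SharePoint-side authorization and auditing"
            }
            if ($secureStoreModes -contains $mode -and -not $props["SsoApplicationId"]) {
                $findings += "Secure Store mode without a Secure Store Target Application ID"
            }
            if ($mode -eq "RdbCredentials" -and $props["RdbConnection Integrated Security"] -eq "SSPI") {
                $findings += "Impersonate Custom Identity is for databases without Windows authentication, yet Integrated Security is SSPI"
            }
            if ($props["WcfImpersonationLevel"] -eq "Delegation") {
                $findings += "Impersonation Level is Delegation: confirm the Web service actually requires it"
            }
            New-Object PSObject -Property @{
                System   = $system.GetAttribute("Name")
                Instance = $instance.GetAttribute("Name")
                Mode     = $modeLabel
                Findings = $findings
            }
        }
    }
}

Test-BdcModelSettings -Doc ([xml]$modelXml) | Format-List System, Instance, Mode, Findings
```

With the constructed fragment, ContosoCRM is reported as Impersonate Windows Identity with two findings (the WSDL fetch lacks its Secure Store target application ID, and the impersonation level is Delegation), and ContosoDB as Impersonate Custom Identity with two (no Secure Store Target Application ID, and SSPI set although the mode is meant for databases that do not use Windows authentication). To review a deployed model instead of a fragment, export it with Export-SPBusinessDataCatalogModel and pass the resulting file to the function with `-Doc ([xml](Get-Content -Path <file> -Raw))` on PowerShell 3.0 or later, or `[xml](Get-Content <file>)` on the PowerShell 2.0 that ships with SharePoint 2010.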

See Also

Other Resources

Resource Center: Operations and Manageability for SharePoint Server 2010 (https://go.microsoft.com/fwlink/p/?LinkId=220215)
Resource Center: Business Connectivity Services in SharePoint Server 2010 (https://go.microsoft.com/fwlink/p/?LinkId=220222)