Question

I have Secure Store and also Kerberos set up on my development and production farms. I am using Event Receivers to access BCS data. I have verified that if I simply impersonate a user that has access to the back-end I can return data in a web part. What is the best way to utilize the Secure Store instead of simple impersonation in code to determine if a user is a member of that particular AD group that is assigned permissions with a particular Secure Store app id?

Do we impersonate, or better yet, how do we use the assigned Secure Store user that in turn has access to the back-end BCS system to access the data in a web part in code?

I have set up External Lists using External Content Types that have been created using BCS Meta Man. I have then assigned the Secure Store App Id to that Model using SharePoint Designer 2010, and of course everything works. I think I am just having a problem understanding how to utilize the Secure Store to simplify BCS access without having to impersonate a particular user that relies on Kerberos in code. Any help would be most appreciated, thanks!


Solution

When you set up a target application in the Secure Store you can choose either group or individual credentials.

Use group credentials if you want a single account to access the external system (usually a database). This will act a bit like the trusted subsystem model: you won't be able to audit users accessing your back-end system, but you don't need to give them individual access.

Use individual credentials if you want the user's own account to be used to access the back-end. They will need to log in once, and the Secure Store will cache their credentials for subsequent connections to the back-end system. It sounds as though this is what you require, so that you can manage the security on the back-end.

Kerberos generally doesn't help you with this type of delegation problem unless the back-end system understands it, hence the need for the Secure Store (as well as for single sign-on).

There is more information on TechNet.
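To make the "use the Secure Store instead of impersonating" part concrete, here is an added example (not from the answer above or from any SharePoint sample) of reading the credentials a target application maps to the calling user (individual credentials) or to everyone (group credentials) from farm code such as a web part or event receiver. The target application id `MyBcsTargetApp` is a placeholder; the code runs in the context of the current user, so no Kerberos delegation or impersonation is involved.

```csharp
using System;
using System.Net;
using System.Runtime.InteropServices;
using System.Security;
using Microsoft.Office.SecureStoreService.Server;
using Microsoft.SharePoint;

public static class SecureStoreHelper
{
    // Placeholder: the target application id configured in Central Administration.
    public const string TargetApplicationId = "MyBcsTargetApp";

    // Returns the back-end credential the Secure Store holds for the current user under
    // the given target application, or null when an individual-credentials application
    // has not yet been populated for this user (they must log in once, as described above).
    public static NetworkCredential GetBackendCredential(SPSite site, string appId)
    {
        var provider = new SecureStoreProvider { Context = SPServiceContext.GetContext(site) };
        string user = null, password = null;
        try
        {
            // The collection owns SecureStrings; disposing it scrubs them from memory.
            using (SecureStoreCredentialCollection creds = provider.GetCredentials(appId))
            {
                foreach (ISecureStoreCredential c in creds)
                {
                    if (c.CredentialType == SecureStoreCredentialType.UserName ||
                        c.CredentialType == SecureStoreCredentialType.WindowsUserName)
                        user = ToPlainText(c.Credential);
                    else if (c.CredentialType == SecureStoreCredentialType.Password ||
                             c.CredentialType == SecureStoreCredentialType.WindowsPassword)
                        password = ToPlainText(c.Credential);
                }
            }
        }
        catch (SecureStoreCredentialsNotFoundException)
        {
            return null; // caller should send the user to the Secure Store credentials page
        }
        return (user == null || password == null) ? null : new NetworkCredential(user, password);
    }

    // Decrypts a SecureString only for as long as needed and frees the unmanaged copy.
    private static string ToPlainText(SecureString secret)
    {
        IntPtr bstr = Marshal.SecureStringToBSTR(secret);
        try { return Marshal.PtrToStringBSTR(bstr); }
        finally { Marshal.ZeroFreeBSTR(bstr); }
    }
}
```

Use the returned credential to open the back-end connection (for example a SqlConnection string built from user and password) and let it go out of scope as soon as the query completes, since the plaintext lives only in this method's caller. Whether a user is allowed to read the mapping at all is decided by the target application's permissions, so the "is this user in the permitted AD group" question from the post is answered by whether `GetCredentials` succeeds.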

OTHER TIPS

I have been using the Secure Store now for a while, successfully I may add. I have found that when you initially create the SSO App, set it up with your BCS and configure security on your BCS, you still need to literally get up and walk away. It won't work for a little bit; it must have something to do with timer jobs and such.

Anyway, I have a full setup, so if anyone has any questions concerning how to set up the security on the Secure Store correctly, with the BCS security set up correctly as well, you can always post; I'd be glad to help.

Licensed under: CC-BY-SA with attribution
Not affiliated with sharepoint.stackexchange