Implementing Security on custom BCS/.net class?

Question

I'm implementing a custom BCS Model to get data from a backend system. As the backend uses it's own user management, I'm accessing it through a service account.

All of this works well and allows me to pull data into SharePoint. However because it's channeled through the service account, everyone can access it, which is bad.

Can anyone give me some tips which method to implement? The backend does not give me NT ACLs, but I wonder if I could just "fake" them somehow? (Essentially saying "This NT Group has Read Access" is good enough).

I am aware of ISecurityTrimmer2 for Search Results, but ideally I want to cover security inside the BCS Model so that it applies to external lists as well. I want to avoid using Secure storage and mapping each individual user to the backend.

Answer 1

Got an answer here. I can set a field in the BCS Model to be the WindowsSecurityDescriptorField and then I can use custom code in my BCS methods to create a ACLs:

Byte[] GetSecurityDescriptor(string domain, string username)
{
    NTAccount acc = new NTAccount(domain, username);
    var sid = (SecurityIdentifier)acc.Translate(typeof(SecurityIdentifier));
    CommonSecurityDescriptor sd = new CommonSecurityDescriptor(false, false,
        ControlFlags.None,sid,null, null, null);
    sd.SetDiscretionaryAclProtection(true, false);

    //Deny access to everyone
    SecurityIdentifier everyone = new SecurityIdentifier(
        WellKnownSidType.WorldSid, null);
    sd.DiscretionaryAcl.RemoveAccess(AccessControlType.Allow, everyone, 
      unchecked((int)0xffffffffL), InheritanceFlags.None, PropagationFlags.None);

    //Grant full access to specified user
    sd.DiscretionaryAcl.AddAccess(AccessControlType.Allow, sid,
      unchecked((int)0xffffffffL), InheritanceFlags.None, PropagationFlags.None);

    byte[] secDes = new Byte[sd.BinaryLength];
    sd.GetBinaryForm(secDes, 0);

    return secDes;
}

This works well and allows me to create custom ACLs once I translated users between the backend system and Active Directory.

I'm still interested to hear if someone has another way if having security as part of the BCS Model.

Answer 2

If you want to avoid Secure Store, it sounds like your only choice is PassThrough. The catch is that you cannot use NTLM. You must use Kerberos because NTLM does not allow for identity delegation since you are passing credentials from the user to the SharePoint server to the external system. In using Kerberos for identity delegation, you need to create a SPN (Service Principle Name) for your service so that AD knows that it is permitted to delegate identities.

Authenticating to Your External System

See Create Service Principal Names for your Web applications using Kerberos authentication in this article for creating a SPN.

Answer 3

I'm using a somewhat different approach. If you code .NET objects to retrieve the data from your external system, you can access the SPContext object to check on what site you're on, or which user is querying the data. In code, you can use that info to filter the data any what you like.

So the exact same instance of an External List on your SharePoint site might return 5 results for use A, but 10 results for user B based on username or perhaps group membership. Not that hard to implement and actually works pretty good.

Check out http://jsiegmund.wordpress.com/2010/05/19/creating-secured-bcs-objects-with-bcs-meta-man/.