Step 6 (Optional): Specify Access Permissions

Each object in the Business Data Catalog hierarchy of metadata objects (Application, Entity, Method, MethodInstance, Parameter, TypeDescriptor, and so on) has an access control list (ACL) that specifies which principals have which rights on the object. Of the 13 metadata objects, only LobSystem, Entity, Method, and MethodInstance have their own individually controllable ACL. These objects are referred to as Individually Securable metadata objects. Other metadata objects inherit the ACL from their immediate parent and are referred to as access-controlled metadata objects.

The following table shows the rights that the administrator, or someone with the Manage Permissions right, can set on a Business Data Catalog application.

| Right | Applies to | Description |
| --- | --- | --- |
| Edit | Access-controlled metadata objects | Update the object; delete the object; create child object; add property; remove property; clear properties; add localized display name; remove localized display name; clear localized display names |
| Manage Permissions | Individually securable metadata objects | Set permissions; copy permissions to children |
| Execute (View) | MethodInstance | Execute the MethodInstance object via various run-time API calls |
| Selectable in Clients | Application and Entity | Use in Web Parts and lists; view in Picker |

The Business Data Catalog enables you to specify access permissions for each individually securable metadata object (such as LobSystem, Entity, Method, and MethodInstance) directly in the application definition file. You can also configure these parameters in the Business Data Catalog administration pages. In this step, you will specify the ACL at the LobSystem level in the XML.



To specify access permissions

  1. To keep it simple, add the following XML to the end of the LobSystem element (before the </LobSystem> end tag). You must update the Principal attribute values with the correct domain and user or group names.

       <AccessControlList>
          <AccessControlEntry Principal="[your domain]\[you]">
             <Right BdcRight="Execute"/>
             <Right BdcRight="Edit"/>
             <Right BdcRight="SetPermissions"/>
             <Right BdcRight="SelectableInClients"/>
          </AccessControlEntry>
          <AccessControlEntry Principal="[your domain]\[your Business Data Catalog users]">
             <Right BdcRight="Execute"/>
             <Right BdcRight="SelectableInClients"/>
          </AccessControlEntry>
       </AccessControlList>
  2. Save the XML file.

  3. Before you add the application definition again, delete the AdventureWorksSample application you created in Step 5 from the Business Data Catalog. To delete AdventureWorksSample, follow these steps:

    1. Open SharePoint 3.0 Central Administration.

    2. In the left navigation pane, click the name of your Shared Services Provider (SSP).

    3. In the Business Data Catalog section, click View Applications to view the registered applications.

    4. Click AdventureWorksSample to open the View Application: AdventureWorksSample page.

    5. Finally, click Delete Application in the Application Settings section.

  4. Add the application definition to the Business Data Catalog. For details, see How to: Add an Application Definition to the Business Data Catalog.

  5. Test access permissions as different Business Data Catalog users.
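A pre-upload check for the ACL added in step 1, as an added example that is not part of the original page or of Microsoft's tooling: it walks the individually securable objects in a definition file and reports entries whose Principal still contains a bracketed placeholder, or that grant Edit or SetPermissions to a principal outside an approved list. The CONTOSO principals, the sample XML, and the audit_acl helper are constructed for illustration; treating "[" in a principal as an unreplaced placeholder is an assumption.

```python
import xml.etree.ElementTree as ET

SECURABLE = {"LobSystem", "Entity", "Method", "MethodInstance"}
PRIVILEGED = {"Edit", "SetPermissions"}

# Constructed sample definition (hypothetical principals, namespace omitted).
SAMPLE = r"""<LobSystem Name="AdventureWorksSample">
 <Entities><Entity Name="Product">
  <AccessControlList>
   <AccessControlEntry Principal="CONTOSO\bdc-users">
    <Right BdcRight="Execute"/><Right BdcRight="Edit"/>
   </AccessControlEntry>
  </AccessControlList>
 </Entity></Entities>
 <AccessControlList>
  <AccessControlEntry Principal="CONTOSO\bdc-admins">
   <Right BdcRight="Edit"/><Right BdcRight="SetPermissions"/>
  </AccessControlEntry>
  <AccessControlEntry Principal="[your domain]\[your Business Data Catalog users]">
   <Right BdcRight="Execute"/><Right BdcRight="SelectableInClients"/>
  </AccessControlEntry>
 </AccessControlList>
</LobSystem>"""

def local(tag):
    # Drop a "{namespace}" prefix so namespaced files are handled too.
    return tag.rsplit("}", 1)[-1]

def audit_acl(xml_text, admins):
    """Return (object, principal, finding) tuples for ACEs that need review."""
    findings = []
    for obj in ET.fromstring(xml_text).iter():
        if local(obj.tag) not in SECURABLE:
            continue
        label = f"{local(obj.tag)}:{obj.get('Name')}"
        acls = [c for c in obj if local(c.tag) == "AccessControlList"]
        for ace in (a for acl in acls for a in acl):
            principal = ace.get("Principal", "")
            rights = {r.get("BdcRight") for r in ace}
            if "[" in principal:  # assumed marker of an unreplaced placeholder
                findings.append((label, principal, "placeholder principal"))
            elif rights & PRIVILEGED and principal.lower() not in admins:
                extra = ",".join(sorted(rights & PRIVILEGED))
                findings.append((label, principal, f"privileged: {extra}"))
    return findings

if __name__ == "__main__":
    for row in audit_acl(SAMPLE, admins={r"contoso\bdc-admins"}):
        print(*row, sep=" | ")
```

Pass the approved principals in lowercase; the comparison lowercases each Principal value before checking it against that set.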

Next Steps

Step 7 (Optional): Use Single Sign-On to Connect to the AdventureWorks2000 Database

See Also


How to: Add an Access Control Entry to a Metadata Object
How to: Get the Access Control List for a Metadata Object