Data authentication for Visio Services in SharePoint Server

Summary: Visio Services supports connections to Excel workbooks, SharePoint lists, SQL Server databases, and OLE DB and ODBC data sources.

Data sources are categorized as internal or external as follows:

  • Internal: Data hosted within the SharePoint farm, such as an Excel workbook or a SharePoint list.

  • External: SQL Server data, or an OLE DB or ODBC data source.

Retrieving data from a data source requires the user to be authenticated by the data source and then authorized to access the data it contains. In the case of a diagram, Visio Services authenticates to the data source on behalf of the user who is viewing the diagram, in order to refresh the data to which the diagram is connected.

Which authentication method Visio Services can use to retrieve data depends on the type of the underlying data source, as outlined in the following table. For data sources that support more than one authentication method, the data connection must specify which one to use.

| Data source | Authentication method |
|---|---|
| SharePoint lists | SharePoint user permissions |
| Excel workbooks | SharePoint user permissions |
| SQL Server | One of: Windows authentication (integrated security) using Kerberos constrained delegation, using Secure Store, or using the Unattended Service Account; or SQL Server Authentication |
| OLE DB/ODBC | Varies per data source; typically a user name and password pair stored in the connection string. |

Custom data providers can also be used.

The following data sources are supported in Visio but not in Visio Services:

  • Access databases

  • Excel workbooks not hosted on SharePoint Server

  • OLAP

Connect Visio Services to data hosted on SharePoint Server

Visio Services supports data-connected diagrams that are connected to data hosted within the SharePoint farm, including the following:

  • Excel workbooks residing in a document library

  • Data in SharePoint lists

Connect to Excel workbooks

Visio Services uses the diagram viewer's SharePoint Server credentials to connect to an .xlsx Excel workbook. For the authentication operation to succeed, the following conditions must be met:

  • Office Online Server Preview must be provisioned and configured correctly on the SharePoint farm.

  • The workbook must be hosted on the same farm as the diagram.

  • The diagram viewer must have at least "read" permissions to the Excel workbook.

No other configuration steps are required to enable this kind of data connection.

[!NOTE] As part of connecting to an Excel workbook, Visio Services requests that Excel Online refresh the workbook if it contains connections to external data. In this case, the diagram viewer's identity is passed on to Excel Online so that Excel Online can authenticate to the underlying data sources to refresh the workbook.

Connect Visio Services to SharePoint lists

Visio Services uses the diagram viewer's SharePoint Server credentials to connect to a SharePoint list. For the authentication operation to succeed, the following conditions must be met:

  • For a user to access data in an External List, the user must have permissions to access the External Content Type and permissions to access the external data source.

  • The diagram viewer must have at least "read" permissions to the SharePoint list.

No other configuration steps are required to enable this kind of data connection.

Connect Visio Services to external data

Visio Services can connect to various external data sources, including SQL Server, OLE DB/ODBC, and custom data providers. To connect to a data source, Visio Services uses a specific data provider for each kind of data source.

As a security measure, Visio Services must explicitly trust a data provider before it can be used.

Connecting to a SQL Server data source can be done by using either:

  • Windows authentication

  • SQL Server Authentication

Other data sources use a connection string that usually contains a user name and password.

Data connections

Visio diagrams use one of two kinds of connections:

  • Embedded connections

  • Linked connections

Embedded connections are stored as part of the Visio diagram. Linked connections are stored outside the diagram, in Office Data Connection (ODC) files. To use a linked connection, a diagram must reference an .odc file that is stored in the same farm as the diagram. Each data connection consists of:

  • A connection string

  • A query string

  • An authentication method

  • Optionally, some metadata required to retrieve external data

Each kind of connection has the advantages and drawbacks discussed here; choose the one that best suits your scenario.

| Connection type | Embedded connections | ODC files |
|---|---|---|
| Data sources supported | SQL Server; OLE DB/ODBC; Excel workbooks; SharePoint lists; custom data providers | SQL Server (supports all authentication methods); OLE DB/ODBC |
| Advantages | All connection information is stored in the diagram. Embedded connections require little administrative overhead to support. Embedded connections are easy to create. | Linked connections can be centrally stored, managed, audited and shared, and access to them controlled, by using a data connection library. Diagram authors can use existing connections without having to create queries and connection strings. If the data connection details for a data source change, an administrator only needs to update one ODC file; all diagrams that refer to the ODC file will use the updated connection information at the next refresh. (An example of this scenario is when the database server is moved or the database name is changed.) |
| Drawbacks | If the data connection details for a data source change, all diagrams with embedded connections to that data source must be republished with updated connection information. Embedded data connections are more difficult for SharePoint administrators to audit. | Linked connections may require the help of a SharePoint administrator to share, manage and secure. Linked connections are saved in clear text and may contain database passwords. Extra care must be taken to help secure these files. |

Choose a linked data connection, by using an ODC file, for scenarios in which you must have a data connection to an enterprise-scale relational data source such as SQL Server. Linked data connections are most useful in scenarios in which they will be shared across many users and in which administrator control of the connection is important.

[!NOTE] If you are using Visio 2010, ODC files must first be created in Excel and exported to SharePoint Server before they can be used with Visio Services.

Choose an embedded connection for scenarios in which you need a quick data connection to a small or file-based data source that will only be used by a few users.

ODC files can be stored in a data connection library, a special kind of SharePoint document library. Centralizing data connections in such a library has several advantages:

  • Administrators can restrict write access to a data connection library to trusted data connection authors, to make sure that only well-tested and secure data connections are used by diagram authors.

  • Administrators have a single location in which to manage data connections for a large group of users.

  • Administrators can easily approve, audit, revert and manage data connection files by using document library versioning and workflow features.

  • End users have a single location in which to find diagram data, reducing confusion and user training.
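The table above warns that ODC files are stored in clear text and may contain database passwords, and the SQL Server section notes that a connection can use either Windows authentication or SQL Server Authentication. The following PowerShell is an added example (not code from the page, from SharePoint Server, or from Microsoft) that audits a folder of .odc files, such as a data connection library synced to disk, and reports whether each connection string embeds a password or relies on integrated (Windows) security. All function names are hypothetical, and the two ODC files it writes are constructed samples.

```powershell
# Added example, not part of the page or of SharePoint Server: audit .odc files
# and flag linked connections that carry a clear-text password. Function names
# are hypothetical; the two sample ODC files below are constructed.

function Get-OdcConnectionString {
    param([Parameter(Mandatory)][string]$Path)
    # An ODC file is HTML with an embedded XML island; the connection string
    # sits in <odc:ConnectionString>. A regex is sufficient for this audit.
    $raw = Get-Content -Path $Path -Raw
    $m = [regex]::Match($raw, '<odc:ConnectionString>(.*?)</odc:ConnectionString>',
                        [System.Text.RegularExpressions.RegexOptions]::Singleline)
    if (-not $m.Success) { return $null }
    return [System.Net.WebUtility]::HtmlDecode($m.Groups[1].Value)
}

function ConvertFrom-ConnectionString {
    param([Parameter(Mandatory)][string]$ConnectionString)
    # Split "Key=Value;Key=Value" into a hashtable keyed by lower-case name.
    $parts = @{}
    foreach ($pair in ($ConnectionString -split ';')) {
        if ($pair -match '^\s*([^=]+?)\s*=\s*(.*?)\s*$') {
            $parts[$Matches[1].ToLowerInvariant()] = $Matches[2]
        }
    }
    return $parts
}

function Test-OdcFile {
    param([Parameter(Mandatory)][string]$Path)
    $connStr = Get-OdcConnectionString -Path $Path
    if (-not $connStr) {
        return [pscustomobject]@{ File = $Path; Finding = 'NoConnectionString'; Provider = $null }
    }
    $p = ConvertFrom-ConnectionString -ConnectionString $connStr
    # A non-empty Password/Pwd value means a secret is stored in clear text.
    $hasPassword = [bool]($p['password'] -or $p['pwd'])
    # Integrated security means Windows authentication, which in Visio Services
    # needs Kerberos constrained delegation, Secure Store or the Unattended Service Account.
    $integrated  = ([string]$p['integrated security'] -match '^(sspi|true)$') -or
                   ([string]$p['trusted_connection'] -match '^(yes|true)$')
    if ($hasPassword)    { $finding = 'EmbeddedPassword' }
    elseif ($integrated) { $finding = 'WindowsAuth' }
    else                 { $finding = 'NoCredentialInString' }
    return [pscustomobject]@{ File = $Path; Finding = $finding; Provider = $p['provider'] }
}

# Constructed sample ODC content, trimmed to the parts the audit needs.
$weakOdc = @'
<html><head><xml id="msodc"><odc:OfficeDataConnection xmlns:odc="urn:schemas-microsoft-com:office:odc">
<odc:Connection odc:Type="OLEDB">
<odc:ConnectionString>Provider=SQLOLEDB.1;Data Source=sql01.contoso.example;Initial Catalog=Sales;User ID=visio_reader;Password=PLACEHOLDER-PASSWORD</odc:ConnectionString>
<odc:CommandType>Table</odc:CommandType><odc:CommandText>dbo.Orders</odc:CommandText>
</odc:Connection></odc:OfficeDataConnection></xml></head></html>
'@
$strongOdc = @'
<html><head><xml id="msodc"><odc:OfficeDataConnection xmlns:odc="urn:schemas-microsoft-com:office:odc">
<odc:Connection odc:Type="OLEDB">
<odc:ConnectionString>Provider=SQLOLEDB.1;Integrated Security=SSPI;Data Source=sql01.contoso.example;Initial Catalog=Sales</odc:ConnectionString>
<odc:CommandType>Table</odc:CommandType><odc:CommandText>dbo.Orders</odc:CommandText>
</odc:Connection></odc:OfficeDataConnection></xml></head></html>
'@

$dir = Join-Path ([System.IO.Path]::GetTempPath()) 'odc-audit-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
Set-Content -Path (Join-Path $dir 'sales-weak.odc')       -Value $weakOdc
Set-Content -Path (Join-Path $dir 'sales-integrated.odc') -Value $strongOdc

# Audit every .odc file in the folder; the weak file is reported as EmbeddedPassword,
# the integrated-security file as WindowsAuth.
Get-ChildItem -Path $dir -Filter *.odc |
    ForEach-Object { Test-OdcFile -Path $_.FullName } |
    Format-Table Finding, Provider, File -AutoSize
```

Run the audit against the folder you export a data connection library to; any file reported as EmbeddedPassword is one the page says needs extra care, since anyone with read access to the library can read that password. Note that ODC files can also carry a Secure Store application ID outside the connection string, so a NoCredentialInString result is not by itself a problem.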

Windows authentication

This kind of credential is common on Windows networks and is the same credential used to log on to computers on a Windows domain. Windows credentials are considered a more secure and more manageable means of controlling access to SQL Server databases. However, one obstacle to using Windows authentication with Visio Services is the Windows double-hop security measure, under which a user's credentials cannot be passed across more than one computer in a Windows network. Because Visio Services is a multi-tiered system, special authentication methods are required for Visio Services to retrieve data on behalf of the end user.

Windows authentication requires that Visio Services present a set of Windows credentials to SQL Server. There are several options for doing this. Which authentication method to choose depends on the factors outlined in the following table. Choose the one that best suits your scenario.

| Authentication method | Kerberos constrained delegation | Secure Store | Unattended Service Account |
|---|---|---|---|
| Description | Using Kerberos constrained delegation, the diagram viewer's Windows credentials are sent to the data source directly. | Using Secure Store, the viewer's Windows credentials are mapped to another set of credentials specified in a Secure Store target application. | Using Secure Store, all viewers are mapped to a specific set of credentials, called the Unattended Service Account, that is stored in a specific Secure Store target application specified in Visio Services Global Settings. |
| Data connection credentials | The Windows credentials of the diagram viewer. | The credentials specified in the Secure Store target application. | The credentials of the Unattended Service Account. |
| Advantages | The Kerberos protocol is an industry standard in credential management. Kerberos ties into the existing Active Directory infrastructure. Kerberos delegation enables auditing of individual accesses to a data source. Because the diagram viewer's identity is known, diagram creators can embed personalized database queries into diagrams. | Secure Store is part of SharePoint Server and is easier to configure than Kerberos authentication. Mappings are flexible: a user can be mapped either 1-to-1 or many-to-1. Non-Windows credentials can be used to connect to data sources that do not accept Windows credentials. Mappings created for Visio can be reused by other business intelligence applications such as Excel Online. | The Unattended Service Account is the easiest authentication method to deploy and set up. The Unattended Service Account does not require much administrative overhead. |
| Drawbacks | Additional administrative effort is required to configure it for SharePoint Server and Visio Services. | Establishing and managing mapping tables requires some administrative overhead. Secure Store allows only limited auditing: in the many-to-1 scenario, individual incoming users are mapped to the same credentials through a target application, effectively blending them into one user. | Because everyone is mapped to the same credentials, an administrator cannot distinguish who accessed a data source. |
| For the authentication operation to succeed… | Kerberos constrained delegation must be set up on the SharePoint farm. | Secure Store must be provisioned and configured on the farm. It must also contain appropriate mapping information for each incoming user. Additionally, the mapping information may need to be updated periodically to reflect password changes on the mapped account. | Secure Store must be provisioned and configured on the farm. It must also contain the credentials for the Unattended Service Account. Additionally, the mapping information may need to be updated periodically to reflect password changes on the mapped account. The Unattended Service Account must be configured in Visio Services Global Settings. |

Kerberos constrained delegation

Choose Kerberos constrained delegation for more secure and faster authentication to enterprise-scale relational data sources that support Windows authentication.

Secure Store

Choose Secure Store for authentication to enterprise-scale relational data sources that may support Windows authentication. Secure Store is also useful in scenarios in which you want to control user credential mappings.

Unattended Service Account

For ease of configuration, the Visio Graphics Service provides a special configuration in which an administrator creates a single mapping under which all users are mapped to one set of credentials.

This account, known as the Unattended Service Account, must be a low-privilege Windows domain account. Visio Services impersonates this account when it connects to a data source on behalf of a diagram viewer.

It is a best practice to give this account as few network permissions as possible, typically only the right to log on to the network and to access the data source that you want users to connect to. For better security, make sure that the Unattended Service Account does not have access to the SharePoint configuration and content databases.

The Unattended Service Account is used by Visio Services in the following circumstances:

  • When an ODC file specifies the use of the Unattended Service Account for either Windows or SQL Server Authentication

  • When no ODC file is used and Kerberos authentication fails

[!NOTE] The Unattended Service Account can be a local computer account of type Windows. If the Unattended Service Account is configured as a local computer account, make sure that the configuration is identical on every application server that is running Visio Services. For manageability reasons, the best practice is to use a domain account.

Choose the Unattended Service Account when you connect to small ad-hoc deployments in which security is less important or for which speed of deployment is very important.

For information about how to use the Unattended Service Account with Visio Services, see Secure Store for Business Intelligence service applications.
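The Unattended Service Account section and the "For the authentication operation to succeed…" row of the table describe what must exist for the account to work: a Secure Store target application holding the credential, and a Visio Services global setting that names it. The following PowerShell is an added example (not code from the page, from Microsoft, or from SharePoint Server) that carries out those steps in the SharePoint Management Shell. Every site URL, account name, e-mail address and target application ID in it is an assumption to replace with your farm's values; the cmdlets themselves are the SharePoint Server Secure Store and Visio Services cmdlets.

```powershell
# Added example, not from the page: create the Secure Store group target
# application that holds the Unattended Service Account and point Visio
# Services at it. Run in the SharePoint Management Shell as a farm
# administrator who is also a Secure Store administrator.

$siteUrl    = "https://portal.contoso.example"   # assumption: any site in the farm (supplies the service context)
$targetId   = "VisioUnattendedAccount"           # assumption: Secure Store target application ID
$ssAdmin    = "CONTOSO\spadmin"                  # assumption: who may edit the target application
$members    = "CONTOSO\Domain Users"             # assumption: users whose diagram views may use the credential
$svcAccount = "CONTOSO\svc-visio-unattended"     # assumption: the low-privilege domain account

# Field layout: a Windows user name plus a masked Windows password.
$userField = New-SPSecureStoreApplicationField -Name "Windows User Name" -Type WindowsUserName -Masked:$false
$pwdField  = New-SPSecureStoreApplicationField -Name "Windows Password"  -Type WindowsPassword -Masked:$true

$adminClaim  = New-SPClaimsPrincipal -Identity $ssAdmin -IdentityType WindowsSamAccountName
$memberClaim = New-SPClaimsPrincipal -Identity $members -IdentityType WindowsSamAccountName

# Group application type: all callers share one stored credential, which is
# the many-to-1 mapping the Unattended Service Account is built on.
$targetApp = New-SPSecureStoreTargetApplication -Name $targetId `
    -FriendlyName "Visio Services Unattended Service Account" `
    -ContactEmail "sharepoint-admins@contoso.example" `
    -ApplicationType Group

$ssApp = New-SPSecureStoreApplication -ServiceContext $siteUrl -TargetApplication $targetApp `
    -Fields ($userField, $pwdField) -Administrator $adminClaim -CredentialsOwnerGroup $memberClaim

# Store the credential. The password is prompted for, never written into the script.
$userSecure = ConvertTo-SecureString -String $svcAccount -AsPlainText -Force
$pwdSecure  = Read-Host -Prompt "Password for $svcAccount" -AsSecureString
Update-SPSecureStoreGroupCredentialMapping -Identity $ssApp -Values ($userSecure, $pwdSecure)

# Tell Visio Services which target application is the Unattended Service Account.
$visioApp = Get-SPServiceApplication | Where-Object { $_.TypeName -like "Visio*" }
Set-SPVisioExternalData -VisioServiceApplication $visioApp -UnattendedServiceAccountApplicationID $targetId

# Verify that the setting took effect.
Get-SPVisioExternalData -VisioServiceApplication $visioApp
```

The members claim is the broadest part of this script; narrow it to the groups that actually view data-connected diagrams. The account behind `$svcAccount` should, as the page says, have only network logon rights and read access to the intended data sources, and no access to the SharePoint configuration and content databases. When the account's password is rotated, rerun the `Update-SPSecureStoreGroupCredentialMapping` step, which is the periodic update the table's last row refers to.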

SQL Server Authentication

SQL Server Authentication requires that Visio Services present a SQL Server user name and password to the SQL Server data source to authenticate. Visio Services extracts this user name and password from the data connection's connection string and passes them to the data source.

To reduce security risks, Visio Services impersonates the Unattended Service Account when it connects to such a data source.

Authentication against OLE DB/ODBC data sources

Authentication to third-party data sources typically requires that Visio Services present a user name and password to the data source. As with SQL Server Authentication, Visio Services extracts this user name and password from the data connection's connection string and passes them to the data source.

To reduce security risks, Visio Services impersonates the Unattended Service Account when it connects to such a data source.

Visio Services data refresh

Visio Services supports refreshing diagrams connected to one or more of the following data sources:

  • SQL Server

  • SharePoint lists

  • Excel workbooks hosted in SharePoint Server

  • Oracle 9i, 9iR2, 10g, 10gR2, 11g, 11gR2, and DB2 9.2

[!NOTE] If the data source that you plan to connect to is not in the list above, you can add support for it by creating a Visio Custom Data Provider. This technology lets you wrap an existing data source as one that Visio Services can consume.

Refresh can be triggered from the browser in one of the following ways:

  • The end user opens the diagram.

  • The end user clicks the refresh button on an already open diagram.

  • The end user loads a page that contains a Visio Web Access Web Part that a site designer configured to refresh automatically.

    [!NOTE] A SharePoint site designer must place the Visio Web Access Web Part on a page and configure it to refresh periodically.

If there is no previously cached version of the diagram, any of these actions will trigger a refresh and update the diagram. For information about how to configure cache settings for Visio Services, see Configure Visio Services.