Plan a Business Connectivity Services solution in SharePoint Server

Summary: Create a plan for your Microsoft Business Connectivity Services solution in SharePoint Server 2016 or SharePoint Server 2013.

Microsoft Business Connectivity Services solutions integrate external data deeply into SharePoint Server and Office. Each Business Connectivity Services solution is custom-built using Visual Studio; there are no out-of-the-box Business Connectivity Services configurations or templates that you can use.

This article takes you through five questions that you must answer before you can design your Business Connectivity Services solution. Collect all of this information and communicate it to the key stakeholders for review and approval. Doing so helps ensure that everyone involved has the same understanding of the project's needs and of how the solution will work.

Where is the data?

Your first step in planning your Business Connectivity Services solution is to understand where the external data that you want resides. You need to understand this from three perspectives.

You will need to know who has day-to-day administrative responsibility for the external data source. This is the group you will work with to set up connectivity to the external data. They can tell you how the data is made available for external consumption, how it is secured, and so on, and you might need them to create credentials in the external system for you to use. Be prepared to answer their questions about the impact of your Business Connectivity Services solution on their data and their external system, for example the load it will generate and which accounts will be connecting.

Network considerations

You also need to consider where the external data source sits in relation to the network that Business Connectivity Services and your users are on. To work this out, draw a diagram of the three components (the users, the Business Connectivity Services infrastructure, and the external data source) and see where they lie. For example, they might all be on your internal network and inside your firewall, or the Business Connectivity Services infrastructure and the external data source might be separated by a firewall or perimeter network and sit on completely separate networks. Here are some basic rules that you can use to guide your design:

  • If the external data source is outside your network, such as on the Internet, Business Connectivity Services will need to communicate with it through your corporate firewall, and you need to plan for that traffic: the firewall rules that allow it, and the protection (for example, TLS) of the credentials and data that cross the boundary.

  • Look at where users will access the Business Connectivity Services solution from. Consider whether the data communications between the client and the Business Connectivity Services solution need to be encrypted, and whether the underlying network infrastructure can support the added load. Also make sure that the browsers and Office clients support the functionality that the solution provides.

How is the data surfaced?

Business Connectivity Services solutions can connect to an external data source through OData, SQL Server, a Windows Communication Foundation (WCF) service, or a .NET assembly. You need to know how the data is surfaced for external consumption (the external system administrators can tell you). How the external data is surfaced determines which development tools you will use to create the external content type. The following table shows which tools to use based on the external data source.

How is the data secured?

Business Connectivity Services handles authentication for all communication between itself and the external system. It presents the external system with information that lets the external system authenticate the request (verify that the caller is who it claims to be) and then authorize access to data in the external system. Business Connectivity Services supports many types of authentication.

For your solution design, you have to know which authentication mechanism the external system requires, so that you can configure Business Connectivity Services to present the authentication information in the form the external system expects. Business Connectivity Services supports three authentication models:

  • **Credentials-based authentication** In credentials-based authentication models, credentials are passed from Business Connectivity Services to the external system. Credentials are a combination of a user name and some form of password. Business Connectivity Services can do this in several ways: pass the credentials of the user who is logged on, pass the credentials of the service that is making the request, or map the credentials of the logged-on user to a different set of credentials that the external system recognizes. Passing the service's own credentials gives every user the same access as the service account, so the external system can no longer distinguish users; treat it as a last resort and keep the service account's rights on the external system to the minimum the solution needs.

  • **Claims-based authentication** In some scenarios the external system will not accept credentials directly from Business Connectivity Services, but it will accept them from a third-party authentication service that it trusts. The third-party authentication service (a security token provider) accepts a set of statements about the requestor, known as assertions. The whole set is known as a claim, and a claim can contain more information about the requestor than a user name and password, for example metadata such as the requestor's email address or the security groups to which the requestor belongs. The third-party authentication service authenticates the requestor based on the assertions in the claim and issues a security token for the requestor to use. The requestor (Business Connectivity Services) then presents the security token to the external system, which determines what data the requestor is authorized to access.

  • **Custom authentication** If the external system does not support credentials-based or claims-based authentication, you will have to develop, test, and implement a custom solution that takes the credentials Business Connectivity Services can produce and translates them into a format the external system accepts. You can implement a custom authentication solution for on-premises OData data sources that are secured either by OAuth or by a custom ASP.NET HTTP module.

How will the data be consumed?

As part of your requirements gathering, find out from your business stakeholders what they need the solution to do and how users need to interact with it. They might need users to interact with the data in SharePoint Server, through external lists and external Web Parts, and in Office 2016 clients. Or they might need the solution to surface data through an apps for Office and SharePoint application, either in SharePoint Online or in an on-premises SharePoint Server installation. For more information about apps for Office and SharePoint, see (OLD) Overview of apps for SharePoint 2016. Or the solution might require some other combination of browser, client, and application access to the external data.

How users access the data affects how you scope the external content type that Business Connectivity Services uses to access the external data. If your solution requires an apps for Office and SharePoint application, the external content type must be scoped to that application. If your solution will not use apps for Office and SharePoint to access external data, the external content type must be scoped to the Business Data Connectivity service application.

Service-scoped external content types are stored centrally in the BDC Metadata Store, and a farm administrator manages security on them. You can share these external content types with multiple Business Connectivity Services web applications.

App-scoped external content types are stored as an XML file inside the app for Office and SharePoint itself. They cannot be used by any other app for Office and SharePoint.

Connection settings objects can only be used with OData data sources. They contain connection information such as the service address of the service that surfaces the external data, the type of authentication to use, the Internet-facing URL, and the names of any required certificates. A connection settings object is separate from the external content type; when a Business Connectivity Services solution needs to connect to an external system, it uses the information in the connection settings object. You would typically define the connection information separately from the external content type when the developer does not know, or does not have access to, the necessary connection information at development time (for example, when the service address or the credentials differ between the development and production farms). Both app-scoped and service-scoped external content types can use connection settings objects, and one connection settings object can be used by multiple Business Connectivity Services solutions. Each solution must be granted permission to use the connection settings object.

How will you assign permissions to the solution?

In every Business Connectivity Services solution, you must plan who will have which permissions on which objects. This is how you both restrict and grant access to the solution to the appropriate users in the appropriate way. You will have to work with the external system administrator and with the SharePoint Server farm administrators, site collection administrators, and site administrators to configure permissions. At the most fundamental level, here is what you must consider during your planning.

Three fundamental roles are involved in every Business Connectivity Services solution:

  • **Administrative roles** These roles are responsible for managing permissions on the external system, creating and managing the Business Data Connectivity service application, importing Business Data Connectivity (BDC) models into the BDC Metadata Store, and managing permissions on the BDC Metadata Store and all the objects in it. If apps for SharePoint use Business Connectivity Services, the SharePoint Server farm administrators are also involved in publishing the app and in creating and managing connection settings objects. Generally, these duties are performed by SharePoint Server farm administrators, administrators of the external system, and anyone with delegated administrative rights.

  • **Developer or designer roles** These roles create the external content types, the BDC models, and the apps for SharePoint that use Business Connectivity Services. They are primarily responsible for understanding all the business needs for the solution.

  • **User roles** People in these roles consume and manipulate the external data in the Business Connectivity Services solution. There can be multiple user roles in your solution, each with a different level of permissions. For example, in a support-ticketing scenario that uses Business Connectivity Services to integrate external information into the solution, Tier I Help Desk technicians might be granted only the ability to read tickets and start workflows on them, while Tier II and Tier III technicians can also update tickets.

There are also four main aspects of every Business Connectivity Services solution for which you will manage permissions:

  • **External system** Every external system has its own method of performing authentication and authorization (see How is the data secured? earlier in this article). Work with the external system administrator to decide how to grant access to the solution's users according to the principle of least privilege. Typically you map a group of users on the Business Connectivity Services side to a single account on the external system and use that account to restrict what the group can do; the alternative is a 1:1 mapping between individual accounts on the two systems. In either case, unless the external system can directly accept the credentials with which the user authenticates to SharePoint Server, you will need the Secure Store Service to hold the mapped credentials. For more in-depth information about the authentication models that Business Connectivity Services supports, see Business Connectivity Services security overview (SharePoint 2010).

  • **Business Connectivity Services central infrastructure** In Central Administration, you manage the assignment of permissions to the BDC Metadata Store. In the BDC Metadata Store, you manage BDC models, external systems, and external content types. You must assign Execute permission on an external content type to all users who will use the Business Connectivity Services solution. The following tables provide a detailed mapping of abilities, permissions, and objects.
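Putting the many-to-one credential mapping described above, and the connection settings object described under How will the data be consumed?, into practice, as an added example that is not part of the original article: the SharePoint Management Shell script below creates a Group-type Secure Store target application, stores the external-system account once, points an OData connection settings object at it, and checks that RevertToSelf (running external calls as the BDC service application's own identity) has not been switched on. The site URL, the target application name ContosoCRM, the groups contoso\bcs-admins and contoso\crm-users, the contact address and the OData service address are assumptions for illustration.

```powershell
# Added example, not from the original article. Assumed names: the site URL, the target
# application ContosoCRM, the groups contoso\bcs-admins and contoso\crm-users, the contact
# address, and the OData service address. All cmdlets are from the SharePoint Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Service context of any site served by the BDC and Secure Store service application proxies.
$ctx = Get-SPServiceContext -Site (Get-SPSite "https://intranet.contoso.com")

# 1. The credential fields the external system expects; here a Windows account.
$fields = @(
    (New-SPSecureStoreApplicationField -Name "Username" -Type WindowsUserName -Masked:$false),
    (New-SPSecureStoreApplicationField -Name "Password" -Type WindowsPassword -Masked:$true)
)

# 2. A Group target application: every member of the credentials owner group is mapped to the
#    one stored account. That is the many-to-one mapping described in the text; the stored
#    account should hold only the rights on the external system that the solution needs.
$target = New-SPSecureStoreTargetApplication -Name "ContosoCRM" `
    -FriendlyName "Contoso CRM (OData)" -ContactEmail "bcs-owners@contoso.com" `
    -ApplicationType Group -TimeoutInMinutes 10

$admins = New-SPClaimsPrincipal -Identity "contoso\bcs-admins" -IdentityType WindowsSecurityGroupName
$users  = New-SPClaimsPrincipal -Identity "contoso\crm-users"  -IdentityType WindowsSecurityGroupName

$app = New-SPSecureStoreApplication -ServiceContext $ctx -TargetApplication $target `
    -Fields $fields -Administrator $admins -CredentialsOwnerGroup $users

# 3. Store the account created by the external system's administrators. Prompting keeps the
#    password out of the script file and the shell transcript.
$cred   = Get-Credential -Message "Account the CRM administrators created for this solution"
$values = @((ConvertTo-SecureString $cred.UserName -AsPlainText -Force), $cred.Password)
Update-SPSecureStoreGroupCredentialMapping -Identity $app -Values $values

# 4. Connection settings object (OData sources only) that makes BCS present the Secure Store
#    credentials to the external system instead of the caller's own.
New-SPODataConnectionSetting -Name "ContosoCRM" -ServiceContext $ctx `
    -ServiceAddressURL "https://crm.contoso.com/odata" `
    -AuthenticationMode Credentials `
    -SecureStoreTargetApplicationId "ContosoCRM"

# 5. Check: RevertToSelf runs every external call as the BDC service application's own
#    identity, which defeats per-user authorization on the external system. It is off by
#    default; confirm that it has stayed off.
$bdc = Get-SPServiceApplication | Where-Object { $_.TypeName -like "*Business Data Connectivity*" }
if ($bdc.RevertToSelfAllowed) {
    Write-Warning "RevertToSelf is enabled on '$($bdc.Name)'; review which models depend on it."
}
```

Run this in the SharePoint Management Shell as a farm administrator who is also an administrator of the Secure Store Service application. The PassThrough alternative (forwarding the logged-on user's own Windows identity) requires Kerberos delegation whenever the external system is on another server, because of the double hop; Credentials with a group mapping works without delegation and still limits what the mapped account can reach, at the cost of the external system seeing one identity for the whole group.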

**The BDC Metadata Store** The BDC Metadata Store is the SQL Server database that stores the model definitions, external content types, and external system definitions.

Table: Mapping permissions on the BDC Metadata Store

| To allow a user or group to… | Give them the following permissions… | On… |
| --- | --- | --- |
| Set permissions on any object contained in the BDC Metadata Store, via propagation | SetPermissions | The BDC Metadata Store |

**The model** A model is an XML file that contains sets of descriptions of one or more external content types, the related external systems, and information that is specific to the environment, such as authentication properties.

Table: Mapping permissions on the model

| To allow a user or group to… | Give them the following permissions… | On… |
| --- | --- | --- |
| Create new models | Edit | The BDC Metadata Store |
| Edit a model | Edit | The model |
| Set permissions on a model | SetPermissions | The model |
| Import a model | Edit | The BDC Metadata Store |
| Export a model | Edit | The model and all external systems in the model |

**The external system in the BDC Metadata Store** An external system is the metadata definition of a supported source of data that can be modeled, such as a database, web service, or .NET connectivity assembly.

Table: Mapping permissions on the external system in the BDC Metadata Store

| To allow a user or group to… | Give them the following permissions… | On… |
| --- | --- | --- |
| Create new external systems | Edit | The BDC Metadata Store |
| Edit an external system | Edit | The external system object |
| Set permissions on the external system | SetPermissions | The external system object |

**External content type** An external content type is a reusable collection of metadata that defines a set of data from one or more external systems, the operations available on that data, and connectivity information related to that data.

Table: Mapping permissions on the external content type

| To allow a user or group to… | Give them the following permissions… | On… |
| --- | --- | --- |
| Create new external content types | Edit | The external system |
| Execute operations on an external content type | Execute | The external content type (the method instances of the operation) |
| Create lists of the external content type | Selectable in clients | The external content type |
| Set permissions on the external content type | SetPermissions | The external content type |

**The method** A Business Data Connectivity method is an XML definition of how Business Connectivity Services can interact with an external data source.

Table: Mapping permissions on the method

| To allow a user or group to… | Give them the following permissions… | On… |
| --- | --- | --- |
| Edit a method | Edit | The method |
| Set permissions on a method | SetPermissions | The method |

**The method instance** A method instance describes, for a particular method, how to use that method with a specific set of default values.

Table: Mapping permissions on the method instance

| To allow a user or group to… | Give them the following permissions… | On… |
| --- | --- | --- |
| Edit a method instance | Edit | The method instance |
| Execute a method instance | Execute | The method instance |
| Set permissions on a method instance | SetPermissions | The method instance |
  • **The development environment** When you develop a Business Connectivity Services solution, including the external content type and any apps for SharePoint and connection settings objects, it is a best practice to use a development environment that is separate from your production environment. In the development environment you can grant developers higher levels of permissions than you would in production.

  • **The user environment** All external data is accessed through external lists, external data columns, Business Data Web Parts, apps for SharePoint, or Office. For apps for SharePoint, you can choose to let the app for Office and SharePoint enforce permissions; in that case, any user who can access the app can access all the external data that the app surfaces. Work with site and site collection administrators to plan and implement permissions to the external data in your solution.
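As an added example that is not part of the original article, the following SharePoint Management Shell script applies the three roles and the permission tables above to the support-ticketing scenario: farm administrators get SetPermissions on the store with propagation, developers get Edit on one model, and the two help-desk tiers get Execute only on the method instances their role needs, followed by an audit of the resulting entries. The site URL, the AD groups, the model TicketModel, the entity Ticket in namespace http://contoso/tickets, and method instance names beginning with Read and Update are assumptions; the Methods and MethodInstances collections and GetAccessControlList() are the BDC administration object model as exposed on the objects the cmdlets return.

```powershell
# Added example, not from the original article. Assumed names: the site URL, the AD groups,
# the model TicketModel, the entity Ticket in namespace http://contoso/tickets, and method
# instance names starting with Read and Update. Cmdlets are from the SharePoint Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$ctx = Get-SPServiceContext -Site (Get-SPSite "https://intranet.contoso.com")

$admins = New-SPClaimsPrincipal -Identity "contoso\bcs-admins"  -IdentityType WindowsSecurityGroupName
$devs   = New-SPClaimsPrincipal -Identity "contoso\bcs-devs"    -IdentityType WindowsSecurityGroupName
$tier1  = New-SPClaimsPrincipal -Identity "contoso\helpdesk-t1" -IdentityType WindowsSecurityGroupName
$tier2  = New-SPClaimsPrincipal -Identity "contoso\helpdesk-t2" -IdentityType WindowsSecurityGroupName

# Administrative role: SetPermissions (plus Edit, needed to import models) on the store itself.
# A principal with SetPermissions can grant itself anything, so this is an administrator right.
$store = Get-SPBusinessDataCatalogMetadataObject -BdcObjectType Catalog -ServiceContext $ctx
Grant-SPBusinessDataCatalogMetadataObject -Identity $store -Principal $admins -Right SetPermissions
Grant-SPBusinessDataCatalogMetadataObject -Identity $store -Principal $admins -Right Edit

# Propagation copies the store ACL onto every child object, replacing what is there, so it
# must run before the finer-grained grants below, never after them.
Copy-SPBusinessDataCatalogAclToChildren -MetadataObject $store

# Developer role: Edit on this one model, propagated to the external systems it contains.
$model = Get-SPBusinessDataCatalogMetadataObject -BdcObjectType Model -Name "TicketModel" -ServiceContext $ctx
Grant-SPBusinessDataCatalogMetadataObject -Identity $model -Principal $devs -Right Edit
Copy-SPBusinessDataCatalogAclToChildren -MetadataObject $model

# User roles. SelectableInClients on the entity lets these groups build external lists and
# columns from it; Execute is granted per method instance, which is how the Tier I / Tier II
# split in the text is expressed.
$ticket = Get-SPBusinessDataCatalogMetadataObject -BdcObjectType Entity -Name "Ticket" `
    -Namespace "http://contoso/tickets" -ServiceContext $ctx
foreach ($group in @($tier1, $tier2)) {
    Grant-SPBusinessDataCatalogMetadataObject -Identity $ticket -Principal $group -Right SelectableInClients
}

# $ticket.Methods and $method.MethodInstances: BDC administration object-model collections on
# the entity object the cmdlet returns (assumed member names).
foreach ($method in $ticket.Methods) {
    foreach ($mi in $method.MethodInstances) {
        if ($mi.Name -like "Read*") {
            Grant-SPBusinessDataCatalogMetadataObject -Identity $mi -Principal $tier1 -Right Execute
            Grant-SPBusinessDataCatalogMetadataObject -Identity $mi -Principal $tier2 -Right Execute
        }
        elseif ($mi.Name -like "Update*") {
            Grant-SPBusinessDataCatalogMetadataObject -Identity $mi -Principal $tier2 -Right Execute
        }
    }
}

# Audit: list the entries on every method instance so a reviewer can confirm that Tier I holds
# Execute on Read* only and that nothing unexpected was inherited through propagation.
foreach ($method in $ticket.Methods) {
    foreach ($mi in $method.MethodInstances) {
        foreach ($ace in $mi.GetAccessControlList()) {
            "{0,-24} {1,-32} {2}" -f $mi.Name, $ace.Principal, $ace.Rights
        }
    }
}
```

The order matters: each Copy-SPBusinessDataCatalogAclToChildren call overwrites the ACLs beneath the object it is given, so run propagation from the administrative level first and add the narrower developer and user grants afterwards, then re-run the audit whenever a model is re-imported, because an import can reset the ACLs on the objects it replaces.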

See also

Concepts

Overview of Business Connectivity Services in SharePoint Server