Secure Store for Business Intelligence service applications

Summary: Learn how Secure Store works with Excel Services, PerformancePoint Services, and Visio Services to refresh data on SharePoint Server.

This article describes how SharePoint Server business intelligence features use the Secure Store Service to provide access to external data sources (such as SQL Server) for SharePoint Server users. For the purposes of this article, the SharePoint Server business intelligence service applications are:

  • Excel Services (SharePoint Server 2013 only)

  • PerformancePoint Services

  • Visio Services

The SharePoint Server business intelligence service applications offer two methods of data access for users:

  • Integrated Windows authentication using Constrained Kerberos delegation

  • Secure Store Service (including an unattended service account)

Excel Services and PerformancePoint Services also support the SQL Server Analysis Services (SSAS) EffectiveUserName feature for Analysis Services connections.

This article covers Secure Store and its relationship to the business intelligence service applications.

For information about configuring specific scenarios in your SharePoint Server farm, see the following articles:

Secure Store Service and the business intelligence service applications in SharePoint Server

Secure Store is a feature in SharePoint Server that helps provide access to data outside SharePoint Server (for example, SQL Server data) by allowing a business intelligence service application to use a set of credentials with data access on behalf of a SharePoint Server user who is attempting to access that data. Such use of credentials by business intelligence service applications on behalf of users is called impersonation.

Secure Store provides this mapping between business intelligence service applications, users, and credentials through the use of a target application. A Secure Store target application is a collection of metadata that specifies which users are allowed access to a particular set of credentials that a business intelligence service application will use for impersonation when accessing external data. This metadata is stored in the Secure Store database along with the credentials themselves, which are encrypted.

Secure Store target applications can be used in many ways within SharePoint Server, but for the purposes of SharePoint Server business intelligence scenarios, target applications consist of the following settings, configurable by the Farm Administrator:

  • Administrators: Target application Administrators are users who have privileges to administer a given Secure Store target application. This can be the Farm Administrator or a specific user or users, depending on your needs.

  • Members: The Members of a target application are the users on behalf of whom the business intelligence service application will impersonate the target application Credentials when it accesses external data. This could be a single user, multiple users, or an Active Directory group. Members are also referred to as Credential Owners.

  • Credentials: Target application Credentials consist of an account with direct access to data sources. (You must grant the required data access to this account directly — access to external data sources is not controlled by SharePoint Server. This should be a low-privileged account that only allows data access.) It is this account that is impersonated by business intelligence service applications to give users access to data.

The Administrators, Members, and Credentials are configurable by the Farm Administrator directly through Secure Store. Additionally, both Excel Services and PerformancePoint Services provide an option to automatically create a Secure Store target application for use with the unattended service account.

The business intelligence service applications can use Secure Store by using one of two methods:

  • Specified target application: A specific target application is specified by the Excel worksheet, Visio diagram, or PerformancePoint data source. When a user accesses the worksheet, diagram, or dashboard, Secure Store uses the credentials associated with that target application for data access.

  • No specified target application (unattended service account): The unattended service account is specified by the Excel worksheet, Visio diagram, or PerformancePoint data source. When a user accesses the worksheet, diagram, or dashboard connected to an external data source, Secure Store uses the target application specified in the Global Settings of Excel Services, Visio Services, or PerformancePoint Services. When a target application is specified globally for a business intelligence service application, the target application credentials are referred to as the unattended service account.

The basic sequence of events that occurs is as follows:

  1. A SharePoint Server user accesses a data-connected object such as an Excel Services worksheet, Visio Services diagram, or PerformancePoint Services dashboard.

  2. The business intelligence service application accesses the target application specified by the object.

  3. If the user is a Member of that target application, the credentials stored in the target application are returned and the business intelligence service application impersonates the credentials while accessing the data.

  4. The data is displayed to the user within the context of the worksheet, Visio diagram, or dashboard.
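
The sequence above, modelled as an added example (not Microsoft's code and not the Secure Store API). All class, function, and account names are hypothetical, and the model assumes the step 3 membership check applies both to a target application named by the object and to the one set in Global Settings.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TargetApplication:
    name: str
    administrators: frozenset  # who may manage this target application
    members: frozenset         # users or AD groups allowed to use the credentials
    credentials: tuple         # (account, secret); encrypted at rest in the real store

class AccessDenied(Exception):
    pass

def resolve_target_app(store, obj_target, service_global_target):
    """Step 2: use the target application named by the object, otherwise the one
    set in the service's Global Settings (the unattended service account)."""
    name = obj_target or service_global_target
    if name is None or name not in store:
        raise AccessDenied("no usable target application")
    return store[name]

def get_credentials(app, user, user_groups):
    """Step 3: credentials are returned only to Members (directly or via a group)."""
    if user in app.members or app.members & set(user_groups):
        return app.credentials
    raise AccessDenied(f"{user} is not a Member of {app.name}")

def refresh(store, user, user_groups, obj_target=None, service_global_target=None):
    """Steps 1-4: return the account the external data source sees for this request."""
    app = resolve_target_app(store, obj_target, service_global_target)
    account, _secret = get_credentials(app, user, user_groups)
    return account

# Constructed sample data (hypothetical names, placeholder secrets).
STORE = {
    "SalesData": TargetApplication(
        "SalesData", frozenset({"CONTOSO\\farmadmin"}),
        frozenset({"CONTOSO\\Sales Analysts"}),
        ("CONTOSO\\svc-sales-read", "<secret>")),
    "ExcelUnattended": TargetApplication(
        "ExcelUnattended", frozenset({"CONTOSO\\farmadmin"}),
        frozenset({"CONTOSO\\Domain Users"}),
        ("CONTOSO\\svc-excel-unattended", "<secret>")),
}
```

Every Member of a target application maps to the same stored account, so the external data source cannot tell Members apart; the Members list is the access control that matters.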

Data connection files

All of the business intelligence service applications can use data connection files to specify authentication information. Excel Services and Visio Services use Office Data Connection (.ODC) files and PerformancePoint Services uses PerformancePoint Services Data Connection (.PPSDC) files. Use of such files allows multiple Excel Services worksheets, Visio Services diagrams, or PerformancePoint Services dashboards to share a common set of data access parameters.

The SharePoint Server business intelligence service applications each use data connection files differently. For a description of how each uses data connection files, see the section for each service application, below.

Data access from client and server

Excel 2016 and Visio 2016 are client applications that function independently from SharePoint Server. Though they can publish documents to SharePoint Server, they cannot use Secure Store directly for authentication to data sources. When you create or edit a data-connected worksheet or diagram, you must use Integrated Windows authentication or another applicable authentication method to connect directly to a data source from Excel 2016 or Visio 2016. (Other authentication methods you might use include SQL Authentication or an OLEDB connection string.) Once the worksheet or diagram is published to SharePoint Server, Excel Services or Visio Services can use Secure Store to connect to the data source when it displays the content to a user.

PerformancePoint Dashboard Designer is directly integrated with SharePoint Server. Dashboard Designer can use Secure Store directly to authenticate by using the unattended service account. As a result, users of Dashboard Designer do not need direct access to data sources through Integrated Windows authentication, provided the unattended service account has the required access.

See also

Concepts

Configure the Secure Store Service in SharePoint Server

Other Resources

Plan for Visio Services in SharePoint Server