Overview of Business Connectivity Services security tasks in SharePoint Server

Summary: Understand Microsoft Business Connectivity Services security in SharePoint Server 2016 and SharePoint Server 2013.

Providing security for the data that you work with through Microsoft Business Connectivity Services (BCS) is a critical part of every BCS solution. Unlike regular SharePoint data, which is stored in a SharePoint content database, the data that BCS solutions expose lives outside of SharePoint in external systems. BCS provides the channel that SharePoint uses to reach the external data. In addition to working within the usual SharePoint Server security controls such as site access permissions and list permissions, BCS solutions have to deal with additional communication and security layers. For example, the external system might use a different authentication mechanism or provider, and require different credentials from the ones your users use to access SharePoint Server. Because there are more security layers in a BCS solution, there are more security configuration tasks involved.

The Business Connectivity Services security tasks fall to three different roles: the IT professional; the site collection administrator or site owner; and the developer. The following list describes what each role is responsible for.

  • IT professionals are responsible for managing the security of the Metadata Store and its contents. They also handle account and group administration and credential mapping in the Secure Store Service.

  • Site collection administrators and site owners are responsible for understanding the kind of security the external system uses and how to configure no-code (declarative) external content types to communicate with it. They are also responsible for planning and applying security to external lists and Business Data Web Parts.

  • BCS solution developers are responsible for understanding the kind of security that the external system uses and how to configure the BDC model to communicate with it, and for security around the development and deployment of apps for Office and SharePoint.

Business Connectivity Services security

Delegation of administration to the Business Data Connectivity service

The first task that the farm administrator should perform after creating an instance of the Business Data Connectivity service is to delegate administration of the service to a different account, preferably one without farm administrator rights. This best practice follows the principle of least privilege. The delegated account is granted the permissions it needs to open the SharePoint Central Administration website and to access the Business Data Connectivity service application. This should be the primary account used to administer the service. The only permission that can be granted or revoked on this administrators list is Full Control.
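The delegation step above, as an added PowerShell example that is not part of the original page. It uses the SharePoint Management Shell cmdlets for service application security; the service application display name, the delegated account CONTOSO\bcsadmin and the CONTOSO domain are assumed names for illustration.

```powershell
# Added example (not from the page): delegate administration of the BDC service
# application to a dedicated account that is not a farm administrator.
# Assumed names: delegated account CONTOSO\bcsadmin; the service application is
# located by its type name rather than by a hard-coded display name.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$bdcApp = Get-SPServiceApplication |
    Where-Object { $_.TypeName -like "Business Data Connectivity*" } |
    Select-Object -First 1
if (-not $bdcApp) { throw "Business Data Connectivity service application not found" }

# A service application has two ACLs: the administrators ACL (selected with
# -Admin) and the access/consumer ACL. Delegating administration means editing
# the administrators ACL only.
$adminAcl = Get-SPServiceApplicationSecurity -Identity $bdcApp -Admin

$delegate = New-SPClaimsPrincipal -Identity "CONTOSO\bcsadmin" -IdentityType WindowsSamAccountName

# "Full Control" is the only right that exists on this ACL (see the text above).
Grant-SPObjectSecurity -Identity $adminAcl -Principal $delegate -Rights "Full Control"

# Grant-SPObjectSecurity edits the in-memory object; nothing is saved until
# Set-SPServiceApplicationSecurity writes it back with the same -Admin switch.
Set-SPServiceApplicationSecurity -Identity $bdcApp -ObjectSecurity $adminAcl -Admin

# Verify who can administer the service application now.
(Get-SPServiceApplicationSecurity -Identity $bdcApp -Admin).AccessRules |
    Select-Object Name, AllowedRights
```

Run this from the SharePoint Management Shell as a farm administrator; the delegated account itself does not need to be a member of the Farm Administrators group, which is the point of the exercise.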

Managing permissions on the Metadata Store and its contents

The Metadata Store holds the external content type, external system, and BDC model definitions that the Business Data Connectivity service application uses. One of the main jobs of the BCS service administrator is to manage the security of the Metadata Store and every item it contains. Items in the Metadata Store get their permissions in two ways. First, you can apply permissions directly to the Metadata Store, BDC models, external systems, or external content types. Second, an item can inherit permissions from a higher-level item. Both methods are shown in the following figure.

Figure: Metadata Store permissions (diagram showing permissions applied directly to, and inherited through, the Metadata Store, BDC model, external system, and external content type hierarchy)

  • Inheritance: Inheritance happens in two ways. First, when any item is added to the Metadata Store, it inherits the permissions configuration of the Metadata Store itself. Second, the Metadata Store, external system, and external content type items can forcibly overwrite the permissions of the items below them in the hierarchy. This happens when you select the Propagate permissions to all option and click OK while setting permissions on the parent item.

  • Direct application: If the permissions an item has do not meet your needs, you can adjust them manually on that item.

You can directly apply four permissions:

  • Edit: Allows the user or group to edit the item.

  • Execute: Allows the user or group to execute the operations (create, read, update, delete, query) of external content types in the Metadata Store. All users of a BCS solution must have Execute permission on the associated external content type.

  • Selectable in Clients: Allows the user or group to use the external content type for external lists and apps for SharePoint by making it available in the external item picker.

  • Set Permissions: Allows the user or group to set permissions on the item. Every item must have at least one user or group that has the Set Permissions permission.

Recommendations for managing Metadata Store permissions

  1. Pick one account, probably your Business Connectivity Services administrator account, and grant it Set Permissions at the Metadata Store level. This satisfies the requirement that every item has one user or group with Set Permissions, and does so with a securely managed administrative account. If you do not explicitly set an account, the farm account is used by default. Do not select the Propagate permissions to all option; it is not needed, because every item inherits this configuration when it is added to the Metadata Store, and leaving it unselected also prevents unnecessary accounts from gaining access to external systems, BDC models, or external content types that they should not have.

  2. Use the direct-application method to configure permissions on individual items, again without selecting the Propagate permissions to all option. This lets you maintain a unique permissions configuration on each object.

  3. Periodically, as part of your maintenance and operational plans, review the permissions configuration starting at the Metadata Store level and moving down the hierarchy to ensure that each item has the correct permissions. If the configuration has drifted from what it should be, reconfigure it manually.

  4. Use the Propagate permissions to all option only when you must completely reset all permissions on a parent item and all of its children. This is a destructive operation: all custom permissions on child items are lost, and BCS solutions can break for the users or groups whose permissions are removed.
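The four recommendations above, carried out with the BDC metadata cmdlets, as an added example that is not part of the original page. The service context URL http://contoso, the administrator account CONTOSO\bcsadmin, the AD group CONTOSO\CrmUsers, and the external content type Customer in namespace Contoso.Crm are assumed names; the ACL-listing helper relies on the GetAccessControlList method of the BDC administration object model, which is assumed to be exposed on the objects the cmdlet returns.

```powershell
# Added example (not from the page): apply recommendations 1 and 2 with the BDC
# cmdlets, audit the hierarchy top-down for recommendation 3, and keep the
# destructive propagation of recommendation 4 behind an explicit opt-in.
# Assumed names: service context http://contoso, administrator CONTOSO\bcsadmin,
# AD group CONTOSO\CrmUsers, external content type "Customer" in "Contoso.Crm".
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$ctx      = "http://contoso"
$admin    = New-SPClaimsPrincipal -Identity "CONTOSO\bcsadmin" -IdentityType WindowsSamAccountName
$crmUsers = New-SPClaimsPrincipal -Identity "CONTOSO\CrmUsers"  -IdentityType WindowsSamAccountName

# Recommendation 1: Set Permissions for the administrator at the Metadata Store
# (Catalog) level. Items added later inherit it, so propagation is deliberately
# NOT run here.
$catalog = Get-SPBusinessDataCatalogMetadataObject -BdcObjectType Catalog -ServiceContext $ctx
Grant-SPBusinessDataCatalogMetadataObject -Identity $catalog -Principal $admin -Right "SetPermissions"

# Recommendation 2: direct application on one external content type only.
# Execute lets the group run the type's CRUDQ operations; SelectableInClients
# lets the type be used for external lists and in the external item picker.
$entity = Get-SPBusinessDataCatalogMetadataObject -BdcObjectType Entity -ServiceContext $ctx `
    -Namespace "Contoso.Crm" -Name "Customer"
Grant-SPBusinessDataCatalogMetadataObject -Identity $entity -Principal $crmUsers -Right "Execute,SelectableInClients"

# Recommendation 3: review from the Metadata Store down. GetAccessControlList()
# is the BDC administration object model call (assumed available on these
# objects); each entry carries a principal and its rights.
function Show-BdcAcl {
    param([Parameter(Mandatory)] $Object, [string] $Label)
    foreach ($ace in $Object.GetAccessControlList()) {
        "{0,-40} {1,-30} {2}" -f $Label, $ace.Principal.Name, $ace.Rights
    }
}
Show-BdcAcl -Object $catalog -Label "Catalog"
foreach ($lob in Get-SPBusinessDataCatalogMetadataObject -BdcObjectType LobSystem -ServiceContext $ctx) {
    Show-BdcAcl -Object $lob -Label ("LobSystem:" + $lob.Name)
}
foreach ($ect in Get-SPBusinessDataCatalogMetadataObject -BdcObjectType Entity -ServiceContext $ctx) {
    Show-BdcAcl -Object $ect -Label ("Entity:" + $ect.Name)
}

# Recommendation 4: propagation overwrites every child ACL. Require an explicit
# switch so it cannot run by accident during routine maintenance.
$ResetAllChildPermissions = $false
if ($ResetAllChildPermissions) {
    Copy-SPBusinessDataCatalogAclToChildren -MetadataObject $catalog
}
```

The audit output is a flat table of object, principal and rights; diffing two runs of it is a simple way to spot the drift that recommendation 3 asks you to look for.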

Mapping accounts and groups in Secure Store Service

BCS cannot pass a user's credentials outside of the SharePoint Server farm to the external system where the data resides unless you have configured Kerberos constrained delegation. Kerberos constrained delegation can be challenging to configure and maintain. As an alternative, you can use the Secure Store Service. With Secure Store, you map a group of users to a set of credentials that BCS uses to access the external system on their behalf.

There are two ways to configure your mappings:

  • Group mapping: In a group mapping target application, you add AD DS user accounts and security groups to Secure Store and map them to a single set of credentials for the external system. This is the easiest way to manage access to a BCS solution. Because the external system sees only the mapped account, it cannot distinguish individual users; per-user authorization and auditing must then be enforced on the SharePoint side.

  • Individual mapping: In an individual mapping target application, you can map only a single AD DS user account to a single set of credentials for the external system. This is essentially a 1:1 mapping. You would generally do this if you have very few accounts to manage or if you want to track access and activity per user on the external system.
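The two mapping styles above, created with the Secure Store cmdlets, as an added example that is not part of the original page. The service context http://contoso, target application names, the administrator CONTOSO\bcsadmin, the AD group CONTOSO\CrmUsers, the user CONTOSO\jdoe and the external-system login svc_crm are assumed names.

```powershell
# Added example (not from the page): a group-mapping target application that
# maps an AD group to one set of external-system credentials, and an
# individual-mapping target application that maps one user 1:1.
# Assumed names: service context http://contoso, admin CONTOSO\bcsadmin,
# group CONTOSO\CrmUsers, user CONTOSO\jdoe, external login svc_crm.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$ctx   = "http://contoso"
$admin = New-SPClaimsPrincipal -Identity "CONTOSO\bcsadmin" -IdentityType WindowsSamAccountName
$group = New-SPClaimsPrincipal -Identity "CONTOSO\CrmUsers" -IdentityType WindowsSamAccountName
$user  = New-SPClaimsPrincipal -Identity "CONTOSO\jdoe"     -IdentityType WindowsSamAccountName

# Fields the external system expects. The password field is masked so it is
# never displayed in Central Administration.
$fields = @(
    (New-SPSecureStoreApplicationField -Name "UserName" -Type WindowsUserName -Masked:$false),
    (New-SPSecureStoreApplicationField -Name "Password" -Type WindowsPassword -Masked:$true)
)

# Read the external-system password once instead of hard-coding it in a script.
$externalPassword = Read-Host -AsSecureString "Password for svc_crm"
# Credential values must be SecureStrings in the same order as $fields.
$values = @(
    (ConvertTo-SecureString "CONTOSO\svc_crm" -AsPlainText -Force),
    $externalPassword
)

# --- Group mapping: everyone in CredentialsOwnerGroup shares one credential set.
$groupTarget = New-SPSecureStoreTargetApplication -Name "ContosoCrmGroup" `
    -DisplayName "Contoso CRM (group)" -ContactEmail "bcsadmin@contoso.com" -ApplicationType Group
$groupApp = New-SPSecureStoreApplication -ServiceContext $ctx -TargetApplication $groupTarget `
    -Administrator $admin -CredentialsOwnerGroup $group -Fields $fields
Update-SPSecureStoreGroupCredentialMapping -Identity $groupApp -Values $values

# --- Individual mapping: a credential set is stored per principal, so the
# external system can attribute activity to one user.
$indivTarget = New-SPSecureStoreTargetApplication -Name "ContosoCrmIndividual" `
    -DisplayName "Contoso CRM (individual)" -ContactEmail "bcsadmin@contoso.com" -ApplicationType Individual
$indivApp = New-SPSecureStoreApplication -ServiceContext $ctx -TargetApplication $indivTarget `
    -Administrator $admin -Fields $fields
Update-SPSecureStoreCredentialMapping -Identity $indivApp -Principal $user -Values $values
```

The BDC model or external content type then references the target application by name (ContosoCrmGroup or ContosoCrmIndividual in this example) as its Secure Store application ID; the Secure Store Service must already be provisioned and its master key generated before these cmdlets will succeed.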

Managing permissions on the Business Data Connectivity Service application

By default, every web application in your farm is granted access to the Business Data Connectivity Service application through the server farm account. If you want to restrict access to only certain web applications, remove the server farm account and add the application pool identity account of each web application that should have access. In this way you control which web applications can use the Business Data Connectivity Service application. For more information, see Set permissions to published service applications in SharePoint Server.
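The restriction described above, as an added PowerShell example that is not part of the original page. It edits the service application's access (consumer) ACL rather than the administrators ACL; the web application URL http://intranet.contoso.com and the farm account CONTOSO\svc_farm are assumed names, and the application pool identity is read from the web application rather than typed by hand.

```powershell
# Added example (not from the page): allow only one web application to consume
# the BDC service application by granting its application pool identity and
# revoking the farm account from the access ACL.
# Assumed names: web application http://intranet.contoso.com, farm account
# CONTOSO\svc_farm.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$bdcApp = Get-SPServiceApplication |
    Where-Object { $_.TypeName -like "Business Data Connectivity*" } |
    Select-Object -First 1
if (-not $bdcApp) { throw "Business Data Connectivity service application not found" }

# Without -Admin this is the access ACL that decides which callers may use the
# service application, not the list of who administers it.
$acl = Get-SPServiceApplicationSecurity -Identity $bdcApp

# Resolve the pool identity from the web application itself so the wrong
# account is not granted by mistake.
$webApp   = Get-SPWebApplication "http://intranet.contoso.com"
$poolUser = $webApp.ApplicationPool.Username
Write-Host "Granting access to application pool identity $poolUser"

$poolPrincipal = New-SPClaimsPrincipal -Identity $poolUser -IdentityType WindowsSamAccountName
$farmPrincipal = New-SPClaimsPrincipal -Identity "CONTOSO\svc_farm" -IdentityType WindowsSamAccountName

# Grant first, then revoke, so there is never a moment with no consumer at all.
Grant-SPObjectSecurity  -Identity $acl -Principal $poolPrincipal -Rights "Full Control"
Revoke-SPObjectSecurity -Identity $acl -Principal $farmPrincipal

# Persist the modified ACL.
Set-SPServiceApplicationSecurity -Identity $bdcApp -ObjectSecurity $acl

# Verify the resulting consumer list.
(Get-SPServiceApplicationSecurity -Identity $bdcApp).AccessRules |
    Select-Object Name, AllowedRights
```

Before revoking the farm account, check which application pools actually run as that account (including Central Administration's); any web application whose pool identity is the farm account loses BDC access the moment the ACL is saved.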

If you are publishing the Business Data Connectivity Service application to other farms, you also have to add the farm IDs of the consuming farms. For more information, see Share service applications across farms in SharePoint Server.

See also

Concepts

Overview of Business Connectivity Services in SharePoint Server