Plan Visio Services security in SharePoint Server

Summary: Learn about security considerations for data-connected diagrams rendered in Visio Services.

In addition to the security requirements for deploying SharePoint Server, you should also review the security considerations for a deployment that includes Visio Services. Visio Services renders Visio diagrams in a browser window. These diagrams can be connected to external data, and diagram elements can be updated based on that data. Security is an important component of enabling these data-rendering scenarios. Visio Services gives you fine-grained control over how Visio diagrams are processed and displayed and over which data sources they can connect to.

Store Visio diagrams in SharePoint document libraries

Visio diagrams must be stored in SharePoint document libraries to be opened by Visio Services. SharePoint Server maintains an access control list (ACL) for the files contained in a document library. By setting the library permissions correctly you can limit access to a particular diagram.

Visio diagrams that are connected to data

The Visio Graphics Service can connect to data sources, including SharePoint lists (including external lists), databases such as SQL Server, and custom data sources. You control access to specific data sources by explicitly defining which data providers are trusted and configuring them in the list of trusted data providers.

Note

Visio Services accesses external data sources by using a delegated Windows identity. Consequently, external data sources must reside in the same domain as the SharePoint Server farm, or Visio Services must be configured to use the Secure Store Service. If Secure Store is not used and an external data source does not reside in the same domain, authentication to that data source will fail.

When Visio Services loads a data-connected diagram, the service checks the connection information stored in the diagram to determine whether the specified data provider is a trusted data provider. If the provider is on the Visio Services trusted data provider list, a connection is attempted; otherwise, the connection request is ignored.

Once an administrator has configured Visio Services to allow connections to a particular data source, additional security configuration may be required, depending on the kind of data source. Visio Services supports the following data sources:

  • SharePoint lists, including external lists enabled through Microsoft Business Connectivity Services

  • Databases such as SQL Server databases

  • Custom data providers

Visio diagrams that are connected to SharePoint lists

Visio diagrams can be connected to SharePoint lists on the same farm that hosts the diagram. The user viewing the diagram must have access to both the diagram and the SharePoint list that the diagram is connected to. These permissions and credentials are managed by SharePoint Server.

Visio diagrams can also be connected to external lists by using Microsoft Business Connectivity Services. External lists exposed through a Microsoft Business Connectivity Services External Content Type can be connected to a Visio diagram in Visio, and the data can be refreshed through Visio Services. For a user to access data in an external list, the user must have permission to access the External Content Type and permission to access the external data source.

Visio diagrams that are connected to SQL Server databases

When a Visio diagram is connected to a SQL Server database, Visio Services uses additional security configuration options to establish the connection between the Visio Graphics Service and the database.

The authentication methods supported by Visio Services are as follows:

  • Integrated Windows authentication In this security model the Visio Graphics Service uses the diagram viewer's identity to authenticate to the database. Integrated Windows authentication with Kerberos constrained delegation provides stronger security than the other authentication methods in this list. This configuration requires Kerberos constrained delegation to be enabled between the application server that runs the Visio Graphics Service and the database server. The database itself might require additional configuration to enable Kerberos-based authentication.

  • Secure Store Service In this security model the Visio Graphics Service uses the Secure Store Service to map the user's credentials to a different credential that has access to the database. Secure Store supports individual and group mappings for both Integrated Windows authentication and other forms of authentication, such as SQL Server Authentication. This gives administrators more flexibility in defining one-to-one, many-to-one, or many-to-many relationships.

  • Unattended service account For ease of configuration, the Visio Graphics Service provides a special configuration in which an administrator creates a single mapping that associates all users with one account by using a Secure Store target application. This mapped account, known as the unattended service account, must be a low-privilege Windows domain account that is granted access to the databases. The Visio Graphics Service impersonates this account when it connects to the database if no other authentication method is specified. Note that this approach does not enable personalized (per-user) queries against the database and does not provide per-user auditing of database calls. This is the default authentication method for connections to SQL Server databases: if the Visio diagram does not use an ODC file that specifies a different authentication method, Visio Services connects to the SQL Server database with the credentials specified by the unattended account.

In a larger server farm, Visio diagrams are likely to use a mix of the authentication methods described here. It is important to be aware of the following points:

  • Visio Services supports using both Secure Store and the unattended service account in the same farm. For diagrams that are connected to SQL Server data but do not use ODC files, the unattended account is required and is always used.

  • If Integrated Windows authentication is selected and authentication to the data source fails, Visio Services does not fall back to rendering the diagram with the unattended service account.

  • Integrated Windows authentication can be used together with Secure Store by configuring the diagrams that require specific credentials to use a Secure Store target application.
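The following PowerShell script is an added example, not part of the original article, that audits the two settings this section and the trusted data provider section describe: the trusted data provider list and the unattended service account mapping. It assumes the SharePoint Management Shell on a farm server, at least one Visio Graphics Service application, and that the object returned by Get-SPVisioExternalData exposes an UnattendedServiceAccountApplicationID property (an assumption; confirm with Format-List *).

```powershell
# Added example: audit Visio Services trust and authentication settings.
# Assumes the SharePoint Management Shell; property names on returned objects
# are assumptions, verify them with "| Format-List *" on your farm.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

foreach ($vgs in Get-SPVisioServiceApplication) {
    Write-Host "== Visio Graphics Service application: $($vgs.Name)"

    # 1. Trusted data providers. A diagram whose connection names a provider
    #    that is not on this list has its connection request ignored, so every
    #    entry here is a data source the farm is willing to reach on behalf of
    #    diagram viewers. Review the list for providers nobody needs any more.
    Write-Host "-- Trusted data providers:"
    Get-SPVisioSafeDataProvider -VisioServiceApplication $vgs |
        Select-Object DataProviderId, DataProviderType, Description |
        Format-Table -AutoSize

    # 2. Unattended service account. Every SQL Server connection from a diagram
    #    without an ODC file uses this single identity, which gives the database
    #    no per-user queries and no per-user audit trail. Knowing whether it is
    #    set, and which Secure Store target backs it, is the first audit step.
    $ext   = Get-SPVisioExternalData -VisioServiceApplication $vgs
    $appId = $ext.UnattendedServiceAccountApplicationID   # assumed property name
    if ([string]::IsNullOrEmpty($appId)) {
        Write-Host "-- Unattended service account: NOT configured."
        Write-Host "   Diagrams connected to SQL Server without an ODC file cannot refresh."
    } else {
        Write-Host "-- Unattended service account: Secure Store target application '$appId'"
        Write-Host "   Confirm this target maps to a low-privilege domain account and that"
        Write-Host "   diagrams needing per-user access use an ODC file with Integrated"
        Write-Host "   Windows authentication or their own Secure Store target application."
    }
}
```

To change the mapping after review, Set-SPVisioExternalData with -UnattendedServiceAccountApplicationID points the service at a different Secure Store target application; the provider list is edited with New-SPVisioSafeDataProvider and Remove-SPVisioSafeDataProvider.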

See also

Other Resources

Secure Store Service for Business Intelligence service applications