312 Part II Administrating and Configuring Your Implementation Adding Documents to the Library Once you've opened the specific library you want to work with, you can add documents to the library using several different methods: ■ Using the upload commands ■ Using Explorer View ■ Using WebDav Adding Documents by Using the Upload Commands There are several ways available to you to add documents to a library The two most common methods used are the Upload Document and Upload Multiple Documents options, which are available from the main Upload menu, as shown in Figure 9-2 Figure 9-2 Uploading commands The Upload Document command allows you to upload a single file at a time and, if you have versioning turned on, to add a version comment to the file This page recognizes any custom columns created on the document library and will present the user with a data entry form to populate any required values Selecting the Upload Multiple Documents command opens the Upload Document page with an embedded tree view control that allows you to upload multiple files from the same folder and appears as shown in Figure 9-3 A limitation of the control is that it does not support uploading entire folders or uploading files from multiple folders This page makes use of the Microsoft Office Multiple Upload Control (STSUPLD.DLL), an ActiveX control that is installed with the Microsoft Office system Therefore, the command will not normally be available if you are using the Web browser on a machine that does not have Microsoft Office 2003 or the 2007 Microsoft Office system installed Chapter Figure 9-3 Document Management Upload Multiple Documents command Internet Explorer security settings can also affect the behavior of this control If the Script ActiveX Controls Marked Safe For Scripting option (found under Tools\Internet Options\Custom Level) is set to Disable, SharePoint removes the command from the Upload menu of the document library because it would not be able to load on the page displayed to the user One disadvantage of this ActiveX control is that it is not aware of custom columns in SharePoint libraries, and as a result it will not prompt you to fill in these values during the upload The columns will either be populated with default values or remain blank You will have to go back to the library after the documents are uploaded and retroactively update the metadata Important If you have custom columns that are marked as “required,” warn users about using any of the multiple document upload techniques because they will not be prompted to enter the required data during upload Adding Documents by Using Explorer View The Explorer View, shown in Figure 9-4, is available from the View menu on the right side of the document library and provides another way of uploading documents to the library In Explorer View, users can drag files from the file system on their local computer and drop them into the library Explorer View requires that the client computer has installed Internet Explorer 5.0 or later and Web Folders, which are installed by default on Windows XP Professional and all versions of Microsoft Office beginning with Microsoft Office 2000 313 314 Part II Administrating and Configuring Your Implementation Figure 9-4 Explorer View Note The Explorer View also supports many drag-and-drop features, allowing users to move and copy documents between folders as they would in Windows Explorer To fully use these features, the security settings in Internet Explorer must be modified and the Launching Programs And Files In An IFRAME option must be set to Enable Choosing an Upload Method One consideration in selecting which technique to use for uploading large numbers of files would be how the interface responds to copy errors The Multiple Upload ActiveX control will stop uploading the moment it encounters an error, and there is not a mechanism to automatically resume where the upload left off You will usually have to attempt to determine the last file uploaded and start the upload from that point or start the upload from the beginning When using the Explorer View or WebDAV link, you will get a pop-up error message for each document that fails to copy, and the upload will pause until you click the OK button to continue The upload will then skip the problem file and continue on Another consideration is the relative performance of the upload process Uploading files through the Explorer View or WebDAV interfaces will support an upload rate of MB per second and sometimes more Using the Upload Multiple control results in an upload rate only slightly slower on average However, uploading individual files with the Upload Document command may take 50 percent longer than the other methods The actual performance you can expect will depend on the server workload and available network bandwidth Adding Documents by Using WebDAV The Windows Explorer also provides a built-in method for connecting to SharePoint libraries through the WebDAV (Web Distributed Authoring and Versioning) protocol This is the same protocol used by the Explorer View WebDAV is natively supported by Chapter Document Management SharePoint Server 2007 and allows you to view and work with the documents in the library as if they were folders on the file system The easiest way to invoke a WebDAV connection is to select the Open With Windows Explorer command from the Actions menu of the document library The window that appears will look much like the Explorer View window, but it is no longer embedded inside the Internet Explorer browser One of the features integrating SharePoint Server 2007 and Windows is that you will usually find, after accessing a document library through either Explorer View or the Open With Windows Explorer commands, that a shortcut to that library has been created for you under My Network Places If you want to create a shortcut manually, follow these steps: Open Windows Explorer, and click My Network Places Double-click Add Network Place Click Next Select the Choose Another Network Location option, and click Next Type the URL to the document library in SharePoint Server 2007 (for example, http://contoso.msft/projects/documents), and click Next (You might be prompted for a user name and password.) Type in a name for the connection, and click Next Click Finish In addition to creating a shortcut under My Network Places, you can also use WebDAV to map a network drive to a library This is particularly useful for allowing document imaging and processing software to write to a target drive that deposits the files directly into SharePoint To map a network drive to a document library, follow these steps: Open Windows Explorer Click Tools, and then click Map Network Drive Select a drive letter from the drop-down list In the Folder box, type the path to the site and document library in the following format: \\server_name\site_name\document_library Click Finish A new window opens that displays the contents of the document library 315 316 Part II Administrating and Configuring Your Implementation Naming Web Folder Client Connections It is highly possible that your users will end up working in many different document libraries throughout the life of your deployment Because of this, we recommend that you consider implementing a naming convention for your document libraries The Web folder client’s name is built using the following convention: on If your users regularly use the default “Shared Documents” library, then they can expect to have duplicate iterations of “Shared Documents on ” in their My Network Places, which really doesn’t help them know, intuitively, which Shared Documents library they are trying to connect to Because the Web folder client name is built off of the document library’s object name, changing the display name in the properties of the document library will not solve the problem of users having duplicate Web folder client names Best practice, then, is to ensure that your site templates don’t create document libraries called “Shared Documents” and that users are forced to create new document libraries based on a naming convention that makes sense for your organization This way, the Web folder client names will not only make sense, you’ll have very little, if any, duplication Working With Documents in the Document Library Once you've added documents to the library, you can work with them in various ways including: ■ Checking them out to edit them ■ Checking them back into the library ■ Managing versioning and permissions ■ Marking documents final Checking Out and Editing Documents Document libraries support two modes of file locking: explicit and implicit Explicit locking occurs when you select the Check Out command from the document drop-down list, as displayed in Figure 9-5 The icon next to the file in the library changes to display a green arrow, and no other user can edit the document until it is checked in Implicit locking occurs when you open a document for editing by selecting the Edit In [program] com- Chapter Document Management mand from the document menu without explicitly checking out the file The file will automatically be locked by SharePoint, thus preventing others from saving changes to the file Although both forms of locking prevent other users from saving changes while the document is open, explicit check out has the following advantages: ■ Identification The Checked Out To column of the library can be used to see which documents are currently locked by another user and who to contact if the documents need to be unlocked ■ Privacy ■ Offline Sandbox Checking out a document puts a copy of it in the SharePoint While a document is explicitly checked out, changes made to the document, and new versions of it uploaded to the server, will not be seen by other users until the document is checked in again Drafts folder in the user’s My Documents directory Changes made to the document are saved to the local file until it is checked into SharePoint again, at which point the changes are copied to the server and the draft is deleted The location for files to be cached to can be changed by opening the 2007 Microsoft Office system application Options dialog box and selecting the Save tab The folder location can be edited in the Server Drafts Location box Checking In Documents When you have completed modifying a document and uploading it to the document library, you need to use the Check In command to remove the exclusive lock on the file and allow others to see your changes Some programs, such as Microsoft Office Word 2007, prompt you to check in your document when you close the application after saving the document to the library If a user leaves a document checked out, any user with the Override Check Out list right can either force the document to be checked in or discard the check out By default, the permission levels that have this right are Full Control, Design, Approve, and Manage Hierarchy Discarding the check out will cause any changes that have been saved to the file in the document library since the last check in to be lost Requiring Check Out Because explicit check out is such a valuable feature of SharePoint, there is an option to force an explicit check out any time a user edits or updates a document This option is found on the Versioning Settings page of the Document Library Settings, and it applies to all changes to the file regardless of how it is accessed Any time a user attempts to open a document, he will be prompted to choose between Read Only and Check Out And Edit (See Figure 9-5.) If the user chooses Read Only, most edit commands available in the document are disabled and the document cannot be saved back to the document library 317 318 Part II Administrating and Configuring Your Implementation Figure 9-5 The Check Out option When the document is open, the user will see an option on the Document Actions bar to check out the document for editing, if it isn’t already checked out If the Require Check Out option is not enabled, SharePoint will place an implicit lock on the document that is exclusive to the user who opens the document Other users will not be able to overwrite the document while it is locked, but there will be no indication in SharePoint that the document is locked until another user tries to open it Managing Document Versioning SharePoint Server 2007 offers several options for versioning, as displayed in Figure 9-6 These settings can be controlled separately for each document library and are located on the Versioning Settings page under Document Library Settings A best practice is to configure the site templates for your organization to have predefined document libraries with the versioning setting already set according to your organization policies Figure 9-6 Versioning settings Chapter Document Management Understanding Major and Minor Versions Major and minor versioning was part of the workspace in SharePoint Portal Server 2001 Microsoft removed this feature in Windows SharePoint Services 2.0 but has brought it back as part of the collaboration feature set in Windows SharePoint Services 3.0 Major versions are intended to be “published” versions, while minor versions are intended to be “in draft” versions You can have a major version published, such as version 2.0, and be working on a new draft for the next published version New drafts for the next published version are incremented as 2.1, 2.2, and so forth The following settings are found on the Version Settings page: ■ None No previous versions of the document are saved When a new copy of a document is uploaded or saved to the server, it overwrites the existing copy of the document This option is useful for conserving space on the server, as only one copy of the document is saved When other versioning options are used, a copy of the entire document will be saved with each new version, increasing the storage requirements of the SQL Server database ■ Major Versions Only ■ Major And Minor Versions Versions of documents are numbered using a decimal notation scheme (for example, 1.0, 1.1, 1.2, 2.0, 2.1, and so on) Versions ending with are major versions, and all others are draft versions When the Major And Minor Versions option is selected, all users with Read permissions can access major versions of documents and you control which categories of users can view the minor versions—either those with Read permissions, those with Edit permissions, or only those with Approve permissions All versions are saved with a simple numbering scheme (for example, 1, 2, 3, and so on) No distinction is made between draft versions and published versions, so every time a new version of a document is saved to the server it is viewable by all site users To conserve space, you can set a limit on the maximum number of versions that will be saved on the server You can use the versioning feature of SharePoint Server 2007 to preserve the change history of a document as it moves through its life cycle of edits and revisions To view previous versions of a document, select Version History from the document drop-down menu From the Version History page, you can view and delete individual past versions of documents You can also use the Restore command to roll back to a previous version of the document by making a copy of it and setting it as the current version Setting Version Limits It is important to realize that SharePoint stores a complete binary copy of every version of your document in the SQL Server database To illustrate, if you have a document that is 250 KB in size and you create three past versions of it along with the current version, a total of 1000 KB will be stored in the database along with appropriate metadata for each version This formula applies equally to both major and minor versions 319 320 Part II Administrating and Configuring Your Implementation Important If the Require Check Out option is not enabled and a user forgets to check out the document first, a new version will be created every time a user saves the document to the server This can lead to hundreds of versions of a document over time If the document is checked out before it is edited, all changes will be saved to the same checked-out version To conserve the amount of space used by the content database, it might be a good idea to restrict the number of versions that will be saved over time You can specify how many major and minor versions will be retained in a document library as users make changes to documents The setting for minor versions does not limit the number of drafts that will be kept for each major version; it limits the number of major versions that will retain their draft copies That is, if you have minor versioning enabled, an unlimited number of minor versions will be retained for each major version, but you can limit how many major versions will retain the draft copies with them Comparing Versions While working with the current version of a document, you might want to know how it compares with a previous version of the same document Word 2007 has been enhanced to include an integrated comparison tool to allow you to quickly view the differences between documents The comparison feature uses the document’s connection to the SharePoint document library to retrieve information about previous versions so that users don’t have to browse to the file location By default, the comparison appears in a new document with the original and revised documents displayed in side windows and the changes identified by formatting marks There are five comparison options: ■ Compare With Most Recent Major Version This option provides a quick comparison between the current document and the last major (published) version on the server ■ Compare With Most Recent Version This option provides a comparison with the last minor (draft) version on the server ■ Compare With A Specific Version This option allows the user to select which previous version to compare with the current version ■ Compare Two Versions Of A Document (Legal Blackline) ■ Combine Revisions From Multiple Authors This option is an allpurpose comparison that allows the user to view a comparison between two different documents This option takes changes from multiple documents and merges them into one document Chapter Document Management To begin comparing documents, complete the following steps: Open the document that you want to compare with another version Click the Review tab in Word 2007 Click Compare If the document you have open has a connection to a SharePoint document library, you will see all five comparison options Otherwise, you will see only the last two Choose the comparison method you want to use Select the Comparison settings you want to use These settings allow you to specify exactly which types of changes you want to compare, such as Comments, Formatting, Case Changes, and so on Select the Show Changes settings you want to use These settings define whether the comparison will be performed at the word or character level and whether the resulting comparison will appear in the original document, the revised document, or a new document Approving and Publishing Documents The document approval process built into libraries allows you to place all documents into a Pending status until they are approved by a user with the Approver permissions When content approval is enabled, any changes made to documents are considered to be in a draft state and are not visible to users who have only Read permissions When an Approver approves the changes, all users can view the approved version The approval process can be used without document versioning, but when combined, they create a powerful mechanism to formalize document change management in your organization The Versioning settings, described in the following list, control how the approval process works: ■ No Versioning ■ Major Versioning Only ■ Major And Minor Versioning SharePoint makes a copy of the document when changes are saved so that users with Read permissions can still access it, and the document is marked as Pending When the new version of the document is approved, the old version of the document is discarded and all users can view the approved version When a document is edited and saved to the server, it is placed in a Pending state and only the previous version is available to users with Read permission When the document is approved, the current version becomes available and the previous version is retained Under this model, all changes to documents are automatically saved as draft (minor) versions with an incrementing decimal in the version number To start the approval process, you must select the Publish A Major 321 414 Part II Administrating and Configuring Your Implementation information about this topic in the Microsoft Office SharePoint Server 2007 Software Development Kit (http://msdn2.microsoft.com/en-us/library/ms400563.aspx ), which is excellent reading for both developers and administrators This chapter attempts to describe some key elements of the BDC from an administrator’s perspective You’ll learn about the BDC and how to use it You’ll look at the architecture of the BDC, including the security options Then you’ll take a look at managing the data connections and using the BDC features What Is the Business Data Catalog? The BDC is a shared service of SharePoint Server 2007 Enterprise Edition that bridges the gap between the various applications (from Siebel, Customer Relationship Management (CRM), and SAP to SharePoint sites, lists, search functions, and user profiles) that an organization uses for key business data The Information Bridge Framework (IBF) provided a standard way to integrate business application data with Microsoft Office desktop programs, using the smart tag and smart document functionality IBF is targeted at users of Microsoft Office desktop applications and requires developers to define both the method of displaying the business data, as well as its format Therefore it is complex to implement The BDC is the next evolution of IBF and provides an alternative method of exposing business data using SharePoint Server 2007 through the BDC application program interfaces (APIs) SharePoint Server 2007 provides a browser interface and a number of related Business Data Web Parts and therefore is not as complex to implement or deploy The BDC is Microsoft’s strategic integration technology, and it plans to expand BDC further .More information on IBF can be found at http://msdn.microsoft.com/office /tool/ibf/default.aspx and information on Line of Business Interoperability (LOBi) for Office SharePoint Server 2007 can be found at http://msdn.microsoft.com/office/tool /OBA/default.aspx By using BDC, an organization can accomplish the following objectives: ■ Reduce or eliminate the code required to access Line-of-Business (LOB) systems ■ Achieve deeper integration of data into places where a user works ■ Centralize deployment of data source definitions An organization typically will not define all the data it uses, only the most important data in the BDC ■ Reduce latency to data, because once a data source is defined in the BDC it will be immediately available on the Web farm ■ Centralize data security auditing and connections ■ Perform structured data searches Chapter 12 Administrating Data Connections Understanding the Business Data Catalog Architecture The BDC uses ADO.NET, OLEDB, or ODBC drivers to connect to practically all popular databases, and it can also use Web services to connect to business applications that support that method of retrieving data For example, using the BDC, you can display data from SAP or Siebel applications using Web services Before the business data can be used within SharePoint Server 2007, it must be declared A single XML file details the data connection and data formats, known as metadata, for a data source or business application—that is, the metadata describes the APIs of the data source or business application Administrators use this XML file, known as the application definition file (ADF), to register the data source in the BDC Thereafter, SharePoint Server 2007 uses the declared APIs to access data from the data sources or business applications Note The BDC is not the only Microsoft technology with which you use an ADF file You use an ADF to build a notification application on the SQL Server 2005 Notification Services platform Each ADF at the moment conforms to a different schema The BDC is a shared service—ust as user profiles, My Site, audiences, and Excel Services are—and therefore, it stores the metadata defined in the ADF within a set of SQL Server tables in a Shared Services database All the tables associated with the BDC are prefixed with the two characters AR, which stand for Application Registry, the initial name for the BDC After the metadata is imported into SharePoint Server 2007, the LOB data is made immediately available to any Web applications associated with that Shared Services Provider (SSP) by using one of the following features: ■ Business Data Web Parts, of which there are six included with SharePoint Server 2007 ■ Business Data in lists and libraries ■ Business Data actions This feature allows you to use the business application user interfaces and forms that you might already use and don’t want to rewrite ■ Links to business data Wherever business data is exposed, it is possible to display a link to it ■ Business Data search SharePoint Server 2007 can index LOB systems registered in the BDC, and therefore, users can search from data held in any business application This makes the search function more powerful without a great deal of work ■ Business Data in user profiles For the very first time, with SharePoint Server 2007, you can now place enterprise data in the user profile store 415 416 Part II ■ Administrating and Configuring Your Implementation Custom code developed by using the administrator or runtime application programming interfaces (APIs) If custom Web Parts are required, developers can develop code against the BDC API instead of a multitude of APIs Figure 12-1 shows the high-level interaction between the data sources, metadata, features, and applications Business Data Web Parts Lists User Profiles Search List Store Search Index Custom Applications Profile Store Features and Applications Business Data Catalog Runtime API Application Definition File Administration API SSP Database Metadata Web Service Proxy Data Source Line-of-Business Application ADO.NET Providers OLEDB ODBC Drivers Web Service SQL 2005 Oracle SQL 2000 Older Databases Figure 12-1 High-level architecture of the Business Data Catalog Although this book is focused on administrator tasks, it is important you understand the administrative tasks in relationship to the other tasks that need to be completed for a successful solution based on the BDC In the SDK, a development life cycle is described that involves four roles: a business analyst, metadata author, administrator, and developer Administrators take over the ADF when a metadata author has finished creating and testing the ADF They will also be involved with the developer if any applications, Web Parts, or formatting of search results are required Therefore, administrators will need a highlevel understanding of at least the metadata and the BDC APIs Metadata Writing the metadata is a key activity Metadata is usually created by a business analyst together with a metadata author, who can be the business analyst, a developer, or database administrator (DBA) Between the two of them, the business analyst and metadata Chapter 12 Administrating Data Connections author have knowledge of the business application or database as well as how the data will be used They not need to be able to code After the metadata is defined, a user with administrator rights then imports the metadata into SharePoint Server 2007 at the SSP level One purpose of the metadata is to describe how the BDC shared service will obtain the data from the business system—that is, it describes the API Another purpose of the metadata is to add meaning to the API and data It describes what can be done with the API and the relationship between the data entities The metadata is described in an XML file, called the application definition file (ADF), and looks similar to that shown in Figure 12-2, which illustrates the main metadata object definitions The administrative Web pages also use some of the same terminology, and therefore, you need to become familiar with them Figure 12-2 A sample application definition file 417 418 Part II Administrating and Configuring Your Implementation Note To get started with the BDC, you can find sample ADFs for mini-scenarios that use the Adventure Works SQL sample database in the Office SharePoint Server 2007 SDK There are also two utilities that will help you create the XML tags for the ADFs, both unsupported First, there is the SQL database metadata generator available with Codeplex, http://www.codeplex.com/Wiki /View.aspx?ProjectName=DBMetadataGenerator, which will produce a simple ADF Second, there is the MOSS BDC MetaData Manager, which can be found at www.mossbdcmetadatamanger.com Although dated, XML files for the pubs SQL sample database, can be found in the “B1TR Definitions” download at: http:// www.gotdotnet.com/codegallery/codegallery.aspx?id=5e078686-a05c-4a44-a13188d75e550be8 This site also has an active discussion forum The ADF contains a hierarchy of XML elements, each containing text or other elements that specify the application settings and structure The ADF must conform to the standards for well-formed XML, so all element names are case sensitive The ADF must also conform to the schema described in bdcmetadata.xsd, which is in the Microsoft Office Servers\12.0\Bin folder Note To configure Microsoft Visual Studio 2005 to use the bdcmetadata.xsd for IntelliSense, place a file named, for example, bdschema.xml in the folder %ProgramFiles%\Microsoft Visual Studio 8\XML\Schemas, with the following lines of code: The metadata hierarchy can be seen by reviewing the XML tags of the ADF, which defines a single LOB system and consists of an XML root node, LobSystem Following is a list of the main met adat a XML t ags: (For a list of all met adat a t ags, refer to h t t p : / / msdn2.microsoft.com/en-us/library/ms544699.aspx.) ■ LOBSystemInstance This object provides authentication and the connection string information ■ Entity This is the key object of the metadata An entity relates to a real-world object, such as an author, a customer, a sales order, or a product An entity belongs to a single LOB system and must have a unique name Entities contain identifiers, methods, filters, and actions Each entity should define two properties: an identifier (which, in database terms, is the primary key) and a default column An identifier is used to uniquely identify a particular instance of an entity In SQL terms, this is the Chapter 12 Administrating Data Connections column designated as the primary key Each entity also consists of a number of child XML element tags Following is a description of the key components of or related to entities: ■ These are operations related to an entity A method is a function that makes calls on the data source to locate an instance or instances of a particular entity If the data source is a database, the method is a stored procedure or a SQL statement; if the data source is a Web service, the method is a Web method The metadata must detail everything that SharePoint Server 2007 needs to know to call that method and, therefore, can be likened to interface descriptions For each method, you should create at least two MethodInstance XML tags A method instance defines the way to call the method plus default values for its parameters Some systems, such as SAP, have methods that can be called in multiple ways, depending on the parameters passed A method instance eliminates the need to duplicate the metadata Using a method instance, you can define a method as a Finder method, which will return one or more instances of an entity, or as a SpecificFinder method, which will return a specific instance of an entity Methods If you want the data source to be indexed by SharePoint Server 2007, there must be a method of type IDEnumerator This method allows the indexer to crawl all instances of the entity that are exposed by the IDEnumerator method If an incremental crawl of the data source is also required, a LastModifiedDate property must be one of the return fields in the SpecificFinder method This abstraction provides the ability to create generic business data Web Parts, business data searches, and user profiles; it also adds business data features such as lists and libraries ■ Filters These limit the number of entities returned from a method ■ Actions These provide a link to the back-end data source and can be used to pro- vide write-back scenarios—for example, sending an e-mail, opening a Microsoft Office InfoPath form that writes back to the LOB application using a writable Web service, or opening a new browser window pointing to the LOB application’s Web site Actions are associated with an entity, and therefore, wherever the entity is displayed the action will be visible ■ These link related entities within an LOB system For example, if there are two entities, named Authors and Books, an association should be created to link authors to the books they have written Associations Business Data Catalog APIs The Business Data Catalog (BDC) provides two sets of APIs Administrators need to have a high-level understanding of when these APIs are used, as that knowledge will help them 419 420 Part II Administrating and Configuring Your Implementation predict network bandwidth usage The built-in features of the BDC use the following two APIs: ■ Administration This API creates, reads, updates, and deletes objects within the metadata All of the SharePoint Server 2007 built-in features use this API For example, the BDC Shared Services administration Web pages use this object model to import the ADF, as does the business data picker in any of the business data Web Parts The BDC caches all the metadata objects, so most of the time a call to the Administration API will result in manipulating metadata objects from the cache instead of making round-trips to the Shared Services database The caching of the metadata provides faster access to metadata If the BDC sees a change to a metadata object, it clears and then loads the cache Note After you change metadata, you must wait up to a minute for changes to propagate to all the servers in the farm The changes take effect immediately on the computer on which you make them ■ Runtime This API abstracts the interface between the application solutions and the data sources Therefore, developers need to understand only one object model to extract data from the business sources The runtime object model calls the administration object model to find the location and format of the data so that it can call the appropriate provider, which in turn gets the business data This process causes network traffic between the Web front ends and the business application server Examples of the built-in features that use this API are business data Web Parts, the Retrieve data link, and the refresh icon in the business data column of a list or library Implementing BDC Security Options This section introduces the security options that are available when you use the BDC—in particular, authentication, authorization, and access control Authentication is the process by which you verify that a user is who he or she claims to be; authorization is the process of finding out whether the user, once authenticated, is permitted to access the data; and access control is how you will manage access to the business data exposed using the BDC To understand the BDC security options, it is important to understand the roles of the application pool and the search content access accounts The following list summarizes key points to keep in mind about the BDC: Chapter 12 Administrating Data Connections ■ When the business data is exposed through the BDC on a Web page, the BDC runs within the Internet Information Services (IIS) worker process (w3wp.exe), and therefore, it’s using the IIS application pool user account ■ When the BDC is used for crawling to index content to which it is connecting, it runs in the filter daemon process (msadmn.exe), and therefore, it’s using the search content source account Unlike the NTFS file system, which consistently uses the same protocol for authentication and authorization, business applications will either use Windows authentication or a proprietary method of authentication and authorization Hence, when the BDC indexes the business application, it cannot acquire security information from the back end Therefore, if a business application is crawled, result sets from a keyword search will not take into account any access control The rest of this section details the BDC security options when data is exposed using the BDC APIs Authentication Methods The two authentication models in BDC are as follows: ■ Trusted Subsystem ■ Impersonation and Delegation The SharePoint Server 2007 Web front-end (WFE) servers control authentication and authorization and retrieve data from the business application servers using a fixed identity SharePoint Server 2007 servers primarily supports the trusted system model for access services and resources In the trusted system model, a system account is used to access services and resources on behalf of all authenticated users so that administrators not have to specify access for each user The fixed identity is the application pool ID or a group ID retrieved from the Single Sign-On (SSO) database In this authentication model, the business application delegates authentication to the WFEs and the application pool ID impersonates the user The application pool ID then connects to the business application servers on the user’s behalf by using Kerberos or SSO, or by passing the user’s name as a parameter Use this model if you want application-level authorization of the business data Security Alert In any system where credentials are sent between servers, an attacker can possibly compromise the security solution Ensure that you secure your infrastructure appropriately—for example, by using Kerberos, Secure Sockets Layer (SSL), or IPSec Table 12-1 summarizes the reasons for choosing one authentication model over another 421 422 Part II Administrating and Configuring Your Implementation Table 12-1 Authentication Models: Trusted Subsystem vs Impersonation and Delegation Trusted subsystem Impersonation and delegation Connection pooling Yes No Reduces licensing costs on the back-end LOB system Yes No Less complex Yes No Provides a single model for authorization Yes No Support scenarios in which there is per-user authorization at the back end No Yes Enable auditing at the back end No Yes There are four authentication modes, which are defined on the LOBSystemInstance XML tag in the ADF: ■ The user’s authentication information is passed through to the back-end server, which makes this the least desirable option from a security and administrator viewpoint ■ RevertToSelf If a user logs on with Windows authentication, the application pool ID is used to impersonate that particular account when using SharePoint Server 2007 RevertToSelf authentication allows SharePoint Server 2007 to revert back to the IIS application pool ID before requesting data from the back-end LOB system This is the default option if no authentication mode is specified ■ If the data source is a database, SharePoint Server 2007 authenticates by using database credentials from the default SSO service The XML tag RdbCredentials can also be used for this authentication mode If the data source is a Web service, non-Windows credentials from the SSO are used for basic or digest authentication, depending on the configuration of the Web service ■ WindowsCredentials SharePoint Server 2007 authenticates by using Microsoft Windows credentials from its default SSO service PassThrough Credentials Table 12-2 shows the relationship between the authentication models and authentication modes Chapter 12 Administrating Data Connections Table 12-2 Relationship Between Authentication Models and Modes Mode Trusted subsystem model PassThrough Impersonation and delegation model X RevertToSelf X Credentials, Windows Credentials (SSO group account) X Credentials, Windows Credentials (SSO user account) X Authorization There are two methods of controlling user access to data managed by the BDC: ■ Back-end authorization, if the business application can perform per-user authorization ■ Middle-tier authorization, which provides central security and auditing abilities using the BDC permission settings and SharePoint list/library security configuration options Central Security and Auditing After the ADF is imported into the BDC, you can manage permissions centrally using the Shared Services Administration Web page to define permissions at the BDC level, application level, or entity level You cannot define permissions at the entity instance level If you add a business data column to a list or library, a copy of the data is placed in that list or library and you exploit the item-level security available in lists and libraries In the ADF, if an entity contains an Audit property set to true, an entry is written to the SSP audit log every time one of the entity’s methods is executed If a business data column is added to a list or library, the default auditing features in SharePoint Server 2007 are available to you Each object in the BDC hierarchy of metadata objects (LobSystem, Entity, Method, MethodInstance, and so on) has an access control list (ACL) that specifies which principals have which rights on the object Out of the 13 metadata objects, only LobSystem, Entity, Method, and MethodInstance have their own individually controllable ACL These objects are referred to as individually securable metadata objects Other metadata objects inherit the ACL from their immediate parent and are referred to as access-controlled metadata objects Table 12-3 shows the rights that can be set by the administrator or someone with the Manage Permissions right 423 424 Part II Administrating and Configuring Your Implementation Table 12-3 BDC Permissions Permission Applies to Description Edit Access-controlled metadata objects Person with this permission can perform the following actions: * Update * Delete * Create child object * Add property * Remove property * Clear property * Add localized display name * Remove localized display name * Clear localized display name Set Permissions Individually securable metadata objects Person with this permission can manage BDC permissions Execute (View) MethodInstance objects Person with this permission can execute the MethodInstance via various run-time API calls, that is, they can view the instances of a entity that are returned from a finder method Selectable in Clients Application and Entity objects Persons with this permission can use the business data picker to configure Web Parts and lists to use the BDC To set permission at the BDC level, follow these steps: On the SharePoint 3.0 Central Administration Web site, in the left navigation pane, click the name of the Shared Services Provider where you want to import the metadata package In the Business Data Catalog section, click Business Data Catalog permissions, and then on the Manage Permissions: Business Data Catalog page, click Add Users/ Groups On the Add Users/Groups page, shown in Figure 12-3, enter the appropriate users or groups and assign the appropriate permissions You can configure rights to managing the BDC that are independent of the rights in the rest of the Shared Services Provider Permissions set at this level can copied to any LOB system and entity imported into the BDC Click OK Chapter 12 Administrating Data Connections Figure 12-3 Add Users/Groups: Business Data Catalog page Note When the SSP is created, the userid of the person who creates the SSP is given Edit, Execute, Selectable In Clients and Set Permission rights Subsequently, if any users are given rights to the SSP Web site, by default they not receive any rights to the BDC Hence, only the SSP creator is able to manipulate the BDC or see data returned from the data sources Therefore, using the procedure above, you should give appropriate BDC permissions to a group of users, who are to administer the BDC, and you should give the Execute (View) right to, for example, the Domain Users or some similar group Ensure that your crawl account also has the Execute (View) right Managing Data Connections The BDC allows you to connect your data sources to all Web applications without writing any code To manage the BDC data connections, you need to perform the following administrator tasks: ■ Deploy the metadata package 425 426 Part II Administrating and Configuring Your Implementation ■ Set access permissions, auditing, and authentication settings (Security was detailed in the previous section.) ■ Configure Single Sign-On if required ■ Deploy custom business data solutions if any have been created To complete the first two administrator tasks, you will use the Shared Services Administration Web page, shown in Figure 12-4, to view, add, modify, and delete application definitions, as well as to configure permissions and edit the profile page template Figure 12-4 Shared Services Administration Web page Note that the administrative interface describes business data sources as applications, although the metadata describes data sources as LOB systems Deploying Metadata Package As already stated, the key to a successful solution based on the BDC is the metadata defined in the ADF, which you upload into a Shared Services database The data then becomes available to all the Web applications To import a metadata package, also known as adding an application definition, follow these steps: On the Office SharePoint Server 2007 Central Administration Web site, in the left navigation pane, click the name of the Shared Services Provider where you want to import the metadata package Chapter 12 Administrating Data Connections In the Business Data Catalog section, click Import application definition to display the Import Application Definition page shown in Figure 12-5 Figure 12-5 Import Application Definition page Either click the Browse button to navigate to the ADF or type the location of the ADF in the text box and then click the Import button The Application Definition importing Web page is displayed The import process parses the file and validates it If errors are found during the import process, the Web page will display additional information Information can be found in the Windows event logs and the Windows SharePoint Services log file located at %ProgramFiles%\Common Files\Microsoft Shared\web server extensions\12 \LOGS, where the relevant messages will be in the Business Data category You might have to pass this information back to the developer of the ADF The SDK contains more information on troubleshooting metadata exceptions and interpreting the log files A successful import will result in an “Application definition was successfully imported” message The import process can identify deficits that the ADF may have, in which case, an “Application definition was successfully imported” message appears, together with any warnings issued, similar to the Web page shown in Figure 12-6 427 428 Part II Administrating and Configuring Your Implementation Figure 12-6 Application definition imported successfully with warnings Click OK to display the View Application: Web page, as shown in Figure 12-7 On this page, you manage permissions, export the application definition, or delete the application ... Management in Microsoft Office SharePoint Server 2007 SharePoint Administrators Administrators are responsible for the installation and configuration of the SharePoint Server 2007 servers that... management features of SharePoint 2007 Chapter 10 Records Management in Microsoft Office SharePoint Server 2007 Introduction to Enterprise Records Management 348 Representative... generate a Microsoft Office Excel–based report of the audit log data Chapter 10 Records Management in Microsoft Office SharePoint Server 2007 Labeling The Enable Labels policy feature enables SharePoint