.net sharepoint-2010 bcs

Implementing Security on custom BCS/.net class?


I'm implementing a custom BCS Model to get data from a backend system. As the backend uses its own user management, I'm accessing it through a service account.

All of this works well and allows me to pull data into SharePoint. However, because it's channeled through the service account, everyone can access it, which is bad.

Can anyone give me some tips on which method to implement? The backend does not give me NT ACLs, but I wonder if I could just "fake" them somehow? (Essentially saying "This NT Group has Read Access" is good enough).

I am aware of ISecurityTrimmer2 for Search Results, but ideally I want to cover security inside the BCS Model so that it applies to external lists as well. I want to avoid using Secure storage and mapping each individual user to the backend.


Solution

  • Got an answer here. I can set a field in the BCS Model to be the WindowsSecurityDescriptorField and then I can use custom code in my BCS methods to create ACLs:

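    using System.Security.AccessControl;
    using System.Security.Principal;

    // Builds a binary security descriptor whose DACL grants access only to domain\username.
    Byte[] GetSecurityDescriptor(string domain, string username)
    {
        // Resolve the Windows account to its SID
        NTAccount acc = new NTAccount(domain, username);
        var sid = (SecurityIdentifier)acc.Translate(typeof(SecurityIdentifier));

        // Not a container, not a directory object; the user is the owner
        CommonSecurityDescriptor sd = new CommonSecurityDescriptor(false, false,
            ControlFlags.None, sid, null, null, null);
        // Protect the DACL from inheritance and drop any inherited entries
        sd.SetDiscretionaryAclProtection(true, false);

        // Remove any Allow entry for Everyone, so only the entry added below grants access
        SecurityIdentifier everyone = new SecurityIdentifier(
            WellKnownSidType.WorldSid, null);
        sd.DiscretionaryAcl.RemoveAccess(AccessControlType.Allow, everyone,
            unchecked((int)0xffffffffL), InheritanceFlags.None, PropagationFlags.None);

        // Grant full access to specified user
        sd.DiscretionaryAcl.AddAccess(AccessControlType.Allow, sid,
            unchecked((int)0xffffffffL), InheritanceFlags.None, PropagationFlags.None);

        // Serialize the descriptor to the byte array returned to the caller
        byte[] secDes = new Byte[sd.BinaryLength];
        sd.GetBinaryForm(secDes, 0);

        return secDes;
    }
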

    This works well and allows me to create custom ACLs once I translated users between the backend system and Active Directory.

    I'm still interested to hear if someone has another way of having security as part of the BCS Model.
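
The question's "this NT group has access" case, as an added example that is not part of the original answer: it builds the descriptor for a group SID with an explicit DACL, then parses the bytes back to confirm that no ACE grants access to anyone other than the expected SIDs. The names `BcsAclCheck`, `BuildGroupDescriptor` and `GrantsOnly` are hypothetical, and the access mask is left to the caller because the page does not say which bits BCS evaluates.

```csharp
using System;
using System.Security.AccessControl;
using System.Security.Principal;

static class BcsAclCheck // hypothetical name, not from the page
{
    // Descriptor whose DACL holds exactly one Allow ACE, for an NT group.
    public static byte[] BuildGroupDescriptor(SecurityIdentifier group, int accessMask)
    {
        // An explicit DACL is passed in, so nothing has to be removed afterwards.
        var dacl = new DiscretionaryAcl(false, false, 1);
        dacl.AddAccess(AccessControlType.Allow, group, accessMask,
            InheritanceFlags.None, PropagationFlags.None);
        var sd = new CommonSecurityDescriptor(false, false,
            ControlFlags.DiscretionaryAclPresent, group, null, null, dacl);
        sd.SetDiscretionaryAclProtection(true, false);
        var bytes = new byte[sd.BinaryLength];
        sd.GetBinaryForm(bytes, 0);
        return bytes;
    }

    // Parses the bytes back; true only if every ACE is an Allow for an expected SID.
    public static bool GrantsOnly(byte[] descriptor, params SecurityIdentifier[] expected)
    {
        var sd = new CommonSecurityDescriptor(false, false, descriptor, 0);
        if (sd.DiscretionaryAcl == null || sd.DiscretionaryAcl.Count == 0) return false;
        foreach (GenericAce ace in sd.DiscretionaryAcl)
        {
            var allow = ace as CommonAce;
            if (allow == null || allow.AceQualifier != AceQualifier.AccessAllowed) return false;
            if (Array.IndexOf(expected, allow.SecurityIdentifier) < 0) return false;
        }
        return true;
    }

    static void Main()
    {
        // Constructed sample SIDs: well-known groups, so no domain lookup is needed.
        var users = new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null);
        var everyone = new SecurityIdentifier(WellKnownSidType.WorldSid, null);
        int mask = unchecked((int)0xffffffffL); // same mask as the answer's code
        Console.WriteLine(GrantsOnly(BuildGroupDescriptor(users, mask), users));
        Console.WriteLine(GrantsOnly(BuildGroupDescriptor(everyone, mask), users));
    }
}
```

Running `GrantsOnly` over the bytes a BCS method is about to return catches a descriptor that still carries an Everyone entry before it reaches an external list.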