Embedding security in a custom BCS / .net class?

I use the BCS custom model to get data from the backend system. Since the backend uses its own user management, I access it through the service account.

All this works well and allows me to retrieve data in SharePoint. However, since it is routed through a service account, anyone can access it, which is bad.

Can someone give me some advice on which method to implement? The backend does not give me NT ACLs, but I wonder if I can somehow "fake" them? (Essentially, “this NT group has read access” is pretty good.)

I know about ISecurityTrimmer2 for search results, but ideally I want to encompass security inside the BCS model so that it applies to external lists as well. I want to avoid using secure storage and mapping each individual user to the backend.

+4
3 answers

Got an answer here. I can set the field in the BCS model as WindowsSecurityDescriptorField, and then I can use the native code in my BCS methods to create ACLs:

```csharp
using System;
using System.Security.AccessControl;
using System.Security.Principal;

// Builds the binary security descriptor that goes into the
// WindowsSecurityDescriptorField: the default "Everyone: full access"
// ACE is removed and only the given user is granted access.
Byte[] GetSecurityDescriptor(string domain, string username)
{
    NTAccount acc = new NTAccount(domain, username);
    var sid = (SecurityIdentifier)acc.Translate(typeof(SecurityIdentifier));

    // Passing a null DACL makes the constructor create a DACL that
    // allows Everyone full access, hence the RemoveAccess call below.
    CommonSecurityDescriptor sd = new CommonSecurityDescriptor(false, false, ControlFlags.None, sid, null, null, null);
    sd.SetDiscretionaryAclProtection(true, false);

    // Deny access to everyone (remove the default Allow ACE for the World SID)
    SecurityIdentifier everyone = new SecurityIdentifier(WellKnownSidType.WorldSid, null);
    sd.DiscretionaryAcl.RemoveAccess(AccessControlType.Allow, everyone, unchecked((int)0xffffffffL), InheritanceFlags.None, PropagationFlags.None);

    // Grant full access to the specified user
    sd.DiscretionaryAcl.AddAccess(AccessControlType.Allow, sid, unchecked((int)0xffffffffL), InheritanceFlags.None, PropagationFlags.None);

    byte[] secDes = new Byte[sd.BinaryLength];
    sd.GetBinaryForm(secDes, 0);
    return secDes;
}
```

This works well and allows me to create custom ACLs after I have transferred users between the backend system and Active Directory.

I'm still curious whether anyone has any other way of including security as part of the BCS model.

+2
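As an added example (not code from the answer above or from the BCS Meta Man project), the same technique generalized to what the question asks for: granting an access mask to several NT accounts or groups, plus a routine that parses the stored descriptor back so the resulting Allow ACEs can be audited. The DOMAIN\name strings, the use of GENERIC_READ as the "read" mask and the BackendReaders group are assumptions; SID translation needs a domain-joined machine.

```csharp
using System;
using System.Collections.Generic;
using System.Security.AccessControl;
using System.Security.Principal;

static class BcsDescriptorExample
{
    // Assumed: GENERIC_READ as the read right. Which bits BCS actually tests
    // is not stated on the page, so confirm against your farm before relying on it.
    const int GenericRead = unchecked((int)0x80000000);
    const int FullAccess = unchecked((int)0xffffffffL);

    // grants: "DOMAIN\name" (user or group) -> access mask to allow
    public static byte[] Build(SecurityIdentifier owner, IDictionary<string, int> grants)
    {
        // A null DACL argument makes the constructor add an "Everyone: full access"
        // ACE, so that ACE is removed before any explicit grants are added.
        var sd = new CommonSecurityDescriptor(false, false, ControlFlags.None, owner, null, null, null);
        sd.SetDiscretionaryAclProtection(true, false);
        var everyone = new SecurityIdentifier(WellKnownSidType.WorldSid, null);
        sd.DiscretionaryAcl.RemoveAccess(AccessControlType.Allow, everyone, FullAccess, InheritanceFlags.None, PropagationFlags.None);

        foreach (var grant in grants)
        {
            var sid = (SecurityIdentifier)new NTAccount(grant.Key).Translate(typeof(SecurityIdentifier));
            sd.DiscretionaryAcl.AddAccess(AccessControlType.Allow, sid, grant.Value, InheritanceFlags.None, PropagationFlags.None);
        }

        var bytes = new byte[sd.BinaryLength];
        sd.GetBinaryForm(bytes, 0);
        return bytes;
    }

    // Parses the binary form back and lists every Allow ACE ("SID:mask"),
    // so a descriptor can be checked for stray Everyone grants before it is stored.
    public static List<string> AllowedEntries(byte[] descriptor)
    {
        var sd = new CommonSecurityDescriptor(false, false, descriptor, 0);
        var result = new List<string>();
        foreach (GenericAce generic in sd.DiscretionaryAcl)
        {
            var ace = generic as CommonAce;
            if (ace != null && ace.AceType == AceType.AccessAllowed)
                result.Add(ace.SecurityIdentifier.Value + ":0x" + ace.AccessMask.ToString("X8"));
        }
        return result;
    }

    static void Main()
    {
        // Constructed placeholder principals; replace with your own domain and group.
        var owner = (SecurityIdentifier)new NTAccount(@"CORP\svc-bcs").Translate(typeof(SecurityIdentifier));
        var grants = new Dictionary<string, int> { { @"CORP\BackendReaders", GenericRead } };
        foreach (var entry in AllowedEntries(Build(owner, grants)))
            Console.WriteLine(entry); // expect only the group SID with mask 0x80000000
    }
}
```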

If you want to avoid secure storage, it sounds like your only choice is PassThrough. The trick is that you cannot use NTLM. You must use Kerberos, because NTLM does not allow delegated authentication, and you are transferring credentials from the user to the SharePoint server to the external system. When using Kerberos to delegate authority, you need to create an SPN (service principal name) for your service so that AD knows that it is allowed to delegate identities.

Authentication of your external system

See "Create service principal names for web applications using Kerberos authentication" in this article to create an SPN.

0

I use a slightly different approach. If you code .NET objects to retrieve data from your external system, you can access the SPContext object to check which site you are on, or which user is requesting data. In the code, you can use this information to filter the data by whatever you like.

Thus, the same instance of the external list on your SharePoint site can return 5 results for user A, but 10 results for user B, based on the username or possibly group membership. Not so difficult to implement, and it actually works very well.

Check out http://jsiegmund.wordpress.com/2010/05/19/creating-secured-bcs-objects-with-bcs-meta-man/.

0

Source: https://habr.com/ru/post/1306311/
