2. Creating a Secure Store Service Application for Impersonating
For the Secure Store Service to apply stored credentials, an application that uses those credentials must be created. In SharePoint this is called a Secure Store Target Application; the impersonation with the securely stored credentials is done through it.
Go to the Secure Store Service application.
Click New on the ribbon, as shown in Figure 5. This opens the Create New Secure Store Target Application page.
On the Create New Secure Store Target Application page, the target application settings are specified. In the example in Figure 6, Group is chosen as the Target Application Type: all members of the target application share one stored credential set, so every member is mapped to the same back-end account. This is the most commonly used scenario. Individual maps each member to his or her own credential set, and the Ticket variants issue a ticket with a limited lifetime that can be redeemed for the credentials later. On the target application page, do the following:
Enter a unique name for the application (the Target Application ID). This cannot be changed after the application is created.
Enter a display name and the e-mail address of the administrator contact, which is typically the creator.
Choose the Target Application Type, as described before.
Select a Target Application Page URL. A custom URL can be specified to map this application to a custom page on which users assign their accounts, if there is an organizational need for doing so.
The credential fields determine what information this application stores and what a user has to fill in when setting credentials. The defaults are Windows User Name and Windows Password, as shown in Figure 7. Add or change fields as required; other field types include a generic user name and password, PIN, key and certificate fields for back ends that do not use Windows accounts. Mark secret fields as masked so that they are not echoed when entered.
Click Next to go to the credentials mapping page.
On the user mappings page, the administrators and members of the target application are configured. Members are the accounts that are allowed to use the stored credentials. In Figure 8, one administrator and two users are added: SP_TestUser1 and SP_TestUser2. How to grant these users individual permissions on the external content type is explained in the "Setting Permissions" section.
Finally, click OK and the target application is created. SharePoint then navigates back to the Secure Store Service Application page, which lists the target applications by ID, type and display name, as in Figure 9.
3. Setting the Application Impersonation Credentials
The Secure Store Target Application is now configured, with its administrators, members and credential fields defined. At this point the impersonation credentials for the members of the target application are set, as shown in Figure 10. Select the target application and choose Set Credentials.
The credential owners are shown first. For a Group application the owner is the member group as a whole and one credential set is stored for it; for an Individual application a credential set is stored per user.
Enter the Windows user name and password of the account to be used when impersonating through the Secure Store Target Application. This account should have no more rights on the back end than the external content type operations need, because every member will reach the back end as this account.
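The two preceding sections, creating the Group target application and then storing its credentials, can also be scripted. The following is an added example written for this page, not code from the original chapter; it uses the SharePoint 2010 Secure Store cmdlets in the SharePoint Management Shell. The site URL, target application ID, administrator and back-end account names are assumptions; the two member accounts are the ones named in the text.

```powershell
# Added example (not from the original chapter): creates the Group-type target
# application described above and stores its credentials with the SharePoint 2010
# Secure Store cmdlets. Run in the SharePoint 2010 Management Shell as a farm
# administrator who is also a Secure Store Service administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl        = "http://sharepoint.contoso.local"   # assumed site used for the service context
$targetAppId    = "SqlCustomersImpersonation"          # assumed Target Application ID (immutable once created)
$adminAccount   = "CONTOSO\sp_admin"                   # assumed target application administrator
$memberAccounts = @("CONTOSO\SP_TestUser1", "CONTOSO\SP_TestUser2")  # members from the chapter
$backendAccount = "CONTOSO\svc_sql_reader"             # assumed least-privilege SQL account that is impersonated

$ctx = Get-SPServiceContext -Site $siteUrl

# Step 1: define the target application (Group type: all members share one credential set)
$targetApp = New-SPSecureStoreTargetApplication -Name $targetAppId `
    -FriendlyName "SQL Customers (impersonated)" `
    -ContactEmail "sp_admin@contoso.local" `
    -ApplicationType Group

# Step 2: credential fields. Windows User Name / Windows Password are the UI defaults;
# the password field is masked so it is never echoed when typed in.
$fields = @(
    (New-SPSecureStoreApplicationField -Name "Windows User Name" -Type WindowsUserName -Masked:$false),
    (New-SPSecureStoreApplicationField -Name "Windows Password"  -Type WindowsPassword -Masked:$true)
)

# Step 3: administrator and members (the credential owners) as claims principals
$admin   = New-SPClaimsPrincipal -Identity $adminAccount -IdentityType WindowsSamAccountName
$members = $memberAccounts | ForEach-Object {
    New-SPClaimsPrincipal -Identity $_ -IdentityType WindowsSamAccountName
}

# Step 4: create the application in the Secure Store
$app = New-SPSecureStoreApplication -ServiceContext $ctx `
    -TargetApplication $targetApp `
    -Administrator $admin `
    -CredentialsOwnerGroup $members `
    -Fields $fields

# Step 5 (section 3 above): store the impersonation credentials for the group.
# The password is read interactively so it never lands in the script or shell history.
$backendPassword = Read-Host -Prompt "Password for $backendAccount" -AsSecureString
$values = @(
    (ConvertTo-SecureString $backendAccount -AsPlainText -Force),
    $backendPassword
)
Update-SPSecureStoreGroupCredentialMapping -Identity $app -Values $values

# Check: show the target application as the management page does (ID, type, display name)
Get-SPSecureStoreApplication -ServiceContext $ctx -Name $targetAppId |
    Select-Object @{n = "ID";          e = { $_.TargetApplication.Name }},
                  @{n = "Type";        e = { $_.TargetApplication.ApplicationType }},
                  @{n = "DisplayName"; e = { $_.TargetApplication.FriendlyName }}
```

The value array passed to Update-SPSecureStoreGroupCredentialMapping must be in the same order as the fields were defined, so the user name goes first and the password second. For an Individual application, Update-SPSecureStoreCredentialMapping with a -Principal parameter is used instead, once per member.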
With the credentials configured, the Secure Store Target Application can be used by BCS when creating connections to its data sources, as shown in Figure 9-49.
Select a connection type.
Enter the connection details (here a SQL Server connection, as shown in Figure 11).
Enter the target application name when creating the connection to the back end. Given the example data used in the section "Creating an External Content Type," select the impersonation option that matches the stored credentials (for the Windows credentials stored above, Connect with Impersonated Windows Identity) and enter the target application ID in the Secure Store Application ID field.
As mentioned earlier in this example, two users were added as members. These users can be granted individual rights. When they open an external list based on this external content type, they should see the data pulled through the BDC using the impersonated credentials. For this to work, the users must also have permissions in the BCS service application: BCS checks the permissions of the incoming user on the external content type before it impersonates and fetches data from the back end. The impersonation therefore does not authenticate the user to the BCS application itself; it only lets BCS reach its data source, and users still need permissions on the external content type objects. Because every member reaches the back end as the same stored account, the BDC permission check is the only per-user authorization left, so grant Execute only to users who need the data and keep the stored account's rights in the back end to the minimum the external content type operations require.
4. Setting Permissions
Based on the data source created in the previous section, permissions on external content type objects are set as follows:
Go to the Central Administration site => Manage service applications.
Select the BCS service application created earlier.
Set permissions on the external content type, as shown in Figure 12.
In this case, the users are granted Edit and Execute permissions on the Customers external content type object, as shown in Figure 13. Execute is what lets a user run the object's operations (and so read an external list); Edit additionally allows changing the external content type definition, so for users who only consume the data, Execute alone is the least-privilege choice.
At this point the external content type permissions are fully configured, and the external content type can be used in BCS Web Parts, external lists, and so on by users with the appropriate permissions.
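The permission check described in the previous two sections (BCS authorizes the incoming user on the external content type before impersonating) can be configured and verified from the SharePoint Management Shell. The following is an added example for this page, not code from the original chapter; it grants the two member accounts Execute on the Customers external content type and then lists the resulting access control entries. The site URL and the BDC model namespace of the external content type are assumptions, and the ECT name Customers is taken from the text.

```powershell
# Added example (not from the original chapter): grants the two members the right to
# execute the Customers external content type and then shows who holds which rights.
# Run in the SharePoint 2010 Management Shell as a BCS service application administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = "http://sharepoint.contoso.local"                 # assumed site used for the service context
$ectName = "Customers"                                       # ECT from "Creating an External Content Type"
$ectNs   = "http://sharepoint.contoso.local/customers"       # assumed BDC model namespace of that ECT
$users   = @("CONTOSO\SP_TestUser1", "CONTOSO\SP_TestUser2") # members of the target application

$ctx = Get-SPServiceContext -Site $siteUrl

# Locate the external content type (an Entity in the BDC metadata store)
$ect = Get-SPBusinessDataCatalogMetadataObject -BdcObjectType Entity `
    -Name $ectName -Namespace $ectNs -ServiceContext $ctx

foreach ($u in $users) {
    $principal = New-SPClaimsPrincipal -Identity $u -IdentityType WindowsSamAccountName
    # Execute is all an external-list reader needs. Edit (changing the ECT definition)
    # and SetPermissions are deliberately withheld from ordinary consumers.
    Grant-SPBusinessDataCatalogMetadataObject -Identity $ect -Principal $principal -Right Execute
}

# Check: enumerate the ECT's access control list via the BDC administration object model
# (GetAccessControlList on the metadata object; each entry carries Principal and Rights)
$ect.GetAccessControlList() | ForEach-Object {
    "{0}: {1}" -f $_.Principal, $_.Rights
}
```

If a user who can open the external list still sees an access-denied error, this listing is the first thing to check: the Secure Store mapping only determines which back-end account is used, while this ACL determines whether BCS will run the operation for the caller at all.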