Assigning Permission to External Content Type in SP2010 BCS RRS feed

  • Question

  • We are connecting to external Oracle DB (with separate Conn String) using SP2010 BCS feature.

    Now, our query is regarding assigning permissions to that ECT object in Central Adminsistration.

    Is is possible to put access restriction such that the App Pool Account (or a service account) is able to create and access a external list using the External Content Type,
    ..  but
    other users are only able to view the items from that external list (i.e. they are not allowed to see and use the ECT to create a External List anywhere else).

    We tried using Impersonation using RunWithElevatedPriveleges (and SPUserToken for App Pool Account) but we get below error when we try to access the list. And we are able to browse the list with App Pool account without issues.
    "Microsoft.SharePoint.SPException: Access denied by Business Data Connectivity. ---> Access Denied for User 'domain\userid', which may be an impersonation by 'domain\userid'."

    Due to organizational restrictions we cannot provide Execute permision on ECT to 'All Authenticated Users'. We also do not want to use AD group and provide permissions to it, as it incurs additional overhead of updating AD Group membership, each time a new user is added to site.

    Please suggest your solution. It would also be fine if we could restrict the visibility of the ECT to a particular site collection.

    Friday, March 22, 2013 10:58 AM


  • Hi,

    In order to set permission for external content type, you can edit the permission in Central Administration or grant the user permission using powershell. Since you can’t grant execute permission for All Authenticated Users, you need to grant each user permission manually. When a new user is added to a site, you need to edit the permission for the content type in Central Administration, or you can run the powershell script:






    #--------------Set Permissions to External Content Type----------------

    $ECT = Get-SPBusinessDataCatalogMetadataObject -BdcObjectType "Entity" -ServiceContext $serviceContextURL -Name $ECTName -Namespace


    if($ECT -ne $null)


         $user = New-SPClaimsPrincipal -Identity $userId -IdentityType WindowsSamAccountName

         Grant-SPBusinessDataCatalogMetadataObject -Identity $ECT -Principal $user -Right $permissions




         write-host -f Yellow $ECTName external content type does not exists


    For more information, please refer to this site:

    Set Permissions to External Content Type using Powershell: http://www.c-sharpcorner.com/uploadfile/anavijai/set-permissions-to-external-content-type-using-powershell/


    EnTan Ming

    Entan Ming
    TechNet Community Support

    Monday, March 25, 2013 7:54 AM