BCS : How to assign permissions on external content types so that it has the same permissions as the List created from it.

  • Question


    Environment :
    SharePoint 2010
    Active directory authentication


    I have been assigned a new role of administering SharePoint and have been juggling with the best way to manage permissions in BCS. Here is an overview.

    I gave certain users Edit \ Execute \ Selectable in clients \ Set permissions on the BCS Metadata catalog. These users created the external system and external content types and created lists from these content types, all nice and good. But the problem I am facing now is that the BCS list is inheriting permissions from the site (which is how I want it), but when these users try to access the BCS list they get the error message "Access denied by BCS". I can fix this issue by assigning Active Directory users\groups Execute \ Selectable in clients permissions on the external content type in BCS, but I don't want to do it because I cannot select the same SharePoint groups that have permission for the BCS list from here; all I can select from here is AD users and groups. In short, what I want to do is assign all those SharePoint groups which have access to the BCS list (which inherits its permissions from the site) access to the external content type, and I want to do this without duplicating the same permissions on the external content type and the list. What would be the best way to do it?

    Sounds complicated, but I guess this will be a frequent configuration.


    Monday, September 13, 2010 8:31 PM

All replies

  • I understand your issue, I believe. The only way I can see you doing that is to edit the resultant XML file and add the security roles directly via the AccessControlList element.

    Fabian G. Williams | Twitter @FabianWilliams

    Saturday, September 18, 2010 1:25 AM
  • My understanding is that you think the permissions on both the External List and the External Content Type are redundant.

    So, you want to omit the permission setting on the External Content Type by, for example, giving all users full permission on the External Content Type.

    However, you should also make sure that users don’t have permission to create a new external list based on the external content type.

    And most important, what about searching external data? According to , SharePoint Enterprise Search in SharePoint Server uses the Business Data Connectivity (BDC) service to crawl and index external data, and offers full-text search on structured and unstructured data. Search also uses the BDC to perform query-time security trimming of external data.



    • Marked as answer by GuYuming Friday, September 24, 2010 9:35 AM
    • Unmarked as answer by GuYuming Wednesday, December 26, 2018 1:19 AM
    Tuesday, September 21, 2010 3:58 AM
  • Guys, thanks for your answers. I've been a little wrapped up, so I could not get back to you.

    My whole point was that the external list was being created out of the external content type and still users who have been assigned permissions (through SP groups) are denied permission because they don't have permissions on the external content type, so why can't I assign permissions to the external content type using SharePoint groups?

    Right now what I am doing is giving all domain users permissions to execute on the external content type but restricting permissions on the external list created out of it. Sounds ugly; I wonder what the best practice says.




    Tuesday, September 21, 2010 6:15 PM
  • SharePoint groups are defined in site collections, while the BCS service application is associated with SharePoint Web Applications. I guess that is the reason why you cannot use SharePoint groups in BCS.

    Thursday, September 23, 2010 2:08 AM
  • Thanks for your answer, GuYuming, but the question for which I am trying to get an answer is what the best practice is for assigning permissions to external content types while an external list is being created out of them.




    Friday, September 24, 2010 3:25 PM
  • Please take a look at this, and pay attention to the Notes and Cautions highlighted.
    Sunday, September 26, 2010 7:07 AM
  • Why do you mark this yourself as an answer? Is that not a bit arrogant/annoying to people who are looking for an answer?
    Tuesday, December 25, 2018 1:18 PM
  • I don't like the idea of marking answers either :(. I think voting helpful is fine.

    If the original poster still wants to use SharePoint groups to assign permissions in BCS, and if the people picker in BCS admin can accept custom claims, a custom claim provider for SharePoint groups will be a choice. I had developed one based on 

    As for the best practice the original poster asked about: usually, users care most about item-level permission for external data:

    And then, the permission on the external list. And usually, end users won't change the BCS model, so it will be OK if they can "Execute". They may also need "Selectable in clients" if end users will create external lists by themselves.

    • Edited by GuYuming Wednesday, December 26, 2018 2:10 AM
    Wednesday, December 26, 2018 2:03 AM
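
A narrower alternative to the "all domain users can execute" workaround described in the thread: grant Execute on the external content type only to the AD groups whose members also have access to the external list, then retire the catch-all grant. This is an added example, not code from any poster; the site URL, namespace, content type name and group names are placeholders to replace with your own.

```powershell
# Added example. Every name below is a placeholder, not a value from the thread.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl   = "http://sharepoint.example"    # placeholder: a site in the web application
$namespace = "ExampleNamespace"             # placeholder: namespace of the external content type
$ectName   = "ExampleEntity"                # placeholder: name of the external content type
$broad     = "EXAMPLE\Domain Users"         # the catch-all grant to retire
$groups    = @("EXAMPLE\ListReaders",       # placeholder AD groups whose members
               "EXAMPLE\ListEditors")       # also have access to the external list

# Look up the external content type (a BDC "Entity") in the metadata catalog.
$ect = Get-SPBusinessDataCatalogMetadataObject -BdcObjectType Entity `
    -ServiceContext $siteUrl -Namespace $namespace -Name $ectName

# Grant Execute to the specific groups first, so list users keep access
# when the broad grant is removed. Add -Right SelectableInClients only for
# groups that must be able to create external lists from this content type.
foreach ($g in $groups) {
    $claim = New-SPClaimsPrincipal -Identity $g -IdentityType WindowsSecurityGroupName
    Grant-SPBusinessDataCatalogMetadataObject -Identity $ect -Principal $claim -Right Execute
}

# Remove the catch-all Execute right.
$everyone = New-SPClaimsPrincipal -Identity $broad -IdentityType WindowsSecurityGroupName
Revoke-SPBusinessDataCatalogMetadataObject -Identity $ect -Principal $everyone -Right Execute

# Push the updated ACL down to the content type's methods.
Copy-SPBusinessDataCatalogAclToChildren -MetadataObject $ect
```

Run it from the SharePoint 2010 Management Shell as an account that holds Set Permissions on the content type, and check that an administrative principal still has Set Permissions before revoking anything.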