There are several good posts out there providing examples and step by step instructions on how to create external content types with SharePoint 2010 BCS. Unfortunately most fail to provide any warnings or guidance around Authentication; which should be, without a doubt, one of the most important things to consider. Most of these examples work flawlessly… until you try to view your external content type with another user account lacking some sort of access to the external system; and you encounter an error that resembles the following: Cannot connect to the LobSystem (External System)
Fortunately, the solution is likely simple… But you’ll have many things to consider: what kind of access you need to grant to which accounts, whether those accounts need to be mapped back to equivalent accounts in the external system, whether to map AD groups rather than individual accounts to accounts in the external system, and many more that will become apparent fairly quickly.
Of course, if you are reading this post, you’ve likely run into the error and are looking for a solution. Unfortunately there isn’t a one-size-fits-all answer, and I wouldn’t necessarily consider it an error; it’s more of a warning, a heads-up that you may not have thought the whole thing through. This will definitely be a subject upon which many best practices will come to the surface. But, while I can’t give you the right solution for your particular scenario (there are many ways to skin this cat), I should be able to point you in the right direction.
Chances are that if you followed one of the many posts which describe how to do this, you chose “Connect with User’s Identity” when creating your connection.
You’ll quickly come to realize that in most scenarios not all users have direct read or write access to external systems; oftentimes they don’t even use a Windows identity. Fortunately, our solution (or at least part of it) is right under our noses:
If you are wondering what the Secure Store Application ID is, it refers to the Secure Store Service, which you’ll want to do some reading on. I recommend you start here (http://msdn.microsoft.com/en-us/library/ee557754(office.14).aspx) for a short but good description, and follow up here (http://technet.microsoft.com/en-us/library/ee806866(office.14).aspx) for detailed steps on how to set it up.
Essentially, you’ll need to create a Secure Store target application of type “Individual” or “Group”, each with several options. An application of type “Individual” will require you to map each user to a unique set of credentials (there is an option to create a page where users can specify their own credentials). An application of type “Group” will allow you to map a unique set of credentials to a specific AD group; I suspect this will be the most common scenario.
You’ll then be prompted to configure the various fields which may be required to provide credentials to the external data source. If the external system uses Windows Authentication, the default ones should work just fine.
Next, you’ll need to specify the administrators and members of the target application (read the description of each carefully).
Finally, select your application and specify the credentials that will be used to connect. The Secure Store Service will use these credentials whenever anybody from the specified group tries to connect to the external system.
Now, reconfigure your connection to use the ID of the Secure Store target application (in my case “My Secure Store Application”), perform an IIS reset, and you are likely done.
If by any chance you are not, and instead you receive “Access denied by Business Data Connectivity”, you’ll need to go to Central Admin > Application Management > Manage Service Applications > Business Data Connectivity and grant your users access to your External Content Type.
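The same procedure can be scripted from the SharePoint 2010 Management Shell, which is handy when you need to repeat it across environments and want the group-to-credential mapping to be reviewable rather than clicked through. The script below is an added example, not code from the original post: it creates a Group-type target application with the default Windows user name and password fields, sets the administrator and the AD group whose members will use the stored credentials, stores the service account credentials, and then grants that same group Execute rights on the external content type so the “Access denied by Business Data Connectivity” error does not follow. The site URL, account names, and external content type name and namespace are placeholders you must replace; the target application ID is the one used in the post.

```powershell
# Added example: scripted equivalent of the Central Admin steps in this post.
# Run from the SharePoint 2010 Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# --- Placeholders (assumptions, replace for your farm) ---
$siteUrl      = "http://intranet.example.local"    # any site in the service context
$targetAppId  = "My Secure Store Application"       # ID used in the post
$adminAccount = "EXAMPLE\spadmin"                   # target application administrator
$memberGroup  = "EXAMPLE\BcsReaders"                # AD group whose members use the mapping
$ectName      = "Customer"                          # external content type name (placeholder)
$ectNamespace = "http://intranet.example.local/"    # external content type namespace (placeholder)

# 1. Fields: the defaults for a Windows-authenticated external system.
#    Keep the password masked so it is never shown back to administrators.
$fields = @(
    (New-SPSecureStoreApplicationField -Name "Windows User Name" -Type WindowsUserName -Masked:$false),
    (New-SPSecureStoreApplicationField -Name "Windows Password"  -Type WindowsPassword -Masked:$true)
)

# 2. Administrators and members, expressed as claims principals.
$admin   = New-SPClaimsPrincipal -Identity $adminAccount -IdentityType WindowsSamAccountName
$members = New-SPClaimsPrincipal -Identity $memberGroup  -IdentityType WindowsSecurityGroupName

# 3. Create the Group-type target application. Everyone in $memberGroup
#    shares one set of stored credentials; nobody else can redeem them.
$targetApp = New-SPSecureStoreTargetApplication -Name $targetAppId `
    -FriendlyName $targetAppId -ContactEmail "spadmin@example.local" -ApplicationType Group

$ssApp = New-SPSecureStoreApplication -ServiceContext $siteUrl -TargetApplication $targetApp `
    -Fields $fields -Administrator $admin -CredentialsOwnerGroup $members

# 4. Store the service account credentials used against the external system.
#    Prompting keeps the password out of the script and out of shell history.
$svcCred = Get-Credential -Message "Service account the external system will see"
$values  = @(
    (ConvertTo-SecureString $svcCred.UserName -AsPlainText -Force),
    $svcCred.Password
)
Update-SPSecureStoreGroupCredentialMapping -Identity $ssApp -Values $values

# 5. Grant the same AD group Execute on the external content type so BDC
#    lets its members call the methods; Secure Store alone is not enough.
$ect = Get-SPBusinessDataCatalogMetadataObject -BdcObjectType Entity `
    -ServiceContext $siteUrl -Name $ectName -Namespace $ectNamespace
Grant-SPBusinessDataCatalogMetadataObject -Identity $ect -Principal $members -Right Execute

# 6. Quick check: the mapping exists and the group now appears in the ECT ACL.
Get-SPSecureStoreApplication -ServiceContext $siteUrl -Name $targetAppId |
    Select-Object -ExpandProperty TargetApplication | Format-List Name, ApplicationType
```

After running this, point the external content type’s connection at the target application ID (“My Secure Store Application”) as described above and perform the IIS reset. Granting Execute to the group rather than to individual users keeps the Secure Store membership and the BDC permission in step: removing someone from the AD group revokes both the stored credentials and the right to invoke the external content type.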