IN THIS CHAPTER
• Adding a New Trusted Data Provider
• Publishing an ODC file to SharePoint 2010 with Secure Store Service Security Model
Accessing data from any data source requires that the user first be authenticated by that data source. In the case of data-driven Visio web drawings, Visio Graphics Service authenticates to the data source on behalf of the web drawing viewer. It uses either the viewer’s SharePoint server credentials or a Secure Store Service account to set up a connection to the data source. Visio web drawings can be connected to both internal and external data sources as long as you are using a trusted data provider. If the provider is not registered with SharePoint 2010, the drawing will not attempt to set up a connection with the data source. This chapter discusses the different aspects of data-level security when dealing with Visio Graphics Service on SharePoint 2010. Visio web drawings (.VDW files) must be published to a SharePoint document library to be opened in a browser. By setting the document library permissions correctly, you can limit which viewers can open a particular drawing. This secures your content at the user interface/SharePoint level. In this chapter we will not focus on content-level security but on data-level security. To learn more about content or site-level security, review the article at http://technet.microsoft.com/en-us/library/cc288189.aspx.
If a Visio web drawing accesses data from an internal data source such as a SharePoint list or an Excel workbook, Visio Graphics Service connects to it using the viewer’s SharePoint server credentials. To use an Excel workbook as a data source, Excel Services must be started, and the workbook or list must be hosted on the same SharePoint farm as the web drawing. You can verify whether Excel Services is running from the Central Administration home page: click the Manage Service Applications link, which takes you to the Manage Service Applications page shown in Figure 13.1, and confirm that the Excel Services Application service has been started.
Figure 13.1. Manage service applications.
Visio Graphics Service can connect to external data sources such as SQL Server, IBM DB2, Oracle, other OLEDB/ODBC providers, and custom data sources. When Visio Graphics Service loads data into a web drawing, the service checks the connection information stored in the web drawing to determine whether the specified data provider is on the trusted data provider list. If the provider is on the trusted list, a connection is attempted; otherwise, the connection request is ignored. By default, the data providers listed in Table 11.1 in Chapter 11 are already included on the list.
If you are trying to use a data provider that is not registered in the trusted data provider list, you can add a new trusted data provider from the SharePoint Central Administration home page using the following steps:
To edit or remove an existing data provider, select the data provider you want to edit or remove and choose the required action from its drop-down menu.
When adding a new data provider, you are asked for the following parameter values, as shown in Figure 13.2:
• Trusted Data Provider ID: The data provider ID must be the same ID used to reference the data provider in the connection string.
• Trusted Data Provider Type: The data provider type must be one of the following values:
• Trusted Data Provider Description: The data provider description is a friendly name that appears on the Trusted Data Providers page.
Figure 13.2. Adding new trusted data provider.
You can also add, edit, or delete trusted data providers from the Windows PowerShell command prompt. Detailed steps are available at http://technet.microsoft.com/en-us/library/ee524056.aspx.
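As an added example that is not part of the book, the following PowerShell script applies the chapter’s two list-hygiene practices from the command prompt: it reviews the current Trusted Data Providers list of a Visio Graphics Service application before adding anything, adds a provider only if it is not already present, and removes entries you have decided not to use. It assumes the SharePoint 2010 Management Shell cmdlets (Get-SPVisioServiceApplication, Get-/New-/Remove-SPVisioSafeDataProvider), a service application named "Visio Graphics Service", that the objects returned by Get-SPVisioSafeDataProvider expose DataProviderId, DataProviderType and Description properties matching the cmdlet parameter names, and that numeric type code 2 means OLEDB; the provider ID SQLNCLI10 is only a sample value.

```powershell
# Added example (not from the book): review the Trusted Data Providers list of
# a Visio Graphics Service application, add a provider only if it is missing,
# then optionally prune entries you will not use.
# Assumptions: SharePoint 2010 Management Shell cmdlets are available, you are
# a farm administrator, and the service application is named as below.

if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Name of the Visio Graphics Service application in this farm (assumption).
$vgs = Get-SPVisioServiceApplication -Identity "Visio Graphics Service"

# Chapter best practice: review what is already trusted before adding anything.
# Property names on the returned objects are assumed to match the cmdlet parameters.
$trusted = Get-SPVisioSafeDataProvider -VisioServiceApplication $vgs
$trusted | Sort-Object DataProviderType, DataProviderId |
    Format-Table DataProviderId, DataProviderType, Description -AutoSize

# The ID must match the Provider= token of the connection string exactly. The
# type is the cmdlet's numeric code; 2 is assumed here to mean OLEDB (confirm
# with Get-Help New-SPVisioSafeDataProvider -Full).
$providerId   = "SQLNCLI10"
$providerType = 2
$description  = "SQL Server Native Client 10.0 (OLE DB)"

$already = $trusted | Where-Object {
    $_.DataProviderId -eq $providerId -and $_.DataProviderType -eq $providerType
}

if ($already) {
    Write-Host "'$providerId' (type $providerType) is already trusted; nothing added."
} else {
    New-SPVisioSafeDataProvider -VisioServiceApplication $vgs `
        -DataProviderId $providerId -DataProviderType $providerType `
        -Description $description
    Write-Host "Added trusted data provider '$providerId' (type $providerType)."
}

# Chapter best practice: keep only providers you will actually use with web
# drawings. Put the IDs to drop in $unused; -Confirm prompts before each removal.
$unused = @()   # e.g. @("DSN=OldReportingDsn")
foreach ($entry in ($trusted | Where-Object { $unused -contains $_.DataProviderId })) {
    Remove-SPVisioSafeDataProvider -VisioServiceApplication $vgs `
        -DataProviderId $entry.DataProviderId -DataProviderType $entry.DataProviderType -Confirm
}
```

Run it from the SharePoint 2010 Management Shell as a farm administrator; because the drawing silently ignores connections whose provider is not on the list, a mismatch between the ID you register and the Provider= token in the connection string shows up as an empty drawing rather than an error, which is why the script prints the list first.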
Visio Graphics Service supports two types of data connection for a web drawing: an embedded connection, and an external connection using an Office Data Connectivity (ODC) file. When creating a data connection in Microsoft Visio 2010, choose the Previously Created Connection option in the Data Selector window to provide the location of an ODC file.
When using the Integrated Windows authentication model with either an embedded or an external connection, Visio Graphics Service uses the viewer’s Windows credentials to authenticate with the database. Integrated Windows authentication with constrained Kerberos delegation provides the stronger security setup: delegation is what allows the viewer’s identity to be passed from the SharePoint front-end server on to the database server, so that the database sees and authorizes each viewer individually.
When you are using the Secure Store Service model, Visio Graphics Service uses the Secure Store Service to map the viewer’s credential to a credential that has access to the database. The Secure Store Service supports mappings for both Integrated Windows authentication and other forms of authentication, such as SQL Server authentication. The Secure Store Service model is supported only when the drawing uses an ODC file to connect to the data source; the ODC file specifies the Secure Store Service target application that will be used for credential mapping.
For ease of configuration, a farm administrator can also map all users to a single unattended service account with database access. This unattended service account must be a low-privilege Windows domain account that has been granted access to the databases. Visio Graphics Service impersonates this account if no other authentication method is specified.
Because both the Secure Store Service model and the unattended service account connect to the database with a shared identity rather than the viewer’s own, neither approach lets you audit database calls by individual user.
Creating the Secure Store Service Target Application
In this section we will create the Secure Store Service target application for Visio Graphics Service, and later use the same application ID to connect to an external data source through an ODC file:
• Target Application ID: The Secure Store target application ID is a unique identifier. You cannot change this property after you create the target application. Enter Visio Graphics Service SSSID in the Target Application ID text box.
• Display Name: The display name is used for display purposes only. Enter Visio Graphics Service SSSID in the Display Name text box.
• Contact Email: The contact email should be a valid email address of the primary contact for this target application. Enter your email address for now.
• Target Application Type: The target application type determines whether this application uses a group mapping or individual mapping. Ticketing indicates whether tickets are used for this target application. You cannot change this property after you create the target application. For now, select Individual from the drop-down menu.
• Target Application Page URL: The target application page URL can be used to set the values for the credential fields for the target application by individual users. You can leave it to use the default page for now.
Figure 13.5. Target application administrator settings.
Now that you have configured the Secure Store Service target application for Visio Graphics Service, the next step is to set the credentials for it:
Figure 13.6. Set up Windows credentials for Visio Graphics Service SSSID.
We are now ready to create an ODC file that uses the Secure Store Service application ID we just created to connect to the ContosoRetailsDW SQL database. Refer to the next section to accomplish this task.
As mentioned earlier, Visio web drawings can connect to an external data source using Office Data Connectivity (ODC) files. You create one ODC file for your external data source and publish it to a SharePoint data connection library. All Excel- and Visio-based reports and drawing files in the document library can then use the same ODC file. This is very helpful when you have to change your data connection string later: if, for example, your server location changes, you simply update the ODC file with the new location, and all reports are directed to the new location without any change to the report or drawing files themselves.
In this section we will create and publish an ODC file using Microsoft Excel 2010. Use the following steps to accomplish this task:
You have now successfully configured and published the ODC file to SharePoint 2010 in the Data Connections library of your choice. This ODC file connects to the SQL Server database using the Secure Store Service application you created earlier for Visio Graphics Service. You can now use this ODC file to develop data-driven Visio web drawings. Review Chapter 12, “Visio Graphics Service Development,” to learn more about developing Visio web drawings using ODC files.
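Because the ODC file is what selects the delegation model (Integrated Windows, Secure Store Service, or unattended account) and names the provider that is checked against the trusted list, it is worth being able to inspect a published ODC file without opening Excel. The PowerShell function below is an added example, not part of the book or of any Microsoft tool: it extracts the connection island from an ODC file, reports which model the file selects, which Provider= token Visio Graphics Service will match against the Trusted Data Providers list, and whether the connection string carries an embedded password. The sample ODC text is constructed for this example; the element names odc:ConnectionString, odc:CredentialsMethod and odc:SSOApplicationID are the ones I expect Excel 2010 to write into the msodc island for the authentication settings described above, so verify them against a file Excel actually saved.

```powershell
# Added example (not from the book): report the security model an ODC file
# selects. Element names are assumed to be those Excel 2010 writes; the sample
# file below is constructed for this example.

# Constructed sample: an ODC file that uses the Secure Store target application
# created earlier in the chapter. Only the <xml id=msodc> island matters here.
$sampleOdc = @'
<html xmlns:o="urn:schemas-microsoft-com:office:office"
      xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/x-ms-odc; charset=utf-8">
<meta name=ProgId content=ODC.Database>
<meta name=SourceType content=OLEDB>
<title>ContosoRetailsDW</title>
<xml id=msodc><odc:OfficeDataConnection
  xmlns:odc="urn:schemas-microsoft-com:office:odc"
  xmlns="http://www.w3.org/TR/REC-html40">
  <odc:Connection odc:Type="OLEDB">
    <odc:ConnectionString>Provider=SQLOLEDB.1;Integrated Security=SSPI;Persist Security Info=True;Data Source=SQLSERVER01;Initial Catalog=ContosoRetailsDW</odc:ConnectionString>
    <odc:CommandType>Table</odc:CommandType>
    <odc:CommandText>"dbo"."DimStore"</odc:CommandText>
    <odc:SSOApplicationID>Visio Graphics Service SSSID</odc:SSOApplicationID>
  </odc:Connection>
</odc:OfficeDataConnection>
</xml>
</head>
</html>
'@

function Get-OdcSecurityModel {
    param([Parameter(Mandatory=$true)][string]$OdcText)

    # An ODC file is HTML wrapping an XML data island; parse only the island.
    $m = [regex]::Match($OdcText, '(?s)<odc:OfficeDataConnection.*?</odc:OfficeDataConnection>')
    if (-not $m.Success) { throw "No odc:OfficeDataConnection island found." }
    [xml]$odc = $m.Value
    $ns = New-Object System.Xml.XmlNamespaceManager($odc.NameTable)
    $ns.AddNamespace('odc', 'urn:schemas-microsoft-com:office:odc')

    $conn   = $odc.SelectSingleNode('//odc:Connection', $ns)
    $cs     = $conn.SelectSingleNode('odc:ConnectionString', $ns).InnerText
    $method = $conn.SelectSingleNode('odc:CredentialsMethod', $ns)   # Integrated / None / Stored (assumed)
    $ssoId  = $conn.SelectSingleNode('odc:SSOApplicationID', $ns)    # Secure Store target application ID

    # Map the file to the chapter's three delegation models.
    if ($ssoId -ne $null) {
        $model = "Secure Store Service (target application '" + $ssoId.InnerText + "'; shared identity, no per-user audit)"
    } elseif ($method -ne $null -and $method.InnerText -eq 'None') {
        $model = 'Unattended service account (shared identity, no per-user audit)'
    } else {
        $model = "Integrated Windows (viewer's identity; Kerberos delegation needed to reach the database)"
    }

    # The Provider= token is what is matched against the Trusted Data Providers list.
    $provider = [regex]::Match($cs, '(?i)Provider=([^;]+)').Groups[1].Value

    New-Object PSObject -Property @{
        Provider         = $provider
        SecurityModel    = $model
        EmbeddedPassword = [bool]($cs -match '(?i)(pwd|password)\s*=')
        ConnectionString = $cs
    }
}

# Inspect the constructed sample; for a published file use ReadAllText instead.
Get-OdcSecurityModel -OdcText $sampleOdc | Format-List
# Get-OdcSecurityModel -OdcText ([IO.File]::ReadAllText('C:\temp\ContosoRetailsDW.odc')) | Format-List
```

A connection string with Integrated Security=SSPI and an odc:SSOApplicationID, as in the sample, is the shape you want for the Secure Store model: the mapped Windows account is supplied by the target application at run time, so no password ever sits in the data connection library. A file where EmbeddedPassword comes back True is one to fix, since anyone who can read the library can read that credential.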
This chapter explained how Visio web drawings can connect to internal or external data sources. It also provided the steps to add a trusted data provider in SharePoint 2010. This chapter also explained how to create an ODC file to connect to SQL Server data sources with a Secure Store Service security model. It also provided a detailed summary of data source delegation methods available when working with Visio Graphics Service on SharePoint 2010.
The following are best practices from this chapter:
• For stronger, enterprise-level security, use Kerberos delegation and ensure that all servers reside in the same domain when data source connections must carry each viewer’s own identity.
• Most of the data providers are already listed in SharePoint 2010 Visio Graphics Service settings. Always review the existing list before adding a new data service provider.
• Keep only those data providers in the Trusted Data Providers list that you think you will use with Visio web drawings.
• Use low-privileged accounts when configuring unattended service accounts to connect to an external data source.
• If you are using Windows authentication, external data sources must reside within the same domain as the SharePoint Server 2010 farm, or Visio Graphics Service must be configured to use the Secure Store Service. For more information, review the planning documentation at http://technet.microsoft.com/en-us/library/cc560988.aspx.