Authoring Step 2: Define Top-Level Security Parameters

Last modified: April 19, 2010

Applies to: SharePoint Server 2010

Each object in the BDC hierarchy of metadata objects (Application, Entity, Method, MethodInstance, Parameter, TypeDescriptor, and so on) has an access control list (ACL) that specifies which principals have which rights on the object. Of the metadata objects, only LobSystem, Entity, Method, and MethodInstance have their own individually controllable ACLs. These objects are referred to as Individually Securable metadata objects. Other metadata objects inherit the ACL from their immediate parent and are referred to as access-controlled metadata objects.

Table 1 shows the rights that the administrator or someone with the Manage Permissions right can set on a BDC application.

Table 1. Rights that someone with Manage Permissions can set on a BDC application


Applies To



Access-controlled metadata objects

  • Update the object

  • Delete the object

  • Create child object

  • Add property

  • Remove property

  • Clear properties

  • Add localized display name

  • Remove localized display name

  • Clear localized display names

Manage Permissions

Individually securable metadata objects

  • Set permissions

  • Copy permissions to child objects

Execute (View)


Execute the MethodInstance object via various run-time API calls

Selectable in Clients

Application and Entity

  • Use in Web Parts and lists

  • View in Picker

The BDC enables you to specify access permissions for each individually securable metadata object, such as LobSystem, Entity, Method, and MethodInstance, directly in the XML. In this step, you specify the ACL at the LobSystem level in the XML.

Note Note

You can also configure top-level security parameters in the BDC administration pages.

Add the following XML to the end of the Model element (before the </Model> end tag).

Note Note

You must update the Principal attribute values with the correct domain and user or group names.

   <AccessControlEntry Principal="[your domain]\[you]">
      <Right BdcRight="Execute"/>
      <Right BdcRight="Edit"/>
      <Right BdcRight="SetPermissions"/>
      <Right BdcRight="SelectableInClients"/>
   <AccessControlEntry Principal="[your domain]\[your external data users]"> 
      <Right BdcRight="Execute"/>
      <Right BdcRight="SelectableInClients"/>