How to: Get the Access Control List for a Metadata Object

SharePoint 2007

Each object in the Business Data Catalog hierarchy of metadata objects (Application, Entity, Method, MethodInstance, Parameter, TypeDescriptor, and so on) has an access control list (ACL) that specifies which principals have which rights on the object. Of the 13 metadata objects, only LobSystem, Entity, Method, and MethodInstance have ACLs that can be controlled individually. These objects are referred to as Individually Securable metadata objects. Other metadata objects inherit the ACLs from their immediate parent and are referred to as Access-controlled metadata objects.

Business Data clients such as Business Data in Lists and Business Data Web Parts are driven by Business Data Catalog permissions. The minimum permission required on an entity to make it usable in clients is the Selectable in Clients right.


Because Business Data Catalog is a Shared Service that is shared across site collections, site collection level security settings cannot be applied to it. Therefore, Site Settings has little relationship with Business Data Catalog permissions.

The following table shows the rights that an administrator (or anyone who holds the Manage Permissions right) can set on a Business Data Catalog application.

Right: Edit
Applies to: Access-controlled metadata objects
Description:
  • Update
  • Delete
  • Create child object
  • Add property
  • Remove property
  • Clear properties
  • Add localized display name
  • Remove localized display name
  • Clear localized display names

Right: Manage Permissions
Applies to: Individually securable metadata objects
Description:
  • Set permissions
  • Copy permissions to children

Right: Execute (View)
Applies to: MethodInstance
Description:
  • Execute the MethodInstance via various run-time API calls

Right: Selectable in Clients
Applies to: Application and Entity
Description:
  • Use in Web Parts and lists
  • View in Picker

The following code example shows how to retrieve the ACL of the LobSystem that a registered LobSystemInstance belongs to. The sample looks up the instance named AdventureWorksSampleFromCode in the Business Data Catalog and then reads the ACL of its LobSystem.


Project References

Add the following project references to your console application project before running this sample:

  • Microsoft.SharePoint

  • Microsoft.SharePoint.Portal

  • Microsoft.Office.Server

using System;
using System.Collections.Generic;
using System.Text;
using Microsoft.Office.Server.ApplicationRegistry.Administration;
using Microsoft.Office.Server.ApplicationRegistry.Infrastructure;
using WSSAdmin = Microsoft.SharePoint.Administration;
using OSSAdmin = Microsoft.Office.Server.Administration;

namespace Microsoft.SDK.SharePointServer.Samples
{
    class GetStartedAndCreateSystem
    {
        const string yourSSPName = "EnterYourSSPNameHere";

        static void Main(string[] args)
        {
            SetupBDC();
            GetAccessControlList();
            Console.WriteLine("Press any key to exit...");
            Console.Read();
        }

        // Point the Business Data Catalog session at the Shared Services Provider
        // (the same setup line the other SDK Business Data Catalog samples use).
        static void SetupBDC()
        {
            SqlSessionProvider.Instance().SetSharedResourceProviderToUse(yourSSPName);
        }

        public static void GetAccessControlList()
        {
            // GetLobSystemInstancesLikeName matches a pattern, so filter for the exact name.
            LobSystemInstance mySysInstance = null;
            LobSystemInstanceCollection sysInsCollection = ApplicationRegistry.Instance.GetLobSystemInstancesLikeName("AdventureWorksSampleFromCode");
            foreach (LobSystemInstance sysInstance in sysInsCollection)
            {
                if (sysInstance.Name == "AdventureWorksSampleFromCode") { mySysInstance = sysInstance; break; }
            }
            if (mySysInstance == null) { Console.WriteLine("LobSystemInstance not found."); return; }

            // The ACL is held by the LobSystem (an individually securable object), not by the instance.
            LobSystem ls = mySysInstance.LobSystem;
            IAccessControlList acl = ls.GetAccessControlList();

            // Each entry pairs a principal (IdentityName) with the rights it holds on this object.
            foreach (IAccessControlEntry ace in acl)
            {
                Console.WriteLine(ace.IdentityName + ": " + ace.Rights);
            }
        }
    }
}
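The table above states that Selectable in Clients is the minimum right an entity needs before Business Data clients can use it. As an added example, not part of the SDK sample, the following program walks every Entity under the LobSystem located above and reports which ones grant that right to a given principal. It assumes the LobSystem.Entities collection, Entity.GetAccessControlList(), the IdentityName and Rights members of IAccessControlEntry, and the BdcRights flags enum with a SelectableInClients member, as named in the SDK; the principal name is a placeholder.

```csharp
using System;
using Microsoft.Office.Server.ApplicationRegistry.Administration;
using Microsoft.Office.Server.ApplicationRegistry.Infrastructure;

namespace Microsoft.SDK.SharePointServer.Samples
{
    // Added example: reports which Entities of a LobSystem a principal can use in
    // Business Data clients, i.e. whose ACL grants it the Selectable in Clients right.
    class EntityRightsAudit
    {
        const string yourSSPName = "EnterYourSSPNameHere";

        static void Main(string[] args)
        {
            SqlSessionProvider.Instance().SetSharedResourceProviderToUse(yourSSPName);
            // Placeholder principal; substitute a real account or group name.
            ReportSelectableEntities("AdventureWorksSampleFromCode", @"DOMAIN\user");
            Console.WriteLine("Press any key to exit...");
            Console.Read();
        }

        // True if an ACE for 'identity' carries every bit of 'right'. Rights is a flags
        // value (assumed BdcRights enum), so test with a bitwise AND, not equality.
        // Only a direct identity match is checked: rights the principal holds through
        // a group it belongs to are not resolved here.
        public static bool HasRight(IAccessControlList acl, string identity, BdcRights right)
        {
            foreach (IAccessControlEntry ace in acl)
            {
                if (string.Equals(ace.IdentityName, identity, StringComparison.OrdinalIgnoreCase)
                    && (ace.Rights & right) == right)
                    return true;
            }
            return false;
        }

        public static void ReportSelectableEntities(string instanceName, string identity)
        {
            LobSystemInstance instance = null;
            foreach (LobSystemInstance s in ApplicationRegistry.Instance.GetLobSystemInstancesLikeName(instanceName))
                if (s.Name == instanceName) instance = s;
            if (instance == null) { Console.WriteLine("Instance not found."); return; }

            // Entities are individually securable, so each one has its own ACL to inspect
            // (LobSystem.Entities and Entity.GetAccessControlList() assumed from the SDK).
            foreach (Entity entity in instance.LobSystem.Entities)
            {
                bool selectable = HasRight(entity.GetAccessControlList(), identity, BdcRights.SelectableInClients);
                Console.WriteLine(entity.Name + ": selectable in clients = " + selectable);
            }
        }
    }
}
```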
