In the first article, ‘Making BCS work for anonymous users – Part 1’, we looked at how the security and permissions need to be configured using SharePoint Designer. In this article I will outline the changes that need to be made via Central Admin to complete the task and make the external content type accessible to anonymous users on internet-facing sites.
Once the relevant changes (mentioned in Part 1) are completed and the external content types are available in Central Admin (under Business Connectivity Services), object permissions need to be set on the external content types.
Select the external content type that you need to expose to external users and click ‘Set Object Permission’ in the ribbon. A dialog will pop up where you can add users/groups and set specific permissions. Add the built-in user group ‘NT AUTHORITY\ANONYMOUS LOGON’ and set the ‘execute’ permission.
Note: In some cases SharePoint won’t find the built-in group ‘NT AUTHORITY\ANONYMOUS LOGON’, and therefore you can’t set the permission using the UI. Although you can’t set these permissions in the UI, you can set them by editing the XML of the underlying BDC model directly. The XML of the BDC model for the external content type includes <AccessControlEntry> elements that specify what rights an individual user or group has to the BCS external content type. Adding users to the BCS permissions in the UI creates additional entries in the XML of the model. To give anonymous users access to the BCS model, we need to add the following entry to several <AccessControlList> elements in the BDC model’s XML.
<AccessControlEntry Principal="NT Authority\Anonymous Logon">
  <Right BdcRight="Execute" />
</AccessControlEntry>
The easiest way to do this is as follows. In Central Admin, select the BCS service application you created and add the Execute right for a specific user. This gives you an entry that you can search for and replace in the XML file later. Then export the BDC model (with permissions) and edit it: search for the user you added and replace it with ‘NT AUTHORITY\ANONYMOUS LOGON’. Go back to Central Admin and use the Import button on the ribbon to import the edited BDC model into your BCS service application (make sure you import with permissions).
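The edit step of that procedure can be done with a small script instead of a manual search and replace. The following is an added example, not code from the original article: it swaps a placeholder principal for the anonymous logon in every <AccessControlEntry> of an exported model, and refuses to do so if the placeholder was given any right other than Execute. The model namespace, the account names and the sample model are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

BDC_NS = "http://schemas.microsoft.com/windows/2007/BusinessDataCatalog"  # assumed model namespace
ANON = r"NT AUTHORITY\ANONYMOUS LOGON"
ET.register_namespace("", BDC_NS)  # keep the default namespace when serialising

# Constructed sample of an exported model; all names are hypothetical.
SAMPLE_MODEL = r"""<Model xmlns="http://schemas.microsoft.com/windows/2007/BusinessDataCatalog" Name="ProductsModel">
  <AccessControlList>
    <AccessControlEntry Principal="CONTOSO\bcs-placeholder">
      <Right BdcRight="Execute" />
    </AccessControlEntry>
    <AccessControlEntry Principal="CONTOSO\spadmin">
      <Right BdcRight="Edit" />
      <Right BdcRight="Execute" />
    </AccessControlEntry>
  </AccessControlList>
  <LobSystems>
    <LobSystem Name="ProductsDb" Type="Database">
      <AccessControlList>
        <AccessControlEntry Principal="CONTOSO\bcs-placeholder">
          <Right BdcRight="Execute" />
        </AccessControlEntry>
      </AccessControlList>
    </LobSystem>
  </LobSystems>
</Model>"""

def grant_anonymous(model_xml, placeholder):
    """Replace the placeholder principal with the anonymous logon in every ACL.

    Returns (edited_xml, entries_changed). Raises ValueError if the placeholder
    holds anything other than Execute, so anonymous users never inherit more.
    """
    root = ET.fromstring(model_xml)
    changed = 0
    for ace in root.iter(f"{{{BDC_NS}}}AccessControlEntry"):
        if ace.get("Principal", "").lower() != placeholder.lower():
            continue  # leave every other principal untouched
        rights = {r.get("BdcRight") for r in ace.findall(f"{{{BDC_NS}}}Right")}
        if rights != {"Execute"}:
            raise ValueError(f"placeholder has rights {sorted(rights)}, expected only Execute")
        ace.set("Principal", ANON)
        changed += 1
    return ET.tostring(root, encoding="unicode"), changed

if __name__ == "__main__":
    edited, count = grant_anonymous(SAMPLE_MODEL, r"CONTOSO\bcs-placeholder")
    print(f"{count} entries now grant Execute to {ANON}")
```

The returned count is worth comparing against the number of <AccessControlList> elements you expected to change before importing the edited model.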
That’s it. The external data (whether in an external list or in Business Data web parts) that is based on your external content type can now be accessed by anonymous users.
Thanks for reading the article. In my next article I will cover some areas on how to programmatically work with external content types.