SharePoint BDC Permission Inheritance
Recently I was working on a search issue in SharePoint 2007, which led me to an interesting behaviour of BDC permissions.
We had the following errors in the MOSS crawl log:
bdc2://<guid>
The parameter is incorrect. (Could not create a security identifier for the identity ”<domain><user.name>. This identity may have been deleted.)
What this means is that search can't crawl the BDC content, because the owner of the BDC application was removed.
While diagnosing this issue we found that the user who imported the BDC application no longer works for us and had been removed from Active Directory. That is why the BDC is not accessible.
You can find a full description of this behaviour here: http://k2distillery.blogspot.com/2008/06/bdc-crawl-missing-security-identifier.html
So the workaround promised to be simple: just open "Manage Permissions" for this BDC application and remove the user from the list of BDC Entry owners and from the BDC Catalog Permissions. That is what the article describes. But reality is far from it :,,)
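The crawl error quoted above comes from the crawler trying to turn the stored owner account name into a Windows security identifier, which fails once the account is gone from Active Directory. As an added example (not part of the original post), the following PowerShell (2.0 or later, run on a domain-joined machine) performs the same lookup for a list of account names so that stale owners can be spotted before the crawl fails. The account names are constructed placeholders, and the list itself would normally be taken from the application's "Manage Permissions" page or the BDC definition file.

```powershell
# Added example, not code from the original post.
# Resolves each account name to a SID the same way the MOSS crawler does.
# Returns the names that no longer resolve (i.e. accounts deleted from AD).
function Test-BdcOwnerAccounts {
    param(
        [Parameter(Mandatory = $true)]
        [string[]] $AccountNames
    )

    $stale = @()
    foreach ($name in $AccountNames) {
        try {
            # NTAccount.Translate throws IdentityNotMappedException when the
            # account cannot be mapped to a SID (deleted or unknown account).
            $account = New-Object System.Security.Principal.NTAccount($name)
            $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
            Write-Output ("{0} -> {1}" -f $name, $sid.Value)
        }
        catch {
            # Any failure to map means the crawler would also fail on this owner.
            Write-Warning ("{0} does not resolve to a SID: {1}" -f $name, $_.Exception.Message)
            $stale += $name
        }
    }
    return $stale
}

# Constructed sample input: replace with the real owner list from your BDC application.
$owners = @('CONTOSO\bdc.admin', 'CONTOSO\former.employee')
$unresolved = Test-BdcOwnerAccounts -AccountNames $owners
if ($unresolved.Count -gt 0) {
    Write-Output ("Owners to remove or replace before the next crawl: {0}" -f ($unresolved -join ', '))
}
```

Any name reported as unresolved is a candidate for removal from the BDC entity owners and from the BDC Catalog Permissions, which is exactly the cleanup the linked article recommends.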
The actual behaviour is that whenever you navigate to "Manage Permissions" you get an "Error: Access Denied" screen. The surprising part is that my user is:
- a Farm Administrator
- an SSP Site Owner and SSP administrator
- granted all rights in SSP Personalization Permissions
- granted all rights in BDC Catalog Permissions
Well, I have all the permissions, but I still can't access the user's BDC application.
There was one thing I didn't know: BDC Catalog permissions are INHERITED permissions. It means that you need to explicitly copy all BDC permissions down to your user 🙂 Really bizarre.
Solution: navigate to the BDC Catalog Permissions page, select your admin user and click "Copy all permissions to descendants". Detailed instructions are here: http://blogs.msdn.com/mutaz/archive/2008/12/14/ssp-admin-cannot-manage-existing-bdc-applications.aspx
Hail to Mutaz for helping to nail down this issue.