Access denied by business data connectivity error - sharepoint

I created external content type in the sharepoint designer and created a list. I went to the URL and when refresh the page the list appeared. When I click the list it is showing as
"Access denied by Business Data Connectivity. Correlation
ID:bab07ba2-5ac1-463c-ab8d-f4f2233fb26"
In Central admin i gave the permissions for my account to that external content type.
Still it is showing this message. What is the solution for this one.

Got the solution. Need to add the
"Set metadata store permission"
I added my user here. The list now generated with out any problem.
Thank you all.

Go to: Central Admin -> Manage Service Application (http://CentralAdminURL/_admin/ServiceApplications.aspx) -> Business Data Connectivity Service
Then select the External Content type you are looking for and make sure you provide permissions (buttons at the ribbon) to all authenticated users.
Regards
Ronald

Related

Azure Applications; How to create a separate authorization page for out of network users

I've been tasked with figuring out a way to make a certain set of Azure users authenticate to a Web Application by accepting/denying a warning message that should be presented before the users are directed to the application itself. The users that should not go through this process are in-network users.. they should be able to input the URL and be presented with a sign-in page and from there they will have access into the application. This has already been configured via Azure AD but the previous issue for out of network users is what i'm having issues with.
My current thoughts on this is to create an a simple authorization page created by an azure function that out of network users will be directed to because the IP addresses will be placed in a conditional access rule to do so. From the simple page the user will be directed to the application or logged out if they choose cancel.
This is just a thought but definitely open to suggestions. Thoughts?
For those who may have been interested in an answer for this question I have figured it out. In order to do this I had to create a "Terms Of Use" within Azure Active Directory. This Terms of use consisted of a pdf file containing the information my user needed to view before accept/deny could be clicked. On the "Terms Of Use" was created I then created a custom conditional access policy which included users needing to accept the "Terms Of Use" before being able to access our Portal or Applications. Hope this helps

UnauthorizedAccessException for limited permissions user via REST API

not sure if this is the right place to post dev question so please point me to the right place if its not...
I have a customer that gave a user permission to one specific list.
for example:
https://[tenant].sharepoint.com/sites/qa/permissions/lists/tasks
The user cannot browse to the site:
https://[tenant].sharepoint.com/sites/qa/permissions
But he can get to the list with no problems.
When we try to get the list items using REST api, that user gets "UnauthorizedAccessException" error.
Rest API url we tried:
https://[tenant].sharepoint.com/sites/qa/permissions/_api/web/lists/getbytitle('tasks')
https://[tenant].sharepoint.com/sites/qa/permissions/_api/web/lists/getbytitle('tasks')/items
Users with at least read permissions on the site /sites/qa/permissions have no problems getting to both these API endpoints.
Is there a different way to make the REST API work for users with permissions to just one list?
Is there a limitation of the REST API and it does not support that?
Thanks!
(I posted this on technet as well, and will update here if I get an answer there)
You can deactivate the site collection feature Limited-access user permission lockdown mode.
When this feature is activated, users with "Limited access" as permissions have reduced permissions which prevent them from accessing the list item/documents properties. This will cause the Unauthorized Exception error while accessing SharePoint artefacts.
So, go to your Site Settings > Site collection features
And Deactivate the Limited-access user permission lockdown mode feature.
After that, refresh and check.
More details - Enable or disable site collection features

Not able to create record using a newly created profile in CRM 2016

I created a user testaccount1 in the active directory, and then created a new user profile in the CRM 2016 and added the account to a security group
I was able to create records that I have given access for that account
I repeated the same steps and created a testaccount2 in active directory, created a user profile in CRM and added to the same security group as testaccoutn1
But when I try to create record using the testaccount2 I get the below error
Insufficient Permissions You do not have permission to access these
records. Contact your Microsoft Dynamics CRM administrator.
There is only one security role that is assigned to both these accounts, where should I look for to fix this?
Hit Download log file
the error message will give you the specific permission that is missing
(it will look something like "**prvContactCreate" if you are lacking create on the contact record at the level of scope/depth required). Once you post the error message here, we will be able to give more detailed responses. Question - When creating the record with the second account - are you by chance setting the owner as someone other than yourself? If so, what is the depth of the privilege for the security role on the given user?

SharePoint BCS SSS Help Needed

I'm trying to bring external content into our SharePoint environment. We are running SP 2010. The data I want to bring in exists in Sql Server. What I'm struggling to do is map the logged in SharePoint user to an underlying sql user.
In SharePoint I have created a new Target Application in the Secure Store Serivce:
Target Application ID: TestApp
Target Application Type: Group
I have specified two fields:
Name :: Type
User Name :: User Name
Password :: Password
--these are not the Windows User Name and Windows Password types just the basic types
Target Application Administrators and Members are both set as myself (AD User).
In SharePoint Designer I've created a new External Content Type. I've added a connection of (Type -> Sql Server). I've set the database server name to the server name that is not on the same box as SharePoint and I've set the database name. I've selected the Connect with Impersonated Custom Identity option and set the Secure Store Application Id to TestApp. When I click OK I get prompted for credentials so I enter the Sql Server user credentials and the connection succeeds. I expand out the tables, right click the table I want accessible, and click Create All Operations. I go through the wizard and enter one limit filter.
Next I right click MyTable in the External Content Types windows, select External List, and give it a name. Next I go into Central Admin and set the credentials of TestApp.
Now when I log into SharePoint I can see my external list in the left hand TOC. I click on the list and I get the error Access Denied by Business Data Connectivity with a correlation code. I've opened up the logs to see what is being returned which has some interesting logs but I'm not sure exactly how to remedy the problem:
Log:
Access Denied for User '0#.w|domain\myuser, which may be an impersonation by 'domain\myuser'. Securable MethodInstance with Name 'Read List' has ACL that contains
Another Log:
Error while executing web part: Microsoft.SharePoint.SPException: Access denied by Business Data Connectivity. ---> Access Denied for User '0#.w|domain\myuser', which may be an impersonation by 'domain\myuser'. Securable MethodInstance with Name 'Read List' denied access.
I know if I'm using pass through creds we will need kerbors to handle the double hop but didn't think I would need kerbos with cred mapping to a sql server user.
Any help would be greatly appreciated!!!!
I was playing around with BCS and ran into what I think is a similar problem. This helped to solved the problem. See if this helps
http://www.zimmergren.net/archive/2010/05/08/access-denied-by-business-data-connectivity-solution.aspx
This happens because you have not set access on the BCS object that you created. Go into Central Administration and select your External Content Type or other object and select Set Permissions from the dropdown. Your authentication is working or you would not be able to save the object you created to the metadata store. You now need to tell the metadata store who has access to the objects you created in BCS.

Forms/AD Authentication with Sharepoint

All,
I'm configuring Sharepoint to use forms authentication with LDAP/Active Directory. I'm new to Sharepoint, so if this is obvious, please point me in the right direction.
Whenever I attempt to log in with a bad account or password, I get the very friendly (and correct) error message,
The server could not sign you in. Make
sure your user name and password are
correct, and then try again.
... which implies that Sharepoint is able to communicate with AD. If I log in with a valid account, I get a page that says:
alt text http://img63.imageshack.us/img63/6053/sharepointerror.png
(I added the grey bar to cover up the login name)
Any suggestions? The account I'm logging in with is an administrator and has been granted full control in central administration.
Also, interesting note: If I click the "sign in as a different user" link, and attempt to sign in using with the same credentials I just used, the site just redirects back to the login page, with no error or status message. If I then manually enter the site url, it again shows the "Error: Access Denied" page. Argh.
Go to site action of the actual site and add user in the format of
:loginid
It should resolve and show it underlined then try login in back to application that should fix it.
Your AD connection is working fine just need to add to sharepoint users list
yourprovider:userid
Yourprovider name is the name you gave to the user provider in web config
And you can add this user from parent site that is windows protected and you have all
I suppose it's sharepoint site security issue.
I'm getting the same error when trying to enter Site Settings page with a user that has a lack of permissions.
If you have at least one user that can access the Site Settings page, I suggest you to go to Site Actions/Site Settings/Users and Permissions/People and grops then click New button and add a user from AD to an appropriate group, eg. Team Site Members.
You have made connection with Ad and its working fine. So that you got error, when you try to login with invalid user id.
But you have missed one step in above scenario.
You need to give the permission for all AD users in your SharePoint site. The better way is to create a user group in AD (it may already there) which included all the users and add this user group in your SharePoint site with read permission.

Resources