Setting appropriate permissions on your BDC LobSystemInstance to work with Enterprise Search

Posted Thursday, July 19, 2007 2:24 PM by C-Dog's .NET Tip of the Day

Alright, so you managed to get some data into the BDC and you want to enable Enterprise Search on it. This is one area where the MOSS SDK actually has decent information. However, in my working experience I have found that a few things are missing. Hopefully this will help you get a crawl working the first time.

Typically a MOSS installation has multiple service accounts, and the Enterprise Search service usually has its own. In this example we'll call it mydomain\EnterpriseSearchService. You will most likely also have a central administration account. In most cases I use this account with the BDC, because it seems to be the easiest to get working. Since I am not a MOSS expert, I am telling you what I have gotten to work, not what is necessarily best practice. Hopefully I am close, but I fully expect to get schooled on it one day.

Follow the instructions in the MOSS SDK on how to set up Enterprise Search first. Next, go into your application definition in your Shared Services Provider to manage permissions. Add the Enterprise Search and Central Administration accounts and check all of the permission checkboxes. Also click the Copy all permissions to descendants button, which copies these permissions down to the child objects in your schema. All of them, that is, except the one that matters most for Enterprise Search: the Entity itself, which the crawler needs Execute on.

So how do you fix that? Add an AccessControlList element to your BDC schema file. Each Entity needs an access control list granting permission to your central admin account and to the Enterprise Search account. That's not all, though. It seems that when you add one, it becomes the only set of permissions applied to that object rather than merging with what the UI had set, so if you do not also grant permission to yourself (including SetPermissions, the right that lets you change the list later), you will never be able to delete that BDC entry again. Here is what the entries look like. These lines, with your own accounts substituted, go immediately after the opening of your Entity element.

<AccessControlList>
  <!-- Your own administrators group. Keep SetPermissions here, or nobody can change
       this list or delete the entity again once it is imported. -->
  <AccessControlEntry Principal="mydomain\moss administrators">
    <Right BdcRight="Execute"/>
    <Right BdcRight="Edit"/>
    <Right BdcRight="SetPermissions"/>
    <Right BdcRight="SelectableInClients"/>
  </AccessControlEntry>
  <!-- Enterprise Search crawl account. Execute is what the crawler actually needs;
       Edit and SetPermissions additionally let this identity rewrite the definition
       and its ACL, which is more than a crawl account requires. -->
  <AccessControlEntry Principal="mydomain\EnterpriseSearchService">
    <Right BdcRight="Execute"/>
    <Right BdcRight="Edit"/>
    <Right BdcRight="SetPermissions"/>
    <Right BdcRight="SelectableInClients"/>
  </AccessControlEntry>
  <!-- Central Administration account. -->
  <AccessControlEntry Principal="mydomain\CentralAdmin">
    <Right BdcRight="Execute"/>
    <Right BdcRight="Edit"/>
    <Right BdcRight="SetPermissions"/>
    <Right BdcRight="SelectableInClients"/>
  </AccessControlEntry>
</AccessControlList>

Once you have made the changes to your schema, reimport it and start your crawl. If all goes well, your BDC entity will now be indexed. You also need to be sure to grant SQL permissions to your Central Admin and Enterprise Search accounts. I also typically use the RevertToSelf setting on the AuthenticationMode element in your LobSystemInstance connection settings; otherwise you have to deal with Kerberos or set up single sign-on. Note that RevertToSelf connects to SQL Server as the process identity (the application pool or search service account) for every caller rather than as the end user, so give those SQL logins only the read rights the entity's methods need.
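Because an explicit AccessControlList replaces whatever the UI set, it is worth checking the definition file before you import it rather than after the crawl fails or you find yourself locked out. The script below is an added example, not code from the post or from the MOSS SDK: it parses a constructed sample application definition (the account names mydomain\EnterpriseSearchService, mydomain\moss administrators and mydomain\CentralAdmin follow the post and are assumptions, as is the sample data) and reports, per Entity, whether the ACL is missing, whether it sits before Identifiers/Methods as the post requires, whether the crawl account has Execute, whether the crawl account holds more than Execute, and whether anyone at all retains SetPermissions.

```python
"""Audit the AccessControlList entries in a MOSS 2007 BDC application definition
before importing it. The account names below follow the post and are assumptions."""
import xml.etree.ElementTree as ET

CRAWL_ACCOUNT = r"mydomain\EnterpriseSearchService"        # Enterprise Search service account
ADMIN_PRINCIPALS = (r"mydomain\moss administrators",       # your own admin group
                    r"mydomain\CentralAdmin")               # Central Administration account
# Entity children that the post says must come after AccessControlList.
LATER_SIBLINGS = {"Identifiers", "Methods", "Actions"}

# Constructed sample (not from the post): Customer carries the post's ACL, Order has an
# ACL in the wrong place that grants only the crawl account, Product has no ACL at all.
SAMPLE_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<LobSystem xmlns="http://schemas.microsoft.com/office/2006/03/BusinessDataCatalog"
           Type="Database" Version="1.0.0.0" Name="SampleLob">
  <LobSystemInstances>
    <LobSystemInstance Name="SampleInstance">
      <Properties>
        <Property Name="AuthenticationMode" Type="System.String">RevertToSelf</Property>
        <Property Name="DatabaseAccessProvider" Type="System.String">SqlServer</Property>
        <Property Name="RdbConnection Data Source" Type="System.String">sqlhost</Property>
      </Properties>
    </LobSystemInstance>
  </LobSystemInstances>
  <Entities>
    <Entity Name="Customer">
      <AccessControlList>
        <AccessControlEntry Principal="mydomain\moss administrators">
          <Right BdcRight="Execute"/><Right BdcRight="Edit"/>
          <Right BdcRight="SetPermissions"/><Right BdcRight="SelectableInClients"/>
        </AccessControlEntry>
        <AccessControlEntry Principal="mydomain\EnterpriseSearchService">
          <Right BdcRight="Execute"/><Right BdcRight="Edit"/>
          <Right BdcRight="SetPermissions"/><Right BdcRight="SelectableInClients"/>
        </AccessControlEntry>
      </AccessControlList>
      <Identifiers><Identifier Name="CustomerID" TypeName="System.String"/></Identifiers>
    </Entity>
    <Entity Name="Order">
      <Identifiers><Identifier Name="OrderID" TypeName="System.Int32"/></Identifiers>
      <AccessControlList>
        <AccessControlEntry Principal="MYDOMAIN\enterprisesearchservice">
          <Right BdcRight="Execute"/>
        </AccessControlEntry>
      </AccessControlList>
    </Entity>
    <Entity Name="Product">
      <Identifiers><Identifier Name="ProductID" TypeName="System.Int32"/></Identifiers>
    </Entity>
  </Entities>
</LobSystem>
"""


def _local(tag):
    """Strip the namespace prefix ElementTree attaches when the BDC xmlns is declared."""
    return tag.rsplit("}", 1)[-1]


def _rights_by_principal(acl):
    """Map each principal (case-folded, as Windows account names are) to its BdcRights."""
    rights = {}
    for ace in acl:
        if _local(ace.tag) == "AccessControlEntry":
            principal = ace.get("Principal", "").casefold()
            rights.setdefault(principal, set()).update(
                r.get("BdcRight") for r in ace if _local(r.tag) == "Right")
    return rights


def audit_entity(entity, crawl_account=CRAWL_ACCOUNT, admin_principals=ADMIN_PRINCIPALS):
    """Return the findings for one Entity element; an empty list means it is ready to crawl."""
    findings = []
    children = [_local(c.tag) for c in entity]
    if "AccessControlList" not in children:
        return ["no AccessControlList: copy-to-descendants did not reach this entity"]
    acl_index = children.index("AccessControlList")
    if LATER_SIBLINGS & set(children[:acl_index]):
        findings.append("AccessControlList must precede Identifiers/Methods/Actions")
    rights = _rights_by_principal(entity[acl_index])
    crawl = rights.get(crawl_account.casefold(), set())
    if "Execute" not in crawl:
        findings.append("crawl account lacks Execute: Enterprise Search cannot crawl it")
    if crawl & {"Edit", "SetPermissions"}:
        findings.append("crawl account holds Edit/SetPermissions: more than a crawler needs")
    holders = [p for p, r in rights.items() if "SetPermissions" in r]
    if not holders:
        findings.append("nobody holds SetPermissions: entity can never be re-permissioned or deleted")
    elif not any(p.casefold() in holders for p in admin_principals):
        findings.append("no admin principal holds SetPermissions: you may have locked yourself out")
    return findings


def audit_definition(xml_text, **kwargs):
    """Audit every Entity in an application definition; returns {entity name: [findings]}."""
    root = ET.fromstring(xml_text)
    return {e.get("Name"): audit_entity(e, **kwargs)
            for e in root.iter() if _local(e.tag) == "Entity"}


if __name__ == "__main__":
    for name, findings in audit_definition(SAMPLE_XML).items():
        print(name, "->", findings or ["OK"])
```

Run it against your real definition by passing the file contents to audit_definition and, if your accounts differ, overriding crawl_account and admin_principals. Principal comparison is case-insensitive because Windows account names are; the ordering check reflects the post's placement rule, and the "more than a crawler needs" finding is the least-privilege warning rather than something that breaks the crawl.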

Lastly, I found that some instructions were incorrect in the Enterprise Search section of the CHM file downloaded from the SDK. So if things aren't making sense, check the online version of the page, because it looks like it has been corrected.

Read the complete post at http://www.dotnettipoftheday.com/blog.aspx?id=375