BDC and Security

The BDC is the perfect choice for indexing and working with small data sources that have minimal security requirements and contain only structured data. But as soon as you are dealing with unstructured data, such as documents combined with metadata the way a document management system stores them, you are out of luck and have to write your own protocol handler or hope a vendor comes out with one.

Security and the BDC
The two uses of the BDC have two different security approaches:

Search Content Source - When using the BDC as a search content source, you can't attach any security to the crawled data itself the way you can with your own protocol handler. With a PH you actually create AD-based ACLs that are attached to each item and applied by SharePoint before the results are returned. With the BDC, in order to provide any security on the results, you have to use the new Security trimming feature and write a query to verify access to the data. This is a severely limited approach, as it queries for each and every item and is applied after the results are generated, affecting relevancy. If you are dealing with large result sets and heavily secured data, you may have to spool through thousands of results just to get enough to show to the user, if any.

Web part data source - This is when you create BDC data definitions to display data from your LOB systems in web parts. The security for this requires you to include all your security in each and every query or web service call. If you are mapping to an API this may already be taken care of for you, but if not, be prepared to deal with large queries or stored procedures, especially if your LOB system has a complex security model with groups or roles, or even worse, one that is hierarchy based.
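To put numbers on the search content source case, here is a small model added for illustration (it is not SharePoint code and not from the original post) that compares crawl-time ACLs with post-query trimming for one page of ten results. The corpus, the `bdc://lob/record/` URLs, the user names and the batch size of 50 are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Item:
    url: str
    readers: frozenset  # principals allowed to read this item

def build_index(total=5000, every=200):
    # Constructed ranked result set: "alice" may read only every 200th hit.
    return [Item(f"bdc://lob/record/{i}",
                 frozenset({"alice"} if i % every == 0 else {"svc"}))
            for i in range(total)]

def acl_page(index, user, page_size=10):
    """Protocol-handler model: the ACL was stored with each item at crawl
    time, so the engine filters inside the query and makes no backend calls."""
    hits = [it.url for it in index if user in it.readers]
    return hits[:page_size], 0

def trimmed_page(index, user, page_size=10, batch=50):
    """Security-trimming model: the engine hands ranked hits to the trimmer
    in batches and every hit in a batch costs one backend access check."""
    page, checks = [], 0
    for start in range(0, len(index), batch):
        chunk = index[start:start + batch]
        checks += len(chunk)  # one LOB access query per item in the batch
        page += [it.url for it in chunk if user in it.readers]
        if len(page) >= page_size:
            break
    return page[:page_size], checks

if __name__ == "__main__":
    idx = build_index()
    for user in ("alice", "bob"):
        page, checks = trimmed_page(idx, user)
        print(f"{user}: ACL model {acl_page(idx, user)[1]} backend checks, "
              f"trimming model {checks} checks for {len(page)} results")
```

A user with no access at all ("bob" here) is the worst case: every hit in the result set is checked and the page still comes back empty.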

Published Monday, June 11, 2007 8:13 PM by ceven
