MOSS 2007 profile import using BDC with Single Sign-On: Permissions

If you want to extend your profiles with data that comes not only from an LDAP source but also from the BDC, you have to be aware of some permission settings to save yourself a severe headache, even more so when you connect to your external data source using the Single Sign-On service.

Configuring the import's custom data source is pretty easy, so I won't get into this. But now comes what is not so obvious: how to set the permissions to make this work.

  1. Make sure you know the account under which the profiles are crawled. This is usually the default content access account specified for the search (you cannot specify a special user account for the BDC custom data source!).
  2. This account must be a member of the group you've specified in the Single Sign-On settings page for the SSO application that is used in the BDC instance of your application definition.
  3. Also, this account must have "Execute" rights on the BDC, the application and don't forget the instance itself! (I'm not so sure here, but there are these 3 levels of permission - instance is needed in any case!)
  4. Make sure that this account has the "Manage Audiences" right in "Personalization services permissions".

Uff... that's all. Now it should work. Happy trying

 



Read the complete post at http://www.sharepointblogs.com/michael/archive/2007/09/18/moss-2007-profile-import-using-bdc-with-single-sing-on-permissions.aspx

Published Tuesday, September 18, 2007 9:42 AM by SharePoint Blogs