Visio Services security considerations
When Visio drawings are connected to external data and the elements in the drawings can be updated from that data, security becomes an important consideration. Users must have permission both to view the diagram and to access the data that the diagram is connected to.
Visio files, because they are stored in document libraries, can be secured using the native security mechanisms of lists and libraries. To access external data, Visio Services uses a delegated Windows identity; therefore, the external data must reside within the same Active Directory domain as the SharePoint Server 2013 farm, or you must configure Visio Services to use the Secure Store Service (SSS).
The SSS maps a user's credentials, or those of a group of users, to a different credential that has access to the external data source. Visio Services also uses SSS to configure an unattended service account, which associates all users with a single account. This account is always used for diagrams that are connected to Microsoft SQL Server databases without Office Data Connection (ODC) files. If SSS is not used and the external data does not reside within the same domain, authentication to the external data sources fails.
You can also control access to specific data sources by explicitly defining which data providers are trusted and configuring them on the Visio Graphics Service Trusted Data Providers page, as shown in Figure 7. You navigate to this page by clicking Trusted Data Providers on the Manage the Visio Graphics Service page on the SharePoint Central Administration website. You can also manage trusted data providers using the Windows PowerShell cmdlets New-SPVisioSafeDataProvider, Set-SPVisioSafeDataProvider, and Remove-SPVisioSafeDataProvider.
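The following SharePoint 2013 Management Shell script is an added example, not code from the book, showing the two controls just described in the order an administrator would apply them: review the trusted data providers, remove one that is not needed, explicitly trust a custom provider, and then bind the unattended service account to a Secure Store target application so refreshes against data outside the farm's domain use a mapped credential. The service application name "Visio Graphics Service", the Secure Store target application ID "VisioUnattended", and the Contoso provider identifiers are assumptions. The numeric DataProviderType codes in the comment are the ones documented for New-SPVisioSafeDataProvider as I recall them; confirm them against the output of Get-SPVisioSafeDataProvider on your own farm before relying on them.

```powershell
# Added example (not from the book): auditing and tightening the Visio Graphics
# Service data-access configuration from the SharePoint 2013 Management Shell.
# Assumptions (not from the text): service application name "Visio Graphics Service",
# Secure Store target application ID "VisioUnattended", and the Contoso provider IDs.
# DataProviderType codes as documented for New-SPVisioSafeDataProvider (verify locally):
# 1 Excel Services, 2 SharePoint lists, 3 SQL Server, 4 OLE DB, 5 ODBC, 6 BCS, 7 custom.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$vgs = Get-SPVisioServiceApplication -Identity "Visio Graphics Service"

# 1. Review which providers are currently trusted before changing anything.
Get-SPVisioSafeDataProvider -VisioServiceApplication $vgs |
    Select-Object DataProviderId, DataProviderType, Description |
    Format-Table -AutoSize

# 2. Remove a trusted provider the farm has no business need for. A provider
#    that is not on the list cannot be used for data refresh, so keeping the
#    list short is the least-privilege position.
$unwanted = "Contoso.Visio.LegacyProvider"   # assumed identifier
$existing = Get-SPVisioSafeDataProvider -VisioServiceApplication $vgs |
    Where-Object { $_.DataProviderId -eq $unwanted }
if ($existing) {
    Remove-SPVisioSafeDataProvider -VisioServiceApplication $vgs `
        -DataProviderId $unwanted -DataProviderType $existing.DataProviderType
}

# 3. Explicitly trust one custom .NET data provider (type 7). For custom
#    providers the ID is the assembly's strong name; the token below is a placeholder.
New-SPVisioSafeDataProvider -VisioServiceApplication $vgs `
    -DataProviderId "Contoso.Visio.InventoryProvider, Version=1.0.0.0, Culture=neutral, PublicKeyToken=0123456789abcdef" `
    -DataProviderType 7 `
    -Description "Inventory provider (assumed example)"

# 4. Bind the unattended service account to a Secure Store target application,
#    so refreshes against data outside the farm's AD domain authenticate with
#    the mapped credential instead of the caller's delegated identity.
Set-SPVisioExternalData -VisioServiceApplication $vgs `
    -UnattendedServiceAccountApplicationID "VisioUnattended"
```

Run step 1 on its own first and keep its output; it is the baseline you compare against after the change, and the same listing is what you would capture during an audit of which external data paths Visio Services can reach.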
When a diagram links to data outside the Visio file and that file is then presented in Visio Services, the data can be refreshed only from the following data sources:
- SQL Server databases hosted on SQL Server 7.0 or later, including SQL Azure. Visio Services can connect to tables and views, but not to stored procedures. If you want to use stored procedures, you need to use BCS or write your own code.
- Sheet information stored in Excel workbooks (.xlsx files) published from Excel 2007, Excel 2010, or Excel 2013 and stored on the same SharePoint Server 2013 farm with Excel Services enabled.
- SharePoint lists and libraries hosted on the same farm as the library in which the Visio drawing is stored.
- External lists exposed in SharePoint Server through BCS. For a user to access data in an external list, the user must have permissions to access the ECT and permissions to access the external data source. This is new in SharePoint 2013 and means that your developers should not need to create new custom data providers.
- Databases accessed through the Object Linking and Embedding Database (OLE DB) or Open Database Connectivity (ODBC) APIs. The only limitation of these data source types is obtaining and deploying the drivers on the SharePoint servers.
- Custom data providers implemented as Microsoft .NET Framework assemblies. Through these data providers, a wide range of data sources can be used, such as Power View, System Center, SAP, Dynamics Web Services, Windows PowerShell, and BCS.
Note
If you are using Office 365, then you are limited to Excel Services, SharePoint lists, and external lists.