The Microsoft SharePoint Conference 2006 disclosed lots of new features, and many new questions. The Business Data Catalog (BDC) was very impressive to see, but raised many questions in my mind about how security is handled. For example, when you connect data from a 3rd party database (SAP, Peoplesoft, SQL Server, ...) into a SharePoint list, SharePoint will cache that data so the normal list filtering and sorting will work as expected. That's great, but what about little things like if SharePoint passes my identity through the BDC to get the data, will you see the data cached from the BDC's use of my identity?
Todd happened to point me at gotdotnet, which doesn't have much for BDC yet, but it does have the best explaination I've seen yet for BDC security. The explaination is short, but it's packed with information that you may not recognize (or understand the relivance of) until you've heard 3 more explainations of how the BDC works.
http://www.gotdotnet.com/codegallery/messageboard/thread.aspx?id=5e078686-a05c-4a44-a131-88d75e550be8&mbid=bed395e0-f868-435c-bd5c-9eaf3bcd50c6&threadid=dba78318-6ced-4d88-b853-1cdba0ba2ffc
I've formulated a series of questions and sent them off to a MS Office Program Manager. When I get a response I'll post more. In the meantime, I'll leave you with the core quote from gotdotnet:
“The general point is that when you move data from the back-end into another place -- the Search index, the List store, the User-Profile store -- the authentication and authorization of the new place takes over.”