Security between two parties is achieved, in part, by each party knowing who the other party is and
trusting the other party. In external data scenarios, there are many parties involved, including the workbook
author, the DCL file author, the end users, Excel Services, and the external database. Each of these might
intentionally try to disclose data it does not have access to, or add, change, or destroy the information in
The following sections explain the most important security threats.
Unauthorized Read Access
Databases protect the information that they manage by enforcing a set of permissions. Depending on the
credentials of the users accessing a database, they might be permitted or denied read or write access to
the database, a table, or some other information. It is the database’s job to protect itself against
unauthorized access, and it is Excel Services’ job to use the correct credentials when connecting to the database.
Excel Services must first be able to correctly authenticate the end user who tries to access external data.
Chapter 8 explains in detail how the user identity is determined.
Excel Services has several ways to decide which credentials to use. It can delegate the end user's
credentials in certain topologies, use different credentials that the user is mapped to through SSO, or use some
fixed predefined credentials. Later in this chapter, you learn more about these methods.
When configuring Excel Services, be very careful about which credentials the ECS will use to connect to
external data. Using a fixed set of credentials is equivalent to the ECS administrator knowing a user name and
password for that database connection, and giving them to all users of that instance of Excel Services.
It is fine to do that if the administrator knows and trusts the users, or wants to give them all the same
permissions to the data.
Correctly configuring Excel Services to collaborate with the database owner ensures that end users
can read only the data they have permissions to read.
Reading Other Users’ Data
Excel Services must ensure not only that users will not be able to query data they are not authorized to
access, but also that end users will not have access to the results of queries performed by other users (with
different credentials). The ECS caches external data to improve performance, but it shares those caches only
between users who have identical data credentials and permissions. That way, end users will only get the data
they have access to. These performance optimizations are described in the “Performance” section, later
in this chapter.
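The cache-sharing rule above, sketched as an added example. It is a toy model and not Excel Services code: the function names, logins, SSO mapping, and rows are constructed for illustration, and permissions are assumed to follow the database login.

```python
# Added illustration: a toy model, not Excel Services code. All names are hypothetical.
from dataclasses import dataclass, field

# Constructed sample data: rows each database login is permitted to read.
DB_ROWS = {
    "alice": ["east: 10", "west: 20"],
    "bob": ["east: 10"],
    "svc_report": ["east: 10"],
}
# Constructed SSO mapping from end user to database login.
SSO_MAP = {"alice": "alice", "bob": "svc_report", "carol": "svc_report"}


def data_credential(user, mode, fixed_login="svc_report"):
    """Return the database login used on behalf of `user` in each mode."""
    if mode == "delegation":
        return user                 # the end user's own identity
    if mode == "sso":
        return SSO_MAP[user]        # credentials the user is mapped to
    if mode == "fixed":
        return fixed_login          # one predefined login for everyone
    raise ValueError(f"unknown credential mode: {mode}")


def run_query(login):
    """The database enforces its own permissions on the login it sees."""
    if login not in DB_ROWS:
        raise PermissionError(f"{login} has no access")
    return DB_ROWS[login]


@dataclass
class ResultCache:
    entries: dict = field(default_factory=dict)
    db_queries: int = 0  # completed database round trips

    def fetch(self, connection, query, user, mode):
        login = data_credential(user, mode)
        # The data credential is part of the key, so a cached result is
        # reused only for users who connect with the same credential.
        key = (connection, query, login)
        if key not in self.entries:
            self.entries[key] = run_query(login)
            self.db_queries += 1
        return self.entries[key]
```

In the fixed mode, every user is served from one cache entry and sees exactly what the fixed login can read, which is the trade-off described earlier for fixed credentials.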
Another security threat is that end users will see external data that the workbook author has saved.
Workbook authors usually have higher permissions to the database than some of the end users. Data
returned from queries that the author makes when authoring the workbook is saved in the workbook.
When opening a workbook with refresh on open, the ECS performs the query with the credentials
relevant for the end user. The security risk exists if the refresh-on-open query fails for any reason. In that
case, Excel Services might completely fail to open the workbook, as opposed to displaying the data that
was saved in the workbook. You can control this feature with the Stop When Refresh On Open Fails