Runtime Error: Access denied by BDC

When you are working with Business Data Catalog applications, Access Denied errors mean that a user or a service account performing an action—such as accessing an entity, executing a method or deleting an application—does not have permission to perform the action. To resolve the problem, someone with the Manage Permissions right needs to grant the user or the service account appropriate permissions to the Business Data Catalog metadata objects.

Note

The Search service uses the default Content Access account to crawl Business Data Catalog applications that are configured for search.

Details

Each object in the Business Data Catalog hierarchy of metadata objects (Application, Entity, Method, MethodInstance, Parameter, TypeDescriptor, and so on) has an access control list (ACL) that specifies which principals have which rights on the object. Of the 13 metadata objects, only LobSystem, Entity, Method, and MethodInstance have an ACL that can be controlled individually. These objects are referred to as Individually Securable metadata objects. Other metadata objects inherit the ACL from their immediate parent and are referred to as Access-controlled metadata objects.

Summary of Rights

The following table shows the rights the administrator—or someone with the Manage Permissions right—can set on a Business Data Catalog application.

Right: Edit
Applies To: Access-controlled metadata objects
Description:

  • Update
  • Delete
  • Create child object
  • Add property
  • Remove property
  • Clear properties
  • Add localized display name
  • Remove localized display name
  • Clear localized display names

Right: Manage Permissions
Applies To: Individually securable metadata objects
Description:

  • Set permissions
  • Copy permissions to children

Right: Execute (View)
Applies To: MethodInstance

Note

This can be set at the MethodInstance level only using the object model. In the Administration user interface, this is aggregated and displayed, and is editable only at the entity level.

Description:

  • Execute the MethodInstance via various run-time API calls

Right: Selectable in Clients
Applies To: Application and Entity
Description:

  • Use in Web Parts and lists
  • View in Picker
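The following added example is a small Python model of the ACL rules described above. It is not part of the original page and does not use the Business Data Catalog object model. It shows how to find which object's ACL decides an Access Denied error: objects that are not individually securable defer to their parent chain. The hierarchy, the account names, and the names MetadataObject, check_access, and build_sample are constructed for illustration.

```python
# Added model of the ACL rules described above; not the BDC object model API.
from dataclasses import dataclass, field
from typing import Optional

# The four metadata object types the page lists as individually securable.
INDIVIDUALLY_SECURABLE = {"LobSystem", "Entity", "Method", "MethodInstance"}

@dataclass
class MetadataObject:
    kind: str
    name: str
    parent: Optional["MetadataObject"] = None
    acl: dict = field(default_factory=dict)  # principal -> set of right names

    def acl_owner(self) -> "MetadataObject":
        """Walk up parents to the object whose ACL governs this one."""
        node = self
        while node.kind not in INDIVIDUALLY_SECURABLE:
            if node.parent is None:
                raise ValueError(f"{node.kind} '{node.name}' has no securable ancestor")
            node = node.parent
        return node

def check_access(principal: str, right: str, target: MetadataObject):
    """Return (allowed, owner): owner is where the right must be granted."""
    owner = target.acl_owner()
    return right in owner.acl.get(principal, set()), owner

def build_sample():
    """Constructed hierarchy and accounts, for illustration only."""
    lob = MetadataObject("LobSystem", "SampleLob")
    entity = MetadataObject("Entity", "Customer", lob,
                            {r"CONTOSO\crawl": {"Selectable in Clients"}})
    method = MetadataObject("Method", "GetCustomers", entity,
                            {r"CONTOSO\bdcadmin": {"Edit"}})
    finder = MetadataObject("MethodInstance", "CustomerFinder", method)
    param = MetadataObject("Parameter", "Customers", method)
    descriptor = MetadataObject("TypeDescriptor", "CustomerRow", param)
    return finder, descriptor

if __name__ == "__main__":
    finder, descriptor = build_sample()
    for who, right, obj in [(r"CONTOSO\crawl", "Execute", finder),
                            (r"CONTOSO\bdcadmin", "Edit", descriptor)]:
        ok, owner = check_access(who, right, obj)
        verdict = "allowed" if ok else "Access denied"
        print(f"{who} {right} on {obj.kind} '{obj.name}': {verdict}; "
              f"ACL checked on {owner.kind} '{owner.name}'")
```

In the first case the constructed crawl account is denied because it has no Execute right on the MethodInstance. In the second, the Edit on the TypeDescriptor is decided by the ACL of the Method two levels up.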

See Also

Tasks

How to: Add an Access Control Entry to a Metadata Object
How to: Get the Access Control List for a Metadata Object

Concepts

Business Data Catalog Authorization