Windows Groups and User Accounts in BizTalk Server
This section provides information about BizTalk Server local and domain group and user accounts. The Configuration Manager creates the necessary BizTalk group accounts for you by default if you install BizTalk Server and all prerequisite software on a single computer. The information contained in this section applies to multiple computer topologies.
 Important |
|---|
| BizTalk Server supports local group and user accounts only in single computer configurations. BizTalk Server supports domain group and user accounts in both single and multiple computer configurations. If you use domain groups for your BizTalk Server configuration, you must manually create the groups before you configure BizTalk Server. The Configuration Manager cannot create domain groups. |
Procedures
To create Windows Group and User Accounts in BizTalk Server
-
Using Active Directory, from the Start menu, point to Programs, point to Administrative Tools, and select Active Directory Users and Computers.
-
In the Active Directory Users and Computers window, right-click at the bottom of the right pane, or right-click the Users folder in the navigation tree in the left pane.
-
Select New, then select Group or User.
-
Enter the group or user information outlined in the following table.
The following table lists the Windows group and their membership used by BizTalk Server. It also identifies the SQL Server Roles or Database Roles for the group.
| Group | Group Description | Membership | SQL Server Roles or Database Roles |
|---|---|---|---|
|
SSO Administrators |
Administrator of the Enterprise Single Sign-On (SSO) service. |
Contains service accounts for Enterprise Single Sign-On service. Contains users/groups that need to be able to configure and administer BizTalk Server and SSO service. Contains accounts used to run BizTalk Configuration Manager when configuring SSO master secret server. |
db_owner SQL Server Database Role for the SSO securityadmin SQL Server Role for the SQL Server where SSO is located |
|
SSO Affiliate Administrators |
Administrators of certain SSO affiliate applications. Can create/delete SSO affiliate applications, administer user mappings, and set credentials for affiliate application users |
Contains no service accounts. Contains account used for BizTalk Server Administrators. |
|
|
BizTalk Server Administrators |
Has the least privileges necessary to perform administrative tasks Can deploy solutions, manage applications, and resolve message processing issues. To perform administrative tasks for adapters, receive and send handlers, and receive locations, the BizTalk Server Administrators must be added to the Single Sign-On Affiliate Administrators. For more information, see Managing BizTalk Server Security. |
Contains users/groups that need to be able to configure and administer BizTalk Server. |
BTS_ADMIN_USERS SQL Server Database Role in the following databases: BizTalkMgmtDb BizTalkMsgBoxDb BizTalkRuleEngineDb BizTalkDTADb BAMPrimaryImport db_owner SQL Server Database Role for the following databases: BAMStarSchema BAMPrimaryImport BAMArchive BAMAlertsApplication BAMAlertsNSMain NSAdmin SQL Server Database Role in the following databases: BAMAlertsApplication BAMAlertsNSMain OLAP Administrators on the computer hosting the BAMAnalysis OLAP database. |
|
BizTalk Server Operators |
Has a low privilege role with access only to monitoring and troubleshooting actions For more information, see Managing BizTalk Server Security |
Contains user/groups that will monitor solutions. Contains no service accounts. |
BTS_OPERATORS SQL Server Database Role in the following databases: BizTalkDTADb BizTalkEDIDb BizTalkMgmtDb BizTalkMsgBoxDb BizTalkRuleEngineDb |
|
BizTalk Application Users |
The default name of the first In-Process BizTalk Host Group created by Configuration Manager. Use one BizTalk Host Group for each In-Process host in your environment. Includes accounts with access to In-Process BizTalk Hosts (hosts processes in BizTalk Server, BTSNTSvc.exe). |
Contains service accounts for the BizTalk In-Process host instance in the host that the BizTalk Host Group is designated for. |
BTS_HOST_USERS SQL Server Database Role in the following databases: BizTalkMgmtDb BizTalkMsgBoxDb BizTalkRuleEngineDb BizTalkDTADb BAMPrimaryImport BAM_EVENT_WRITER SQL Server Database Role in the BAMPrimaryImport |
|
BizTalk Isolated Host Users |
The default name of the first Isolated BizTalk Host Group created by Configuration Manager. Isolated BizTalk hosts not running on BizTalk Server, such as HTTP and SOAP. Use one BizTalk Isolated Host Group for each Isolated Host in your environment. |
Contains service accounts for the BizTalk Isolated host instance in the host that the Isolated BizTalk Host Group is designated for. |
BTS_HOST_USERS SQL Server Database Role in the following databases: BizTalkMgmtDb BizTalkMsgBoxDb BizTalkRuleEngineDb BizTalkDTADb BAMPrimaryImport |
|
BAM Portal Users |
Has access to BAM Portal Web site. |
Everyone group is used for this role by default. Contains no service accounts. |
|
|
BizTalk SharePoint Adapter Enabled Hosts |
Has access to Windows SharePoint Services Adapter Web Service |
Contains service accounts for the BizTalk host instance to be able to call SharePoint Adapter. |
|
|
BizTalk B2B Operators Group |
A new BizTalk role that reduces the onus on the Administrators to perform all Party management operation. This role allows windows users associated with the role to perform all party management operations. |
Contains users/groups that must be able to configure and administer BizTalk Server TPM data and monitor solutions. |
BTS_OPERATORS SQL Server Database Role in the following databases: BizTalkDTADb, BizTalkMgmtDb, BizTalkMsgBoxDb, BizTalkRuleEngineDb and BAMPrimaryImport |
The following table lists the Windows user or service accounts and group affiliations used by BizTalk Server. It also identifies the SQL Server Roles or Database Roles for the accounts.
| User | User Description | Group Affiliation | SQL Server Roles or Database Roles |
|---|---|---|---|
|
Enterprise Single Sign-On Service |
Service account used to run Enterprise Single Sign-On Service which accesses the SSO database. |
SSO Administrators |
|
|
BizTalk Host Instance Account |
Service account used to run BizTalk In-Process host instance which access In-Process BizTalk host instance (BTNTSVC). |
BizTalk Application Users |
|
|
BizTalk Isolated Host Instance Account |
Service account used to run BizTalk Isolated host instance (HTTP/SOAP). |
BizTalk Isolated Host Users IIS_WPG |
|
|
Rule Engine Update Service |
Service account used to run Rule Engine Update Service which receives notifications to deployment/undeployment policies from the Rule engine database. |
|
RE_HOST_USERS SQL Server Database Role in the BizTalkRuleEngineDb |
|
BAM Notification Services User |
Service account used to run BAM Notification Services which accesses the BAM databases. |
SQLServer2008NotificationServicesUser$<ComputerName> |
NSRunService SQL Server Database Role in the following databases: BAMAlertsApplication BAMAlertsNSMain BAM_ManagementNSReader SQL Server role for the BAMPrimaryImport |
|
BAM Management Web Service User |
User account for BAM Management Web service (BAMManagementService) to access various BAM resources. BAM Portal calls BAMManagementService with the user credentials logged on the BAM Portal to manage alerts, get BAM definition XML and BAM views |
IIS_WPG |
NSSubscriberAdmin SQL Server Database Role in the following databases: BAMAlertsApplication BAMAlertsNSMain BAM_ManagementWS SQL Server role for the BAMPrimaryImport |
|
BAM Application Pool Account |
Application pool account for BAMAppPool which hosts BAM Portal Web site. |
IIS_WPG |
|
In This Section
© 2010 Microsoft Corporation. All rights reserved.
