Home Library Learn Samples Downloads Support Community Forums
2 out of 2 rated this helpful - Rate this topic

Minimum Security User Rights

The groups and accounts that BizTalk Server uses have the minimum user rights they need to perform most tasks. Therefore, there are some tasks where you may need more user rights than the ones BizTalk Server automatically has granted the group to which you belong. The following table describes the Minimum Security User fRights you need to perform tasks in BizTalk Server.

 

Task Groups or Roles

Setup

 

Installation
  • Local Administrators

Configuration
  • BizTalk Server Administrators

  • Local Administrators

  • sysadmin SQL Server Role

  • SSO Administrators

  • OLAP Administrator

Join a BizTalk Server group
  • Local Administrators

  • BizTalk Server Administrators

BizTalk Administration

 

Create a MessageBox database
  • BizTalk Server Administrators

  • sysadmin SQL Server Role

Create or delete a BizTalk host

  • BizTalk Server Administrators

  • db_ddladmin SQL Server Database role on the BizTalk MessageBox databases

Change the Host Tracking property for a host
  • BizTalk Server Administrators

  • db_securityadmin SQL Server Database role on the BAM Primary Import database, BizTalk MessageBox databases, and the BizTalk Tracking database

Create (install), delete, or change the credentials for a host instance

  • BizTalk Server Administrators

  • Local Administrators

  • securityadmin SQL Server Role on the server(s) where the following databases are:

    • BizTalk MessageBox databases, BizTalk Management database, Rule Engine database, BizTalk Tracking database, BAM Primary Import database

  • db_securityadmin SQL Server Database role on the following databases:

    • BizTalk MessageBox databases, BizTalk Management database, Rule Engine database, BizTalk Tracking database, BAM Primary Import database

Start or stop a host instance
  • BizTalk Server Administrators

Add or remove Server
  • BizTalk Server Administrators

  • Local Administrators on the computer you are adding or removing.

Add or remove a receive handler
  • BizTalk Server Administrators

  • SSO Affiliate administrators

Start or stop applications, orchestrations, send ports, and send port groups

  • BizTalk Server Operators

Enable or disable receive locations
  • BizTalk Server Operators

Search for artifacts
  • BizTalk Server Operators

Add an adapter
  • BizTalk Server Administrators

  • SSO Affiliate administrators

Backup databases
  • BTS_BACKUP_USERS role for the databases

  • sysadmin SQL Server role on the SQL Server hosting BizTalk Management database.

noteNote
You must configure the SQL Server Agent service to run under a domain account or a local account with a mapped user on each instance of SQL Server.

Configure BizTalk Groups with a certificate
  • BizTalk Server Administrators

All other tasks (including WMI)
  • BizTalk Server Administrators

Operations and Message and Service Instance Tracking

 

View Group Hub page, perform queries, save and load queries
  • BizTalk Server Operators

View query results
  • BizTalk Server Operators

General configuration and tracking configuration
  • BizTalk Server Administrators (read and write)

  • BizTalk Server Operators (read)

Browse a health monitoring cube
  • BizTalk Server Administrators

View message properties
  • BizTalk Server Administrators

Save message bodies
  • BizTalk Server Administrators

Use Find Message query

  • BizTalk Server Administrators

Use Query Build
  • BizTalk Server Administrators

Use the orchestration debugger
  • BizTalk Server Administrators

View message flow, message events in the Group Hub page using the BizTalk Server Administration console.
  • BizTalk Server Operators

Suspend, terminate, or resume instances
  • BizTalk Server Operators

Archiving or purging messages from the Tracking database
  • db_owner role on the BizTalk Tracking database

All other tasks
  • BizTalk Server Administrators

Tracking Profile Editor

 

Read or write to the BizTalk Management database
  • BizTalk Server Administrators

Event Bus Monitoring MMC

 

All tasks
  • BizTalk Server Administrators

BizTalk WCF Service Publishing Wizard

All tasks
  • Local Administrators

BizTalk Web Services Publishing Wizard

 

All tasks
  • Local Administrators

Business Activity Monitoring

 

Run BM.exe
  • db_owner SQL Server Database role in the BAM Primary Import, BAM Star Schema, and BAM Archive databases

Run BM.exe, if there is an Analysis Services database
  • db_owner SQL Server Database role in the BAM Primary Import, BAM Star Schema, and BAM Archive databases

  • OLAP Administrators in the BAM Analysis Services database

Create account for BAM View
  • db_owner SQL Server Database role in the BAM Primary Import database

  • OLAP Administrators in the BAM Analysis Services database

Rule Engine (publishing rules)

 

Deploy/undeploy policies, manipulate security-related artifacts
  • RE_ADMIN_USERS SQL Server Database role in the Rule engine database

User rights for performing administrative tasks

In order to perform administrative tasks, using either the BizTalk Server Administration Console or Windows Management Instrumentation (WMI), the account performing the administrative tasks requires different levels of user rights depending on the task to perform.

The following table describes the user rights the account needs to perform the tasks, from least user rights (level 1), to most user rights (level 4).

 

Level of user rights User rights granted Tasks

0
  • BizTalk Server Operators
  • Basic administration and monitoring tasks. No ability to change configuration settings. No access to message properties or content.

1
  • BizTalk Server Administrators
  • All administrative tasks, except the ones that require level 2-4 user rights

2
  • User rights granted to level 1

  • securityadmin SQL Server role on all SQL Servers

  • db_securityadmin and db_accessadmin SQL Server Database roles in the BizTalk Tracking, Rule Engine, BizTalk Management, BAM Primary Import and BizTalk MessageBox databases

  • db_ddladmin SQL Server Database role on all BizTalk MessageBox databases

  • SSO Affiliate administrators
  • Create and delete BizTalk hosts

  • Change host tracking property

  • Add and delete servers

  • Add and delete receive handlers

  • Add adapters

3
  • User rights granted to level 2

  • Local Administrators on all BizTalk Server runtime computers
  • Create and delete host instances

4
  • User rights granted to level 3

  • sysadmin SQL Server role on all of the SQL Servers that have BizTalk MessageBox databases
  • Create MessageBox databases

See Also

© 2010 Microsoft Corporation. All rights reserved.
Did you find this helpful?
(1500 characters remaining)

Community Additions

ADD
© 2013 Microsoft. All rights reserved.