Access Control for Administrative Roles

When a user opens any of the BizTalk Server tools that require access to the databases or to Windows resources, the interactive user of the tool must have the proper SQL Server and Windows user rights in order to perform the various tasks that the tools support.

One or more of the BizTalk Server tools access the BizTalk Server databases. Therefore, BizTalk must grant the BizTalk Server administrators some level of access in each database. Furthermore, for security reasons, BizTalk Server administrators should not have more user rights than they need to perform their jobs. Using SQL Server roles, BizTalk can fulfill both requirements. Any time BizTalk Server creates a database, whether through installation, the Configuration Wizard, or the BizTalk Administration console, it also creates a SQL role for the BizTalk Server administrators in that database. BizTalk grants this role, and any SQL Server login assigned to this role, the minimum user rights that administrators need on the SQL Server objects (tables, views, stored procedures, and so on) to perform administrative tasks on that database.

Note  Some administrative tasks, such as creating host instances, require BizTalk administrators to have more permissions than those given to them through the SQL roles. For more information about these additional permissions, see Minimum Security User Rights.

BizTalk Server creates a Windows group for the administrators when you run the Configuration Wizard for the first time. By default, BizTalk calls this group BizTalk Server Administrators, although you can choose a different name. This group has a corresponding login in SQL Server, which BizTalk Server adds to the appropriate SQL Server roles. You must add the BizTalk Server Administrators to the Single Sign-On Affiliate Administrators Group. For more information about Enterprise Single Sign-On, see Using Enterprise Single Sign-On.
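One way to check that the administrators group holds only the role memberships described above is the following T-SQL, which is an added example and not part of the BizTalk Server documentation or tooling. The group login name is a placeholder to replace with your own, and the list of fixed roles flagged for review is an assumption of this example. Run it in each BizTalk Server database.

```sql
-- Added example: audit the database roles held by the BizTalk administrators
-- group in the current database. Uses the sysusers/sysmembers system tables,
-- SUSER_SID and IS_SRVROLEMEMBER.
DECLARE @admin_login sysname
-- Placeholder (assumption): the login of your BizTalk administrators Windows group.
SET @admin_login = N'DOMAIN\BizTalk Server Administrators'

-- 1. Database roles the group's user belongs to. The user is matched by SID,
--    so the check still works if the user name differs from the login name.
SELECT  DB_NAME()  AS database_name,
        m.name     AS member_name,
        r.name     AS role_name,
        CASE
            WHEN r.name IN (N'db_owner', N'db_securityadmin',
                            N'db_accessadmin', N'db_ddladmin')
            THEN 'REVIEW: fixed role, broader than a dedicated administrators role'
            ELSE 'ok'
        END        AS finding
FROM    sysmembers sm
JOIN    sysusers   m ON m.uid = sm.memberuid
JOIN    sysusers   r ON r.uid = sm.groupuid
WHERE   m.sid = SUSER_SID(@admin_login)
ORDER BY r.name

-- 2. Server-level membership. 1 = member, 0 = not a member,
--    NULL = the login or role name is not valid.
--    Compare any membership found here with Minimum Security User Rights.
SELECT  @admin_login                                AS login_name,
        IS_SRVROLEMEMBER('sysadmin', @admin_login)  AS is_sysadmin
```

An empty first result set means the group has no role membership in that database, which is itself worth checking against the list of databases BizTalk Server created.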

Caution  BizTalk administrators must ensure they trust the source of any assembly they deploy in the system. If they deploy assemblies containing code they do not trust, they may expose the BizTalk environment to potential attacks. BizTalk Server does not enforce any restrictions on the actions that custom code components can perform when the BizTalk engine invokes them.

See Also

Access Control and Data Security

Windows Group and User Accounts in BizTalk Server

To download updated BizTalk Server 2004 Help from, go to

Copyright © 2004 Microsoft Corporation.
All rights reserved.