Securing the Product Catalog Database

It is strongly recommended that you use Windows Authentication for access to your databases. When you configure your database connection strings for Windows Authentication, you must assign Business Desk users and run-time users (who use an anonymous domain account) the appropriate level of access to your databases.

This topic explains the permissions that the Business Desk user and run-time users require to access the Catalog database.

Business Desk Users

To enable Business Desk users to edit catalogs (for example, edit the catalog definition, rebuild the catalog, refresh the full-text index and publish the catalog), you must assign them to the db_owner role.

Carefully consider the trustworthiness of the Business Desk user that you assign to the db_owner role. When assigning a Business Desk user to this role, you must consider the following security risk:

Important

• A Business Desk user assigned to the db_owner role could potentially delete a database. To mitigate this risk, you must create a firewall to prevent direct connection from the Business Desk client to the SQL Server database that contains the catalogs. This is the recommended secure configuration. For detailed instructions, see Deploying a Secure Site.

If you are using BizTalk Server to exchange catalogs with trading partners, the CatalogToVendorAssociation.GetVendorList() API requires access to the BizTalk Messaging Management database (InterchangeBTM). On the InterchangeBTM database, you must grant Execute permission on btsint_organizations_selectvalidvendors stored procedure. Without this permission, the CatalogToVendorAssociation.GetVendorList() API will fail.

Run-Time Users

When using Windows authentication, you must assign run time users who visit your Web site the appropriate level of access to your catalogs. A script will be made available in Commerce Server Service Pack 2 that will configure the appropriate access.

Notes

• Members of the ctlg_CatalogReaderRole must have db_reader permissions on the Administration database. This is required so they can retrieve the connection string to the Product Catalog database and view your catalogs.
• If you are using join keys to link to external tables, you must grant members of the ctlg_CatalogReaderRole Select permissions on those tables as well.

For enhanced security, remove the runtime catalog users in the MSCS_CatalogScratch database from the db_owner role, and add them to the db_ddladmin role. Add any new runtime users to the db_ddladmin role; do not add new users to the db_owner.

The following procedures assume you have already created a SQL login account for the runtime users.

To add runtime users to the db_ddladmin role

1. Click Start, point to Programs, point to Microsoft SQL Server, and then click Enterprise Manager.
2. In SQL Server Enterprise Manager, expand Security, and then click Logins.
3. Right-click the SQL login account for the runtime users, and then click Properties.
4. In the SQL Server Login Properties dialog box, click the Database Access tab.
5. In the top box, select the MSCS_CatalogScratch database, and then in the bottom box, uncheck the db_owner check box, and specify the db_ddladmin role.
6. Click OK to save your changes.

Global Catalog Tables

The CatalogSecurityRoles.sql script grants Select access to the ctlg_CatalogReaderRole for the following Product Catalog tables:

CatalogAttributes

CatalogDefinitions

CatalogDefinitionProperties

CatalogenumValues

CatalogGlobal

CatalogLanguage

CatalogLanguageMap

CatalogSchemaVersion

CatalogSet_Catalogs

CatalogSet_Info

CatalogStatus

CatalogToVendorAssociation

CatalogUsedDefinitions

Base Catalog Tables

The following tables list the base catalog tables for each base catalog.

For each base catalog

<Catalog Name>_CatalogDeletedProducts

<Catalog Name>_CatalogDependentCatalogs

<Catalog Name>_CatalogHierarchy

<Catalog Name>_CatalogProducts

<Catalog Name>_CatalogRelationships

For each language in the catalog

<Catalog Name>_<LANGUAGE>_Catalog

Virtual Catalog Tables

The following tables list the virtual catalog tables for each base catalog.

For each virtual catalog

<VirtualCatalog Name>_CatalogDeletedProducts

<VirtualCatalog Name>_CatalogHierarchy

<VirtualCatalog Name>_CatalogIncludedProductsAndCategories

<VirtualCatalog Name>_CatalogPricingRules

<VirtualCatalog Name>_CatalogProducts

<VirtualCatalog Name>_CatalogRelationships

<VirtualCatalog Name>_CatalogVirtualProducts

For each language in the catalog

<VirtualCatalog Name>_<LANGUAGE>_Catalog

Catalog Views

For the global catalog

CatalogGlobal_LNG_NEUTRAL

For each language in the Product Catalog System

<CatalogGlobal_<LANGUAGE>

For each catalog

<Catalog Name>_ClassTypes

<Catalog Name>_LNG_NEUTRAL

For each catalog

<Catalog Name>_<LANGUAGE>_RelationsView

<Catalog Name>_<LANGUAGE>

Catalog Stored Procedures

The CatalogSecurityRoles.sql script grants the appropriate access to the following stored procedures. Also listed is the access that the design-time user account should have.

Note

There is a hotfix tool available for you so that you can apply updates to stored procedures for resources and sites that you specify. You use the hotfix update tool to do the following:

• Display information about available hotfixes. You can list all the available hotfixes, or only the hotfixes for a specific Commerce Server resource, or you can display information for a specific hotfix for a given the number. The tool lists only those hotfixes that need stored procedure updates. The description includes the following information:
  • The resource to which the hotfix applies.
  • The hotfix number.
  • The stored procedures updated by the hotfix.
  • A brief description of the hotfix.
• Apply all the hot fixes for a specified resource or apply a hotfix by specifying the hotfix number. You can apply the hotfix to a specific site by specifying the site name, or you can apply the hotfix to the appropriate database by specifying the connection string.

Each time you run the hotfix tool, it appends new entries to the end of the log files and StoredProcedureBackupText file. The new entries are separated by a date and time stamp.

After you install a hotfix, always check the contents of the log files.

ctlg_AddAttributeToCatalog

ctlg_AddCatalogDefinitionProperty

ctlg_AddCatalogLanguage

ctlg_AddCatalogLanguageMap

ctlg_AddChildCategoryToCategory

ctlg_AddColumnsToCatalog

ctlg_AddColumnsToRelationships

ctlg_AddDefaultToProperty

ctlg_AddDisplayNameToCatalog

ctlg_AddDisplayNameToProperty

ctlg_AddFullTextCatalogForLanguage

ctlg_AddParentCategoryToCategory

ctlg_AddPricingCategory

ctlg_AddProductToCategory

ctlg_AddPropertyAttribute

ctlg_AddPropertyForCSVImport

ctlg_AddPropertyToDefinition

ctlg_AddPropertyValue

ctlg_AddRelationshipToCategory

ctlg_AddRelationshipToProduct

ctlg_AlterClassTypesToProduct

ctlg_AlterClassTypesToProductFamily

ctlg_AlterColumnInTable

ctlg_AlterFullTextColumns

ctlg_AlterPropertyInFullTextCatalogs

ctlg_AlterPropertyLength

ctlg_CheckCatalog

ctlg_CompleteCatalogImport

ctlg_CreateCatalogClassTypesView

ctlg_CreateCatalogLanguageView

ctlg_CreateCatalogLanguageViews

ctlg_CreateCatalogProcedures

ctlg_CreateCatalogSystem_LanguageView

ctlg_CreateCatalogSystem_LanguageViews

ctlg_CreateCategory

ctlg_CreateCategoryDefinition

ctlg_CreateFullTextCatalog

ctlg_CreateProduct

ctlg_CreateProductDefinition

ctlg_CreateProductVariant

ctlg_CreateProperty

ctlg_CreateTriggers

ctlg_DeleteCatalog

ctlg_DeleteCatalogDefinition

ctlg_DeleteImportProduct

ctlg_DeleteProductsFromDeletedTable

ctlg_DeleteProperty

ctlg_DeleteVariant

ctlg_DropCatalogLanguageView

ctlg_DropCatalogObjectFromDatabase

ctlg_DropCatalogProcedures

ctlg_DropCatalogProceduresAndViews

ctlg_DropFullTextCatalog

ctlg_DropViewOnCatalogGlobal

ctlg_EnsurePropTableMapExists

ctlg_GetBaseCatalogName

ctlg_GetCatalogDefinitionProperties

ctlg_GetCatalogGlobalProperties

ctlg_GetCatalogLanguages

ctlg_GetCatalogLanguagesForExport

ctlg_GetCatalogProperties

ctlg_GetCatalogPropertiesForExport

ctlg_GetCatalogPropertiesForUpdate

ctlg_GetCatalogRelationships

ctlg_GetCatalogType

ctlg_GetCatalogs

ctlg_GetCatalogsInCatalogSet

ctlg_GetCategoryOID

ctlg_GetCategoryProperties

ctlg_GetDefinedCatalogAttributes

ctlg_GetDefinedPropertyAttributes

ctlg_GetDefinitionProperties

ctlg_GetDefinitions

ctlg_GetDefnPropertiesForCatalogImport

ctlg_GetDefnPropertiesForCSVImport

ctlg_GetDeletedProducts

ctlg_GetDistinctPropertiesIncatalog

ctlg_GetFTSColumnLCID

ctlg_GetFTSQuery

ctlg_gethierarchy

ctlg_gethierarchy2

ctlg_GetHierarchy_For_VC

ctlg_GetJoinType

ctlg_GetParentCategories

ctlg_GetPricingCategory

ctlg_GetPricingCategoryOIDs

ctlg_GetPrimaryParentCategory

ctlg_GetProductCategory_UniqueID

ctlg_GetProductOID

ctlg_GetProductOIDAndType

ctlg_GetProductProperties

ctlg_GetProductsForExport

ctlg_GetProductVariantProperties

ctlg_GetProperties

ctlg_GetPropertiesForCatalog

ctlg_GetPropertiesInCatalog

ctlg_GetPropertiesInDefinitions

ctlg_GetPropertiesUsedInCatalogs

ctlg_GetPropertyAttributes

ctlg_GetPropertyAttributesForDefinition

ctlg_GetPropertyValues

ctlg_GetRelationships_For_VC

ctlg_GetResults

ctlg_GetSearchableCategories

ctlg_GetSmallestFulltextcatalog

ctlg_GetSourceCatalogsForExport

ctlg_GetSpecsearchableProps

ctlg_GetSQLQuery

ctlg_GetValidLanguage

ctlg_ImportRelationship

ctlg_InsertCatalogGlobal

ctlg_InsertCatalogsBeingExportedOrImported

ctlg_InsertCatalogStatus

ctlg_InsertCSVCatalog

ctlg_InsertDefinition

ctlg_InsertDefinitionProperties

ctlg_InsertEnumValues

ctlg_InsertHierarchy

ctlg_InsertHierarchy2

ctlg_InsertUsedDefinition

ctlg_IsCatalogPropertyRemovable

ctlg_IsCatalogValidForFTSearch

ctlg_IsCategorySpecSearchable

ctlg_IsDefinitionPresent

ctlg_IsDefinitionPropPresent

ctlg_IsDefinitionUsedInCatalog

ctlg_IsEnumPresent

ctlg_IsProductvalid

ctlg_IsPropertyPresentInDefinition

ctlg_JoinQueryWithTable

ctlg_PersistTT_EnsureExists

ctlg_PersistTT_GetName

ctlg_PersistTT_Purge

ctlg_PersistTT_PurgeTablesUsingProperty

ctlg_PurgeCatalog

ctlg_RecordCatalogExport

ctlg_RemoveAllCatalogLanguages

ctlg_RemoveCatalogAttribute

ctlg_RemoveCatalogLanguage

ctlg_RemoveChildCategoryForCategory

ctlg_RemoveColumnsFromRelationships

ctlg_RemoveDefinitionFromCatalog

ctlg_RemoveFullTextCatalogForLanguage

ctlg_RemoveParentCategoryForCategory

ctlg_RemoveProductFromCategory

ctlg_RemovePropertyAttribute

ctlg_RemovePropertyFromDefinition

ctlg_RemovePropertyValue

ctlg_RemoveRelationship

ctlg_RenameCatalogDefinition

ctlg_RenameCatalogProperty

ctlg_SetPricingCategory

ctlg_SetPrimaryParentCategory

ctlg_TableExistsInFullTextCatalog

ctlg_UpdateCategoryDisplayNames

ctlg_UpdateCategoryRelationships

ctlg_UpdateParentOids

ctlg_UpdateProductRelationships

ctlg_ValidateCatalogForCSVImport

ctlg_ValidateJoinTableInfo

ctlg_VC_AddHierarchy

ctlg_VC_AddPriceRule

ctlg_VC_AddVCRule

ctlg_VC_ApplyCatalogLevelPriceRule

ctlg_VC_ApplyPriceRule

ctlg_VC_ApplyPriceRuleToDescendents

ctlg_VC_BC_GetDependentCatalogs

ctlg_VC_DoesPriceRuleExist

ctlg_VC_DoesProdOrCategExist

ctlg_VC_DoesVCRuleExist

ctlg_VC_EvaluateVCRule

ctlg_VC_ExcludeCatalog

ctlg_VC_ExcludeCategory

ctlg_VC_ExcludeCategoryDescendents

ctlg_VC_ExcludeProduct

ctlg_VC_ExcludeVariant

ctlg_VC_FTS_GetResults

ctlg_VC_GetPriceRules

sp_VC_GetProductOrVariantOrCategoryOID

ctlg_VC_GetRelationshipDescColumns

ctlg_VC_GetSourceCatalogs

ctlg_VC_GetUserDefinedBCProperties

ctlg_VC_GetUserDefinedVCProperties

ctlg_VC_GetVCRules

ctlg_VC_ImportPriceRule

ctlg_VC_ImportRelationship

ctlg_VC_ImportRule

ctlg_VC_IncludeCatalog

ctlg_VC_IncludeCategory

ctlg_VC_IncludeCategoryDescendents

ctlg_VC_IncludeExcludeCatalog

ctlg_VC_IncludeProduct

ctlg_VC_IncludeVariant

ctlg_VC_IsVirtualCatalog

ctlg_VC_MaterializeVCViews

ctlg_VC_PropagateBCChanges

ctlg_VC_PropagateBCChanges_DeleteCatalog

ctlg_VC_PropagateBCChanges_Hierarchy

ctlg_VC_PropagateBCChanges_PrimaryParentCategory

ctlg_VC_PropagateBCChanges_ProductCategory

ctlg_VC_PropagateBCChanges_Relationship

ctlg_VC_PropagateBCChanges_Variant

ctlg_VC_PropagateDependentCatalogChanges

ctlg_VC_PropagateVCChanges_DeleteCatalog

ctlg_VC_RebuildVirtualCatalog

ctlg_VC_ReEvaluateAllPricingRules

ctlg_VC_ReEvaluateAllVCInclusionOrExclusionRules

ctlg_VC_ReEvaluateAllVCRules

ctlg_VC_RemovePriceRule

ctlg_VC_RemoveVCRule

ctlg_VC_Reset_Evaluated_Tables

ctlg_VC_ResetUserDefinedLinks

ctlg_VC_SetVCDirtyFlag

ctlg_VC_SetVCRebuildStatus

ctlg_VC_SetVCStatus

ctlg_VC_SplitVCIdentifierName

ctlg_VC_UpdateDependentVCs_DeletedProductsTables

ctlg_VC_UpdateVCs_Dependent_On_DefinitionName

ctlg_VC_UpdateVCs_Dependent_On_PropertyName

Catalog-Specific Stored Procedures

Stored procedures for each catalog

ctlg_DeleteCategory_for_<Catalog Name>

ctlg_DeleteProduct_for_<Catalog Name>

ctlg_GetRelationships_for_<Catalog Name>

ctlg_GetResults_for_AllColumns_<Catalog Name>

Stored procedures per catalog language

ctlg_AncestorCategories_for_<Catalog Name>_<LANGUAGE>

ctlg_GetCategoryResults_For_<Catalog Name>_<LANGUAGE>

ctlg_GetChildCategories_for_<Catalog Name>_<LANGUAGE>

ctlg_GetDescProds_for_<Catalog Name>_<LANGUAGE>

ctlg_GetDescProdsOnly_for_<Catalog Name>_<LANGUAGE>

ctlg_GetProductsFor_<Catalog Name>_<LANGUAGE>

ctlg_GetRootCategories_for_<Catalog Name>_<LANGUAGE>

ctlg_GetRootProducts_for_<Catalog Name>_<LANGUAGE>

ctlg_Specsearch_for_<Catalog Name>_<LANGUAGE>

Functions

fn_AddTablePrefixToColumnList

fn_CS_AppendClause

fn_IsSingleLanguageCatalog

fn_VC_GetMungedIdentifier

GetSQLDataType

Copyright © 2005 Microsoft Corporation.
All rights reserved.