Securing a Predictor Deployment

You perform the following steps to secure a Predictor deployment that uses Windows Authentication:

  1. Secure the Predictor Service account.
  2. Grant permissions to run the Model Builder DTS task.
  3. Configure the Predictor resource connection strings using Windows Authentication.
  4. Run the SegmentViewer script to secure Predictor tables.
  5. Secure the Predictor model deployed to the Web server.
  6. Grant permissions to use the Segment Viewer and Affinity Lists modules.

Securing the Predictor Service Account

The account assigned to the Predictor service must have the Log on as service right. Commerce Server grants the account this right during setup.

The account assigned to the Predictor service must be assigned to the following roles:

  • Administration database. Assign to the db_datareader role.
  • Data Warehouse SQL Server database. Assign to the db_datareader, db_datawriter, and db_ddladmin roles.
  • List Manager tables. Assign Select, Update, Insert, and Delete permissions.
  • Campaigns database. Assign to the db_ddladmin, db_datawriter, and db_datareader roles.
  • Config COM+ Application. Assign to the Administrators role.

To grant the Predictor service account access to the appropriate databases

  1. In SQL Enterprise Manager, expand Security, right-click Logins, and then click New Login.
  2. Create a new login for the Predictor service using Windows Authentication, and then click OK.
  3. In the display pane, right-click the new login, and then click Properties.
  4. In the SQL Server Login Properties dialog box, on the Database Access tab, specify the Administration database, and then select the db_datareader role.
  5. Specify the Data Warehouse SQL Server database, and then assign the following roles: db_datareader, db_datawriter, and db_ddladmin.
  6. Click OK.

For more detailed information, see SQL Server Books Online.
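
The same grants can be scripted and then checked. The T-SQL below is an added example, not part of the original documentation; DOMAIN\CSPred, AdminDB, and DataWarehouseDB are placeholders for your Predictor service account, Administration database, and Data Warehouse database.

```sql
-- Added example (not from the original page). Placeholders to replace:
--   DOMAIN\CSPred    Predictor service account (CSPred is the page's example name)
--   AdminDB          the Administration database
--   DataWarehouseDB  the Data Warehouse SQL Server database
-- Uses SQL Server 2000-era system procedures and the sysusers/sysmembers tables.

USE master
EXEC sp_grantlogin N'DOMAIN\CSPred'          -- Windows Authentication login
GO

USE AdminDB
EXEC sp_grantdbaccess N'DOMAIN\CSPred'
EXEC sp_addrolemember N'db_datareader', N'DOMAIN\CSPred'
GO

USE DataWarehouseDB
EXEC sp_grantdbaccess N'DOMAIN\CSPred'
EXEC sp_addrolemember N'db_datareader', N'DOMAIN\CSPred'
EXEC sp_addrolemember N'db_datawriter', N'DOMAIN\CSPred'
EXEC sp_addrolemember N'db_ddladmin',   N'DOMAIN\CSPred'
GO

-- Check 1: each role the page requires on the Data Warehouse, with its status.
SELECT e.role_name,
       CASE WHEN EXISTS (SELECT 1
                         FROM sysmembers m
                         JOIN sysusers r ON r.uid = m.groupuid
                         WHERE r.name = e.role_name
                           AND m.memberuid = USER_ID(N'DOMAIN\CSPred'))
            THEN 'ok' ELSE 'MISSING' END AS status
FROM (SELECT N'db_datareader' AS role_name
      UNION ALL SELECT N'db_datawriter'
      UNION ALL SELECT N'db_ddladmin') AS e

-- Check 2: roles held beyond the required set (for example db_owner).
-- Any row returned here is more privilege than the page asks for.
SELECT r.name AS unexpected_role
FROM sysmembers m
JOIN sysusers r ON r.uid = m.groupuid
WHERE m.memberuid = USER_ID(N'DOMAIN\CSPred')
  AND r.name NOT IN (N'db_datareader', N'db_datawriter', N'db_ddladmin')
GO
```

Run the two checks again after any later change to the service account; an empty result from the second query means the account holds no roles beyond those listed.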

To assign the Predictor service account to the Administrators role

  1. Click Start, point to Programs, point to Administrative Tools, and then click Component Services.
  2. Expand Component Services, expand Computers, expand My Computer, expand COM+ Applications, expand Commerce Server Config, expand Roles, and then expand Administrators.
  3. Right-click Users, select New, and then select User.
  4. In the Select Users or Groups dialog box, in the Look in box, select the Predictor service account, for example, CSPred.
  5. Click OK.

Granting Permissions to Run the Model Builder DTS Task

Before you can run the Model Builder DTS task, you must first add your account to the security context of the Predictor service component, that is, to a list of user accounts that are allowed to call the Predictor service.

If you are setting up the Model Builder task to run on a scheduled basis, then you must also add the account for SQL Agent to the list of user accounts that are allowed to call the Predictor service.

To add your account to the Predictor security context

  1. Click Start, click Run, type Dcomcnfg, and then press ENTER.
  2. On the Applications tab, select Microsoft Commerce Server Predictor Service, and then click Properties.
  3. On the Security tab, select Use custom access permissions, and then click Edit.
  4. In the Registry Value Permissions dialog box, click Add.
  5. Add the user account you want to run the Model Builder task, and in the Type of Access box, select Allow Access.
  6. The Administrators group must have the Log on as a service right.
  7. Click OK to save your changes, click OK to exit the Properties dialog box, and then click OK to exit Dcomcnfg.
  8. Restart the Predictor service.

Configuring the Predictor Resource Connection Strings

If you are building models on a database other than the Data Warehouse database, you need to configure a connection string for the Predictor resource to the external database.

It is recommended that you always configure the Predictor resource connection string to an external database for Windows Authentication.

When you configure the Predictor resource to use Windows Authentication, the account used by the Predictor resource must be a member of the following roles on the external database:

  • db_datareader
  • db_datawriter
  • db_ddladmin

If the Predictor service is on one computer, and the external database is on another computer, then the Predictor service account must be a domain user account.

To configure the Predictor resource connection string for Windows Authentication

  1. Expand Commerce Server Manager, expand Global Resources, right-click Predictor on <server name>, and then click Properties.
  2. In the Predictor on <server name> Properties dialog box, on the Connection Strings tab, select External database, and then click Modify.
  3. In the Data Link Properties dialog box, do the following:
    | Use this | To do this |
    |---|---|
    | Select or enter a server name | Select the name of the server that contains the Data Warehouse database you want to access, or the external database. |
    | Use Windows NT Integrated security | Click to use Windows Authentication for the external database (not the Data Warehouse database). |
    | Select the database on the server | Type the database name that you want to access. |
  4. Click OK.

Running the SegmentViewer Script to Secure Predictor Tables

In this step, you run the SegmentViewer script against the Data Warehouse SQL Server database. This script creates the SegmentViewer role on the Data Warehouse, and grants the role the appropriate permissions to work with the Segment Viewer module in Business Desk.

The Predictor tables reside in the Data Warehouse database. The following table lists the Predictor tables, and the permissions required by system administrators and business managers.

| Table | Permissions for system administrators | Permissions for business managers |
|---|---|---|
| PredictorDataTables | Full access | Select, Update |
| PredictorModelCfgs | Full access | Select, Update |
| PredictorModels | Full access | Select, Update |
| *PredictorAttribute_<model_config> | Full access | Select |

*There is one PredictorAttribute_<model_config> table per model configuration. It is created the first time a model is built.

System administrators require full access to these tables when they run the Model Builder DTS task. Business Desk users require Select permissions so they can manipulate the segments using the Segment Viewer module in Business Desk.

Note

  • It is recommended that you use different accounts for running the Predictor service and the Model Builder DTS tasks. If both accounts are assigned to the Administrators group, the Model Builder task will fail with a permission denied error.

    To solve this issue, change the Predictor service account to use the local system account, and then restart the Predictor service. For more information, see Predictor Service Account.

For information about creating Windows groups, assigning Windows accounts to the groups, and then assigning the Windows groups to the SQL Server roles for these tables, see Assigning SQL Server Database Roles.

To run the SegmentViewer script

  1. Click Start, point to Programs, point to Microsoft SQL Server, and then click SQL Query Analyzer.

  2. In the Connect to SQL Server dialog box, specify the appropriate SQL server.

  3. In Query Analyzer, in the database drop-down box, select the Data Warehouse SQL Server database.

  4. Click File, and then click Open.

  5. Navigate to the scripts located in the Program Files\Microsoft Commerce Server\Support folder, and then select SegmentViewer.

    The script opens and the code appears in the Query Analyzer window.

  6. On the toolbar, click Run to run the script against the Data Warehouse.

    The SegmentViewer role is created.

  7. After you create the role, assign the appropriate Business Desk group account to the role. For instructions, see Assigning SQL Server Database Roles.
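
After the script has run, the role's grants can be compared with the business manager column of the table above. The query below is an added example, not the SegmentViewer script and not part of the original documentation; DataWarehouseDB is a placeholder, and it assumes the role's grants should match that column exactly.

```sql
-- Added example (not from the original page, and not the SegmentViewer script).
-- Placeholder: DataWarehouseDB. Role name SegmentViewer is taken from the page.
-- sysprotects codes (SQL Server 2000): action 193 = SELECT, 197 = UPDATE;
-- protecttype 204 = GRANT WITH GRANT OPTION, 205 = GRANT.
USE DataWarehouseDB
GO

-- Check 1: permissions the table lists for business managers, with status.
SELECT e.table_name, e.permission,
       CASE WHEN EXISTS (SELECT 1
                         FROM sysprotects p
                         WHERE p.id = OBJECT_ID(e.table_name)
                           AND p.uid = USER_ID(N'SegmentViewer')
                           AND p.action = e.action
                           AND p.protecttype IN (204, 205))
            THEN 'granted' ELSE 'MISSING' END AS status
FROM (SELECT N'PredictorDataTables' AS table_name, 193 AS action, 'Select' AS permission
      UNION ALL SELECT N'PredictorDataTables', 197, 'Update'
      UNION ALL SELECT N'PredictorModelCfgs',  193, 'Select'
      UNION ALL SELECT N'PredictorModelCfgs',  197, 'Update'
      UNION ALL SELECT N'PredictorModels',     193, 'Select'
      UNION ALL SELECT N'PredictorModels',     197, 'Update'
      -- One PredictorAttribute_<model_config> table exists per model configuration.
      UNION ALL SELECT o.name, 193, 'Select'
                FROM sysobjects o
                WHERE o.xtype = 'U'
                  AND o.name LIKE N'PredictorAttribute[_]%') AS e
ORDER BY e.table_name, e.permission

-- Check 2: grants to the role that go beyond the table: any action other than
-- SELECT/UPDATE, or UPDATE on a PredictorAttribute_* table. Review each row.
SELECT OBJECT_NAME(p.id) AS object_name, p.action
FROM sysprotects p
WHERE p.uid = USER_ID(N'SegmentViewer')
  AND p.protecttype IN (204, 205)
  AND (p.action NOT IN (193, 197)
       OR (p.action = 197
           AND OBJECT_NAME(p.id) LIKE N'PredictorAttribute[_]%'))
GO
```

Because a PredictorAttribute_<model_config> table is created the first time a model is built, rerun the check after building a new model configuration.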

Securing the Predictor Model Deployed to the Web Server

The steps you perform to secure a Predictor deployment depend on whether the Predictor model resides on the Web server in a file or in a database.

  • Database. If you copy the Predictor tables from the Data Warehouse to a database on the Web server, you must grant Select permissions to the anonymous accounts. In IIS, the anonymous user account is IUSR_<computer_name>, and the machine account is IWAM_<computer_name>.

    If your site is based on ASP.NET, you must grant these Select permissions to the anonymous account used by ASP.NET sites: the ASPNET account.

  • File. If you copy the Predictor model to the Web server as a file, then you must secure the file by using access control lists (ACLs). Grant read access to Everyone. For instructions, see Windows 2000 Help.

For instructions about deploying Predictor models to a database or file on the Web server, see Deploying Predictor.

Granting Permissions to Use the Segment Viewer and Affinity Lists Modules

You use the Business Desk Permissions module to grant Business Desk users access to the Segment Viewer and Affinity Lists modules. You can specify which Business Desk users can open the modules, and who can perform specific tasks using the modules. For example, you can specify the following:

  • Segment Viewer module: Open, save segment labels, create a report, export user lists to the List Manager module
  • Affinity Lists module: Open, export affinity lists to the List Manager module

For detailed instructions about using the Permissions module to grant access to the Segment Viewer and Affinity Lists modules, see Setting Business Desk Permissions for Windows Accounts.

Copyright © 2005 Microsoft Corporation.
All rights reserved.