How to Configure Access Privileges to Commerce Foundation Services Using Windows PowerShell
This topic provides guidance on how to use Microsoft Windows PowerShell to:
- Control whether or not to enforce authorization on requests sent to the Commerce Foundation.
- Control access to commerce Web services by setting required permissions in authorization stores using Authorization Manager (AzMan).
Important Note:
Always set access privileges to the strict minimum requirement.
Security and Performance Considerations
The authorization process consumes resources, and applying the required amount of security while maintaining maximum system performance is a balancing act. In deployment environments where security is not a concern, you can consider disabling authorization to maximize system performance. However, consider the following before opting to disable authorization:
- Generally speaking, authentication is required in any production environment.
Note
An exception to this statement may apply to the shopper (external) zone of a two-tier deployment, where the commerce client is configured to run in process and where no routing is involved.
- Authorization should be enabled in any deployment where the Commerce Foundation is accessed via an exposed service endpoint, such as in a three-tier deployment topology.
- Authorization should be enabled in any deployment topology where a routing service is configured, including in a two-tier deployment.
Note
In a Solution Storefront deployment, a routing service is preconfigured to handle requests coming from the Silverlight-based Commerce Server Business Administration Ribbon, integrated into the business user zone (the Default zone). By default, authorization is enforced on requests coming from the business user zone.
Important: The procedure provided in this topic uses a Windows PowerShell script that is suitable for use in a two-tier deployment environment only.
In a three-tier commerce deployment, assign the required access privileges to services by manually adding the Windows identity of the Web application to the appropriate authorization store in AzMan. For more information, see Managing Authentication.
Prerequisites
- You are familiar with the access privilege requirements for the service accounts.
Configure Access Privileges for the Web Services Using Windows PowerShell (Two-tier deployment)
The following is a sample Windows PowerShell script that updates the AzMan authorization stores and the ChannelConfiguration.config file to assign the minimum set of access privileges for each Web service.
See Using Windows PowerShell for SharePoint 2010 Commerce Deployment for a list of variables and sample values that may be used in the sample scripts provided in this topic.
In the following example, Commerce Foundation authorization is set to "optional". This means that the Commerce Foundation does not enforce authorization on all incoming requests. When set to "optional", authorization is enforced at the operation sequence level: requests for operations that do not require authorization are served whether or not security information is included in the request.
Important Note:
In a farm deployment, the configuration must be applied locally on each server. You cannot update authorization stores on remote servers.
# $WebAppName, $ExtendedZoneType, $StsAccount and $ManagedAccount are the deployment variables
# listed in Using Windows PowerShell for SharePoint 2010 Commerce Deployment.
$wa = Get-SPWebApplication $WebAppName
if ($ExtendedZoneType -eq "Internet")
{
    $internalSettings = $wa.IisSettings[[Microsoft.SharePoint.Administration.SPUrlZone]::Default]
    $publicSettings   = $wa.IisSettings[[Microsoft.SharePoint.Administration.SPUrlZone]::Internet]
}
else
{
    $internalSettings = $wa.IisSettings[[Microsoft.SharePoint.Administration.SPUrlZone]::Intranet]
    $publicSettings   = $wa.IisSettings[[Microsoft.SharePoint.Administration.SPUrlZone]::Default]
}

# Load the AzMan COM interop assembly used to edit the XML authorization stores.
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.Interop.Security.AzRoles, Version=2.0.0.0, publicKeyToken=31bf3856ad364e35, culture=neutral") | Out-Null

function SetMinimumPrivileges([string] $appPath)
{
    # Set the CommerceEntityAuthorizationStore to minimum access privileges: only the Security Token
    # Service account is added to the "Security Token Service" application group of the Commerce Foundation.
    $azmanStore = New-Object Microsoft.Interop.Security.AzRoles.AzAuthorizationStoreClass
    $storePath = "msxml://" + $appPath + "\CommerceEntityAuthorizationStore.xml"
    $azmanStore.Initialize(0, $storePath, $null)
    $azmanApp = $azmanStore.OpenApplication("CommerceFoundation", $null)
    $stsGroup = $azmanApp.OpenApplicationGroup("Security Token Service", $null)
    $stsGroup.AddMemberName($StsAccount, $null)
    $stsGroup.Submit(0, $null)
    $e = [System.Runtime.InteropServices.Marshal]::ReleaseComObject($stsGroup)
    $e = [System.Runtime.InteropServices.Marshal]::ReleaseComObject($azmanApp)
    $e = [System.Runtime.InteropServices.Marshal]::ReleaseComObject($azmanStore)

    Write-Host "Setting access privileges to the Catalog Web service to strict minimum"
    # The managed account only needs the viewer roles of the catalog and inventory system.
    $azmanStore = New-Object Microsoft.Interop.Security.AzRoles.AzAuthorizationStoreClass
    $storePath = "msxml://" + $appPath + "\CatalogAuthorizationStore.xml"
    $azmanStore.Initialize(0, $storePath, $null)
    $azmanApp = $azmanStore.OpenApplication("CatalogandInventorySystem", $null)
    $role = $azmanApp.OpenRole("CatalogViewer", $null)
    $role.AddMemberName($ManagedAccount, $null)
    $role.Submit(0, $null)
    $e = [System.Runtime.InteropServices.Marshal]::ReleaseComObject($role)
    $role = $azmanApp.OpenRole("InventoryViewer", $null)
    $role.AddMemberName($ManagedAccount, $null)
    $role.Submit(0, $null)
    $e = [System.Runtime.InteropServices.Marshal]::ReleaseComObject($role)
    $e = [System.Runtime.InteropServices.Marshal]::ReleaseComObject($azmanApp)
    $e = [System.Runtime.InteropServices.Marshal]::ReleaseComObject($azmanStore)

    Write-Host "Setting access privileges to the Orders Web service to strict minimum"
    $azmanStore = New-Object Microsoft.Interop.Security.AzRoles.AzAuthorizationStoreClass
    $storePath = "msxml://" + $appPath + "\OrdersAuthorizationStore.xml"
    $azmanStore.Initialize(0, $storePath, $null)
    $azmanApp = $azmanStore.OpenApplication("OrderSystem", $null)
    $role = $azmanApp.OpenRole("OrdersAdministrator", $null)
    $role.AddMemberName($ManagedAccount, $null)
    $role.Submit(0, $null)
    $e = [System.Runtime.InteropServices.Marshal]::ReleaseComObject($role)
    $e = [System.Runtime.InteropServices.Marshal]::ReleaseComObject($azmanApp)
    $e = [System.Runtime.InteropServices.Marshal]::ReleaseComObject($azmanStore)

    Write-Host "Setting access privileges to the Profiles Web service to strict minimum"
    $azmanStore = New-Object Microsoft.Interop.Security.AzRoles.AzAuthorizationStoreClass
    $storePath = "msxml://" + $appPath + "\ProfilesAuthorizationStore.xml"
    $azmanStore.Initialize(0, $storePath, $null)
    $azmanApp = $azmanStore.OpenApplication("ProfileSystem", $null)
    $role = $azmanApp.OpenRole("ProfileAdministrator", $null)
    $role.AddMemberName($ManagedAccount, $null)
    $role.Submit(0, $null)
    $e = [System.Runtime.InteropServices.Marshal]::ReleaseComObject($role)
    $e = [System.Runtime.InteropServices.Marshal]::ReleaseComObject($azmanApp)
    $e = [System.Runtime.InteropServices.Marshal]::ReleaseComObject($azmanStore)

    Write-Host "Set authorization checks as optional inside ChannelConfig"
    # "Optional" leaves enforcement to the operation sequence level instead of every incoming request.
    $channelConfigFile = $appPath + "\ChannelConfiguration.config"
    $xml = [xml](Get-Content $channelConfigFile)
    $root = $xml.get_DocumentElement()
    $root.DefaultChannel.CommerceAuthorization.authorizationDemand = "Optional"
    $xml.Save($channelConfigFile)
}

# Apply the same minimum privileges to the internal (business user) and public (shopper) zones.
SetMinimumPrivileges $internalSettings.Path.FullName
SetMinimumPrivileges $publicSettings.Path.FullName

$farm = Get-SPFarm
if ($farm.Servers.Count -gt 1)
{
    Write-Host "The minimum privileges were set only for the current server and not the other servers on the farm. Modifications to the channel configuration file and the authorization files have to be copied manually."
}
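After running the procedure above it is worth confirming, on each server of the farm, that the stores contain exactly the memberships the script assigns and nothing more, and that ChannelConfiguration.config carries the intended authorizationDemand value. The following audit script is an added example and is not part of the original topic or of the Commerce Server product; it reuses the same AzMan COM interop and the same $StsAccount and $ManagedAccount variables as the script above, reads the stores through the MembersName property of the opened group or role, and only reports, so it can be run safely before the IIS reset. The function and parameter names are the example's own.

```powershell
# Added audit script (not from the original topic). Assumes the AzMan interop assembly is installed
# and that $StsAccount and $ManagedAccount hold the same values used when the stores were configured.
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.Interop.Security.AzRoles, Version=2.0.0.0, publicKeyToken=31bf3856ad364e35, culture=neutral") | Out-Null

function Get-AzManMembers([string] $storeFile, [string] $appName, [string] $itemName, [switch] $AsGroup)
{
    # Returns the member names of one role (or application group, with -AsGroup) in an XML store.
    $store = New-Object Microsoft.Interop.Security.AzRoles.AzAuthorizationStoreClass
    try
    {
        $store.Initialize(0, ("msxml://" + $storeFile), $null)
        $app = $store.OpenApplication($appName, $null)
        try
        {
            if ($AsGroup) { $item = $app.OpenApplicationGroup($itemName, $null) }
            else          { $item = $app.OpenRole($itemName, $null) }
            try     { return @($item.MembersName) }
            finally { [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($item) }
        }
        finally { [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($app) }
    }
    finally { [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($store) }
}

function Test-MinimumPrivileges([string] $appPath)
{
    # Expected memberships mirror what SetMinimumPrivileges assigns for one zone.
    $expected = @(
        @{ Store = "CommerceEntityAuthorizationStore.xml"; App = "CommerceFoundation";        Name = "Security Token Service"; Group = $true;  Account = $StsAccount },
        @{ Store = "CatalogAuthorizationStore.xml";        App = "CatalogandInventorySystem"; Name = "CatalogViewer";          Group = $false; Account = $ManagedAccount },
        @{ Store = "CatalogAuthorizationStore.xml";        App = "CatalogandInventorySystem"; Name = "InventoryViewer";        Group = $false; Account = $ManagedAccount },
        @{ Store = "OrdersAuthorizationStore.xml";         App = "OrderSystem";               Name = "OrdersAdministrator";    Group = $false; Account = $ManagedAccount },
        @{ Store = "ProfilesAuthorizationStore.xml";       App = "ProfileSystem";             Name = "ProfileAdministrator";   Group = $false; Account = $ManagedAccount }
    )
    $ok = $true
    foreach ($e in $expected)
    {
        $members = Get-AzManMembers (Join-Path $appPath $e.Store) $e.App $e.Name -AsGroup:$e.Group
        $present = $members -contains $e.Account
        $extra   = @($members | Where-Object { $_ -ne $e.Account })
        Write-Host ("{0} / {1}: expected account present = {2}" -f $e.App, $e.Name, $present)
        if (-not $present) { $ok = $false }
        # Any member beyond the expected account exceeds the strict minimum the topic requires.
        if ($extra.Count -gt 0)
        {
            Write-Warning ("{0} / {1} has additional members: {2}" -f $e.App, $e.Name, ($extra -join ", "))
            $ok = $false
        }
    }

    # Report the enforcement mode the script wrote to the channel configuration.
    $xml = [xml](Get-Content (Join-Path $appPath "ChannelConfiguration.config"))
    $demand = $xml.DocumentElement.DefaultChannel.CommerceAuthorization.authorizationDemand
    Write-Host ("authorizationDemand in {0}: {1}" -f $appPath, $demand)
    if ($demand -ne "Optional")
    {
        Write-Warning "authorizationDemand is not 'Optional'; the channel configuration differs from what the topic's script sets."
    }
    return $ok
}

# Usage: run against the same zone paths the configuration script used, then reset IIS on success.
# $ok = (Test-MinimumPrivileges $internalSettings.Path.FullName) -and (Test-MinimumPrivileges $publicSettings.Path.FullName)
```

The audit deliberately treats an unexpected extra member as a failure rather than a note: the topic's rule is that privileges stay at the strict minimum, and in a farm where stores are copied by hand, a stale copy that still holds a broader membership is the most likely way that rule is violated.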
Note
In a SharePoint 2010 deployment, perform an IIS reset after making changes to authorization stores in AzMan. The IIS reset forces user claims to refresh.
See Also
Other Resources
- Using Windows PowerShell for SharePoint 2010 Commerce Deployment
- Walkthrough: Deploying SharePoint 2010 Commerce Solution in a Two-Tier Topology
- Walkthrough: Deploying a SharePoint 2010 Commerce Solution in a Three-Tier Topology
- Cannot Use Silverlight Web Tools After Making Updates to Authorization Stores