

How to Configure Access Privileges to Commerce Foundation Services Using Windows PowerShell

This topic provides guidance on how to use Microsoft Windows PowerShell to

  • Control whether or not to enforce authorization on requests sent to the Commerce Foundation.

  • Control access to commerce Web services by setting required permissions in authorization stores using Authorization Manager (Azman).

Important Note:

Always set access privileges to the strict minimum requirement.

Security and Performance Considerations

The authorization process consumes resources, and applying the required amount of security while maintaining maximum system performance is a balancing act. In deployment environments where security is not a concern, you can consider disabling authorization to maximize system performance. However, consider the following before opting to disable authorization:

  • Generally speaking, authentication is required in any production environment.

Note

An exception to this statement may apply to the shopper (external) zone of a two-tier deployment, where the commerce client is configured to run in process and where no routing is involved.

  • Authorization should be enabled in any deployment where the Commerce Foundation is accessed via an exposed service endpoint, such as in a three-tier deployment topology.

  • Authorization should be enabled in any deployment topology where a routing service is configured, including in a two-tier deployment.

Note

In a Solution Storefront deployment, a routing service is preconfigured to handle requests coming from the Silverlight-based Commerce Server Business Administration Ribbon, integrated into the business user zone (the Default zone). By default, authorization is enforced on requests coming from the business user zone.

Important: The procedure provided in this topic uses a Windows PowerShell script which is suitable for use in a two-tier deployment environment only.

In a three-tier commerce deployment, assign the required access privileges to services by manually adding the Windows identity of the Web application to the appropriate authorization store in AzMan. For more information, see Managing Authentication.

Prerequisites

  • You are familiar with the access privilege requirements for the service accounts.

Configure Access Privileges for the Web Services Using Windows PowerShell (Two-tier deployment)

The following is a sample Windows PowerShell script that updates the ChannelConfiguration.config file to assign the minimum set of access privileges for each Web service.

See Using Windows PowerShell for SharePoint 2010 Commerce Deployment for a list of variables and sample values that may be used in the sample scripts provided in this topic.

In the following example, Commerce Foundation authorization is set to "optional". This means that the Commerce Foundation does not enforce authorization on all incoming requests. When set to "optional", authorization is enforced at the operation sequence level: requests for operations that do not require authorization are served whether or not security information is included in the request.

Important Note:

In a farm deployment, the configuration must be applied locally on each server. You cannot update authorization stores on remote servers.

# $WebAppName, $ExtendedZoneType, $StsAccount and $ManagedAccount are the deployment variables
# described in Using Windows PowerShell for SharePoint 2010 Commerce Deployment.
$wa = Get-SPWebApplication $WebAppName

if($ExtendedZoneType -eq "Internet")
{
    $internalSettings = $wa.IisSettings[ [Microsoft.SharePoint.Administration.SPUrlZone]::Default ]
    $publicSettings = $wa.IisSettings[ [Microsoft.SharePoint.Administration.SPUrlZone]::Internet ]
}
else
{
    $internalSettings = $wa.IisSettings[ [Microsoft.SharePoint.Administration.SPUrlZone]::Intranet ]
    $publicSettings = $wa.IisSettings[ [Microsoft.SharePoint.Administration.SPUrlZone]::Default ]
}

# Load the AzMan (Authorization Manager) COM interop assembly used to edit the authorization stores.
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.Interop.Security.AzRoles, Version=2.0.0.0, publicKeyToken=31bf3856ad364e35, culture=neutral") | Out-Null

function SetMinimumPrivileges( [string] $appPath )
{

    # Setting up the CommerceEntityAuthorizationStore to minimum access privileges.  This authorization store is used to 
    $azmanStore = New-Object Microsoft.Interop.Security.AzRoles.AzAuthorizationStoreClass
    $storePath = "msxml://" + $appPath + "\CommerceEntityAuthorizationStore.xml"
    $azmanStore.Initialize(0, $storePath , $null)
    $azmanApp = $azmanStore.OpenApplication("CommerceFoundation",$null)
    $stsGroup = $azmanApp.OpenApplicationGroup("Security Token Service",$null)
    $stsGroup.AddMemberName($StsAccount,$null)
    $stsGroup.Submit(0,$null)

    $e = [System.Runtime.InteropServices.Marshal]::ReleaseComObject($stsGroup)
    $e = [System.Runtime.InteropServices.Marshal]::ReleaseComObject($azmanApp)
    $e = [System.Runtime.InteropServices.Marshal]::ReleaseComObject($azmanStore)

    Write-Host "Setting access privileges to the Catalog Web service to strict minimum"
    $azmanStore = New-Object  Microsoft.Interop.Security.AzRoles.AzAuthorizationStoreClass
    $storePath = "msxml://" + $appPath + "\CatalogAuthorizationStore.xml"
    $azmanStore.Initialize(0, $storePath , $null)
    $azmanApp = $azmanStore.OpenApplication("CatalogandInventorySystem",$null)
    $role = $azmanApp.OpenRole("CatalogViewer",$null)
    $role.AddMemberName($ManagedAccount,$null)
    $role.Submit(0,$null)
    $e = [System.Runtime.InteropServices.Marshal]::ReleaseComObject($role)

    $role = $azmanApp.OpenRole("InventoryViewer",$null)
    $role.AddMemberName($ManagedAccount,$null)
    $role.Submit(0,$null)
    $e = [System.Runtime.InteropServices.Marshal]::ReleaseComObject($role)
    $e = [System.Runtime.InteropServices.Marshal]::ReleaseComObject($azmanApp)
    $e = [System.Runtime.InteropServices.Marshal]::ReleaseComObject($azmanStore)

    Write-Host "Setting access privileges to the Orders Web service to strict minimum"
    $azmanStore = New-Object  Microsoft.Interop.Security.AzRoles.AzAuthorizationStoreClass
    $storePath = "msxml://" + $appPath + "\OrdersAuthorizationStore.xml"
    $azmanStore.Initialize(0, $storePath , $null)
    $azmanApp = $azmanStore.OpenApplication("OrderSystem",$null)
    $role = $azmanApp.OpenRole("OrdersAdministrator",$null)
    $role.AddMemberName($ManagedAccount,$null)
    $role.Submit(0,$null)
    $e = [System.Runtime.InteropServices.Marshal]::ReleaseComObject($role)
    $e = [System.Runtime.InteropServices.Marshal]::ReleaseComObject($azmanApp)
    $e = [System.Runtime.InteropServices.Marshal]::ReleaseComObject($azmanStore)

    Write-Host "Setting access privileges to the Profiles Web service to strict minimum"
    $azmanStore = New-Object  Microsoft.Interop.Security.AzRoles.AzAuthorizationStoreClass
    $storePath = "msxml://" + $appPath + "\ProfilesAuthorizationStore.xml"
    $azmanStore.Initialize(0, $storePath , $null)
    $azmanApp = $azmanStore.OpenApplication("ProfileSystem",$null)
    $role = $azmanApp.OpenRole("ProfileAdministrator",$null)
    $role.AddMemberName($ManagedAccount,$null)
    $role.Submit(0,$null)
    $e = [System.Runtime.InteropServices.Marshal]::ReleaseComObject($role)
    $e = [System.Runtime.InteropServices.Marshal]::ReleaseComObject($azmanApp)
    $e = [System.Runtime.InteropServices.Marshal]::ReleaseComObject($azmanStore)

    Write-Host "Set authorization checks as optional inside ChannelConfig"
    $channelConfigFile= $appPath + "\ChannelConfiguration.config"
    $xml = [xml](Get-Content $channelConfigFile)
    $root = $xml.get_DocumentElement()
    $root.DefaultChannel.CommerceAuthorization.authorizationDemand="Optional"
    $xml.Save($channelConfigFile)
}

SetMinimumPrivileges $internalSettings.Path.FullName
SetMinimumPrivileges $publicSettings.Path.FullName


$farm = Get-SPFarm
if($farm.Servers.Count -gt 1)
{
    Write-Host "The minimum privileges were set only for the current server and not the other servers on the farm. Modifications to the channel configuration file and the authorization files have to be copied manually."
}
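After running the script, it is worth reading the stores back to confirm that each role or group contains only the account the script granted and that ChannelConfiguration.config carries the intended authorizationDemand value. The following verification script is an added example, not part of the original topic; it assumes the same $internalSettings, $StsAccount and $ManagedAccount variables as the script above, and uses the MembersName property of the AzMan role and application group objects to list members.

```powershell
# Added verification example; not part of the original topic. Assumes $appPath is the physical path of one
# zone (for example $internalSettings.Path.FullName) and that $StsAccount / $ManagedAccount hold the same
# values the script above used. MembersName is the IAzRole/IAzApplicationGroup property that lists members.
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.Interop.Security.AzRoles, Version=2.0.0.0, publicKeyToken=31bf3856ad364e35, culture=neutral") | Out-Null
function Get-AzManMemberNames([string] $storeFile, [string] $appName, [string] $objectName, [bool] $isGroup)
{
    $store = New-Object Microsoft.Interop.Security.AzRoles.AzAuthorizationStoreClass
    $store.Initialize(0, "msxml://" + $storeFile, $null)
    $app = $store.OpenApplication($appName, $null)
    if ($isGroup) { $obj = $app.OpenApplicationGroup($objectName, $null) } else { $obj = $app.OpenRole($objectName, $null) }
    $names = @($obj.MembersName)            # account names currently granted this role or group
    [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($obj)
    [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($app)
    [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($store)
    return $names
}
function Test-MinimumPrivileges([string] $appPath, [string] $StsAccount, [string] $ManagedAccount)
{
    # One entry per grant the script above makes: store file, AzMan application, role or group, expected member.
    $expected = @(
        @{ File = "CommerceEntityAuthorizationStore.xml"; App = "CommerceFoundation";        Name = "Security Token Service"; Group = $true;  Account = $StsAccount     },
        @{ File = "CatalogAuthorizationStore.xml";        App = "CatalogandInventorySystem"; Name = "CatalogViewer";          Group = $false; Account = $ManagedAccount },
        @{ File = "CatalogAuthorizationStore.xml";        App = "CatalogandInventorySystem"; Name = "InventoryViewer";        Group = $false; Account = $ManagedAccount },
        @{ File = "OrdersAuthorizationStore.xml";         App = "OrderSystem";               Name = "OrdersAdministrator";    Group = $false; Account = $ManagedAccount },
        @{ File = "ProfilesAuthorizationStore.xml";       App = "ProfileSystem";             Name = "ProfileAdministrator";   Group = $false; Account = $ManagedAccount }
    )
    $ok = $true
    foreach ($e in $expected)
    {
        $members = Get-AzManMemberNames ($appPath + "\" + $e.File) $e.App $e.Name $e.Group
        if ($members -notcontains $e.Account)
        {
            Write-Warning ("{0}: {1} is missing expected member {2}" -f $e.File, $e.Name, $e.Account)
            $ok = $false
        }
        # Least privilege: any member beyond the one the script granted should be explicitly justified.
        $extra = @($members | Where-Object { $_ -ne $e.Account })
        if ($extra.Count -gt 0)
        {
            Write-Warning ("{0}: {1} also contains {2}" -f $e.File, $e.Name, ($extra -join ", "))
        }
    }
    $xml = [xml](Get-Content ($appPath + "\ChannelConfiguration.config"))
    $demand = $xml.DocumentElement.DefaultChannel.CommerceAuthorization.authorizationDemand
    Write-Host "authorizationDemand in ChannelConfiguration.config: $demand"
    return $ok
}
Test-MinimumPrivileges $internalSettings.Path.FullName $StsAccount $ManagedAccount
```

Run it once per zone (and, in a farm, on each server) after copying the files, since the stores are local to the server on which the script ran.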

Note

In a SharePoint 2010 deployment, perform an IIS reset after making changes to authorization stores in AzMan. The IIS reset forces user claims to refresh.

See Also

Other Resources

Using Windows PowerShell for SharePoint 2010 Commerce Deployment

Walkthrough: Deploying SharePoint 2010 Commerce Solution in a Two-Tier Topology

Walkthrough: Deploying a SharePoint 2010 Commerce Solution in a Three-Tier Topology

Cannot Use Silverlight Web Tools After Making Updates to Authorization Stores