Minimum Security User Rights

Minimum Security User Rights

Collapse All

The groups and accounts that BizTalk Server uses have the minimum user rights they need to perform most tasks. Therefore, there are some tasks where you may need more user rights than the ones BizTalk Server automatically has granted the group to which you belong. The following table describes the Minimum Security User Rights you need to perform tasks in BizTalk Server.

Task	Groups or Roles
Setup
Installation	Local Administrators
Configuration	BizTalk Server Administrators Local Administrators sysadmin SQL Server Role SSO Administrators OLAP Administrator
Join a BizTalk Server group	Local Administrators BizTalk Server Administrators
BizTalk Administration
Create a MessageBox database	BizTalk Server Administrators sysadmin SQL Server Role
Create or delete a BizTalk host	BizTalk Server Administrators db_ddladmin SQL Server Database role on the BizTalk MessageBox databases
Change the Host Tracking property for a host	BizTalk Server Administrators db_securityadmin SQL Server Database role on the BAM Primary Import database, BizTalk MessageBox databases, and the BizTalk Tracking database
Create (install), delete, or change the credentials for a host instance	BizTalk Server Administrators Local Administrators securityadmin SQL Server Role on the server(s) where the following databases are: BizTalk MessageBox databases, BizTalk Management database, Rule Engine database, BizTalk Tracking database, BAM Primary Import database db_securityadmin SQL Server Database role on the following databases: BizTalk MessageBox databases, BizTalk Management database, Rule Engine database, BizTalk Tracking database, BAM Primary Import database
Start or stop a host instance	BizTalk Server Administrators
Add or remove Server	BizTalk Server Administrators Local Administrators on the computer you are adding or removing.
Add or remove a receive handler	BizTalk Server Administrators SSO Affiliate administrators
Start or stop applications, orchestrations, send ports, and send port groups	BizTalk Server Operators
Enable or disable receive locations	BizTalk Server Operators
Search for artifacts	BizTalk Server Operators
Add an adapter	BizTalk Server Administrators SSO Affiliate administrators
Backup databases	BTS_BACKUP_USERS role for the databases sysadmin SQL Server role on the SQL Server hosting BizTalk Management database. Note You must configure the SQL Server Agent service to run under a domain account or a local account with a mapped user on each instance of SQL Server.
Configure BizTalk Groups with a certificate	BizTalk Server Administrators
All other tasks (including WMI)	BizTalk Server Administrators
Operations and Health and Activity Tracking (HAT)
View Group Hub page, perform queries, save and load queries	BizTalk Server Operators
View query results	BizTalk Server Operators
General configuration and tracking configuration	BizTalk Server Administrators (read and write) BizTalk Server Operators (read)
Browse a health monitoring cube	BizTalk Server Administrators
View message properties	BizTalk Server Administrators
Save message bodies	BizTalk Server Administrators
Use Find Message query	BizTalk Server Administrators
Use Query Build	BizTalk Server Administrators
Use the orchestration debugger	BizTalk Server Administrators
View message flow, message events in HAT	BizTalk Server Operators
Suspend, terminate, or resume instances	BizTalk Server Operators
Archiving or purging messages from the Tracking database	db_owner role on the BizTalk Tracking database
All other tasks	BizTalk Server Administrators
Tracking Profile Editor
Read or write to the BizTalk Management database	BizTalk Server Administrators
Event Bus Monitoring MMC
All tasks	BizTalk Server Administrators
BizTalk Web Services Publishing Wizard
All tasks	Local Administrators
Human Workflow Services
Start/stop Web service using the Human Workflow Services (HWS) Administration console	Local Administrators
Activity Model Designer API	HWS_AM_DESIGNER SQL Server Database role in the BizTalk Management and HWS Administration databases
All other tasks	BizTalk Server Administrators
Business Activity Monitoring
Run BM.exe	db_owner SQL Server Database role in the BAM Primary Import, BAM Star Schema, and BAM Archive databases
Run BM.exe, if there is an Analysis Services database	db_owner SQL Server Database role in the BAM Primary Import, BAM Star Schema, and BAM Archive databases OLAP Administrators in the BAM Analysis Services database
Create account for BAM View	db_owner SQL Server Database role in the BAM Primary Import database OLAP Administrators in the BAM Analysis Services database
Business Activity Services
Perform publishing operations that do not modify BizTalk Server settings	BizTalk BAS Users
Perform management operations that make changes in BizTalk Server, such as deploying partners and creating and activating agreements	BizTalk BAS Managers
Perform operations that directly affect the operations of BizTalk Server, such as creating a BizTalk Server registration and synchronizing and repairing databases with the Trading Partner Management database	BizTalk BAS Administrators
Rule Engine (publishing rules)
Deploy/undeploy policies, manipulate security-related artifacts	RE_ADMIN_USERS SQL Server Database role in the Rule engine database

User rights for performing administrative tasks

In order to perform administrative tasks, using either the BizTalk Server Administration Console or Windows Management Instrumentation (WMI), the account performing the administrative tasks requires different levels of user rights depending on the task to perform.

The following table describes the user rights the account needs to perform the tasks, from least user rights (level 1), to most user rights (level 4).

Level of user rights	User rights granted	Tasks
0	BizTalk Server Operators	Basic administration and monitoring tasks. No ability to change configuration settings. No access to message properties or content.
1	BizTalk Server Administrators	All administrative tasks, except the ones that require level 2-4 user rights
2	User rights granted to level 1 securityadmin SQL Server role on all SQL Servers db_securityadmin and db_accessadmin SQL Server Database roles in the BizTalk Tracking, Rule Engine, BizTalk Management, BAM Primary Import and BizTalk MessageBox databases db_ddladmin SQL Server Database role on all BizTalk MessageBox databases SSO Affiliate administrators	Create and delete BizTalk hosts Change host tracking property Add and delete servers Add and delete receive handlers Add adapters
3	User rights granted to level 2 Local Administrators on all BizTalk Server runtime computers	Create and delete host instances
4	User rights granted to level 3 sysadmin SQL Server role on all of the SQL Servers that have BizTalk MessageBox databases	Create MessageBox databases

Concepts

Business Activity Services Security Considerations
Databases in BizTalk Server
Windows Groups and User Accounts in BizTalk Server 2006

Other Resources

Access Control and Data Security
Designing the System Architectures for BizTalk Server