Minimum Security User Rights

The groups and accounts that BizTalk Server uses have the minimum user rights they need to perform most tasks. For some tasks, therefore, you may need more user rights than those BizTalk Server automatically grants to the group you belong to. In this topic:

Group and Role Membership

User rights for performing administrative tasks

Community Addition – Task List

Group and Role Membership

The following tables describe the minimum security user rights you need to perform tasks in BizTalk Server.

Setup

| Task | Groups or roles |
|---|---|
| Installation | Local Administrators |
| Configuration | BizTalk Server Administrators; Local Administrators; sysadmin SQL Server role; SSO Administrators; OLAP Administrator |
| Join a BizTalk Server group | Local Administrators; BizTalk Server Administrators |

BizTalk Administration

| Task | Groups or roles |
|---|---|
| Create a MessageBox database | BizTalk Server Administrators; sysadmin SQL Server role |
| Create or delete a BizTalk host | BizTalk Server Administrators; db_ddladmin SQL Server Database role on the BizTalk MessageBox databases |
| Change the Host Tracking property for a host | BizTalk Server Administrators; db_securityadmin SQL Server Database role on the BAM Primary Import database, the BizTalk MessageBox databases, and the BizTalk Tracking database |
| Create (install), delete, or change the credentials for a host instance | BizTalk Server Administrators; Local Administrators; securityadmin SQL Server role on the server(s) hosting the BizTalk MessageBox, BizTalk Management, Rule Engine, BizTalk Tracking, and BAM Primary Import databases; db_securityadmin SQL Server Database role on those same databases |
| Start or stop a host instance | BizTalk Server Administrators |
| Add or remove a server | BizTalk Server Administrators; Local Administrators on the computer you are adding or removing |
| Add or remove a receive handler | BizTalk Server Administrators; SSO Affiliate Administrators |
| Start or stop applications, orchestrations, send ports, and send port groups | BizTalk Server Operators |
| Enable or disable receive locations | BizTalk Server Operators |
| Search for artifacts | BizTalk Server Operators |
| Add an adapter | BizTalk Server Administrators; SSO Affiliate Administrators |
| Back up databases | BTS_BACKUP_USERS role for the databases; sysadmin SQL Server role on the SQL Server hosting the BizTalk Management database (see note below) |
| Configure BizTalk groups with a certificate | BizTalk Server Administrators |
| All other tasks (including WMI) | BizTalk Server Administrators |

Note: To back up databases, you must configure the SQL Server Agent service to run under a domain account, or under a local account with a mapped user on each instance of SQL Server.

Operations and Message and Service Instance Tracking

| Task | Groups or roles |
|---|---|
| View the Group Hub page, perform queries, save and load queries | BizTalk Server Operators |
| View query results | BizTalk Server Operators |
| General configuration and tracking configuration | BizTalk Server Administrators (read and write); BizTalk Server Operators (read) |
| Browse a health monitoring cube | BizTalk Server Administrators |
| View message properties | BizTalk Server Administrators |
| Save message bodies | BizTalk Server Administrators |
| Use the Find Message query | BizTalk Server Administrators |
| Use Query Builder | BizTalk Server Administrators |
| Use the orchestration debugger | BizTalk Server Administrators |
| View message flow and message events in the Group Hub page using the BizTalk Server Administration console | BizTalk Server Operators |
| Suspend, terminate, or resume instances | BizTalk Server Operators |
| Archive or purge messages from the Tracking database | db_owner role on the BizTalk Tracking database |
| All other tasks | BizTalk Server Administrators |

Tracking Profile Editor

| Task | Groups or roles |
|---|---|
| Read or write to the BizTalk Management database | BizTalk Server Administrators |

Event Bus Monitoring MMC

| Task | Groups or roles |
|---|---|
| All tasks | BizTalk Server Administrators |

BizTalk WCF Service Publishing Wizard

| Task | Groups or roles |
|---|---|
| All tasks | Local Administrators |

BizTalk Web Services Publishing Wizard

| Task | Groups or roles |
|---|---|
| All tasks | Local Administrators |

Business Activity Monitoring

| Task | Groups or roles |
|---|---|
| Run BM.exe | db_owner SQL Server Database role in the BAM Primary Import, BAM Star Schema, and BAM Archive databases |
| Run BM.exe when there is an Analysis Services database | db_owner SQL Server Database role in the BAM Primary Import, BAM Star Schema, and BAM Archive databases; OLAP Administrators in the BAM Analysis Services database |
| Create an account for a BAM view | db_owner SQL Server Database role in the BAM Primary Import database; OLAP Administrators in the BAM Analysis Services database |

Rule Engine (publishing rules)

| Task | Groups or roles |
|---|---|
| Deploy or undeploy policies, manipulate security-related artifacts | RE_ADMIN_USERS SQL Server Database role in the Rule Engine database |

User rights for performing administrative tasks

To perform administrative tasks, using either the BizTalk Server Administration console or Windows Management Instrumentation (WMI), the account performing them requires a different level of user rights depending on the task.

The following table describes the user rights the account needs for each set of tasks, from the least user rights (level 1) to the most (level 4).

| Level of user rights | User rights granted | Tasks |
|---|---|---|
| 0 | BizTalk Server Operators | Basic administration and monitoring tasks. No ability to change configuration settings. No access to message properties or content. |
| 1 | BizTalk Server Administrators | All administrative tasks, except those that require level 2 to 4 user rights |
| 2 | User rights granted to level 1; securityadmin SQL Server role on all SQL Servers; db_securityadmin and db_accessadmin SQL Server Database roles in the BizTalk Tracking, Rule Engine, BizTalk Management, BAM Primary Import, and BizTalk MessageBox databases; db_ddladmin SQL Server Database role on all BizTalk MessageBox databases; SSO Affiliate Administrators | Create and delete BizTalk hosts; change the host tracking property; add and delete servers; add and delete receive handlers; add adapters |
| 3 | User rights granted to level 2; Local Administrators on all BizTalk Server runtime computers | Create and delete host instances |
| 4 | User rights granted to level 3; sysadmin SQL Server role on all SQL Servers that host BizTalk MessageBox databases | Create MessageBox databases |
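As an added audit query, not part of this documentation, the following T-SQL lists which of the SQL Server roles named in the tables above a given login actually holds, so you can confirm that an account sits at the intended level and no higher. The login name is a placeholder, and the database names are assumptions: BizTalkMsgBoxDb, BizTalkMgmtDb, BizTalkDTADb, BizTalkRuleEngineDb, and BAMPrimaryImport are the default names a BizTalk configuration creates, so adjust them to your deployment.

```sql
-- Added audit example (not from the BizTalk documentation). Reports the
-- server-level and database-level roles from the rights tables that the
-- login in @Login holds. Database names below are assumed defaults.
DECLARE @Login sysname = N'CONTOSO\BizTalkAdminSvc';  -- placeholder account

-- Server-level fixed roles named on this page (sysadmin, securityadmin)
SELECT 'server' AS scope, r.name AS role_name
FROM sys.server_role_members AS m
JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = m.member_principal_id
WHERE p.name = @Login AND r.name IN ('sysadmin', 'securityadmin');

-- Database-level roles, checked in each BizTalk database that exists here.
-- The database user is matched to the login by SID, not by name.
DECLARE @Db sysname, @Sql nvarchar(max);
DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
  SELECT name FROM sys.databases
  WHERE name IN (N'BizTalkMsgBoxDb', N'BizTalkMgmtDb', N'BizTalkDTADb',
                 N'BizTalkRuleEngineDb', N'BAMPrimaryImport');
OPEN dbs;
FETCH NEXT FROM dbs INTO @Db;
WHILE @@FETCH_STATUS = 0
BEGIN
  SET @Sql = N'SELECT ' + QUOTENAME(@Db, '''') + N' AS scope, r.name AS role_name
    FROM ' + QUOTENAME(@Db) + N'.sys.database_role_members AS m
    JOIN ' + QUOTENAME(@Db) + N'.sys.database_principals AS r
      ON r.principal_id = m.role_principal_id
    JOIN ' + QUOTENAME(@Db) + N'.sys.database_principals AS p
      ON p.principal_id = m.member_principal_id
    JOIN sys.server_principals AS s ON s.sid = p.sid
    WHERE s.name = @L
      AND r.name IN (''db_owner'', ''db_ddladmin'', ''db_securityadmin'',
                     ''db_accessadmin'', ''BTS_BACKUP_USERS'', ''RE_ADMIN_USERS'');';
  EXEC sp_executesql @Sql, N'@L sysname', @L = @Login;
  FETCH NEXT FROM dbs INTO @Db;
END
CLOSE dbs;
DEALLOCATE dbs;
```

Membership is reported only for the principal named in @Login; rights inherited through a Windows group login such as BizTalk Server Administrators appear under that group's login name, so run the query for each group as well.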

Community Addition – Task List

Minimum Security Rights for BizTalk Server 2013 R2 (https://social.technet.microsoft.com/wiki/contents/articles/24590.minimum-security-rights-for-biztalk-server-2013-r2.aspx)

See Also

Access Control and Data Security
Designing the System Architectures for BizTalk Server
Databases in BizTalk Server
Windows Groups and User Accounts in BizTalk Server