How Are Permissions Granted to CSS Authentication Accounts?

Three Commerce Server Staging (CSS) security groups control account access to staging functions. These groups are created when you install CSS. The following three groups are defined on each CSS server:

  • CSS Administrators. Members of this group have administrative-level access and administer all aspects of staging, server settings, projects, and routes. They have permissions to change the CSS server configuration settings. This group is added to all projects. You cannot remove this group from the project permission settings. By default, built-in Administrators are members of this group.

  • CSS Operators. Members of this group have operator-level access to manage projects. They have permissions to start, stop, and rollback projects. By default, this group is added to all projects. You can remove this group to customize access to individual projects.

  • CSS_SG (CSS Service Group). Only members of this group should be used to run the CSS service. It has operator-level access to all projects. The CSS service account that is specified when you configure CSS is automatically added to this group. Ideally, the CSS service account should be the only member of this group.

    Important Note:

    You must add to this group any account that you create to run the CSS service.

You manage access to the staging functions by adding users to the CSS Administrators or CSS Operators groups on each CSS server that was defined in the staging deployment. You manage authentication between CSS servers by defining and managing staging authentication accounts. Also, you can provide user access and authentication at the project level. For more information, see the following sections:

  • Staging Administration

  • Staging Management Account Access

  • Staging Project Accounts

  • Project Administrators and Operators

Staging Administration

Users who belong to the CSS Administrators group can administer local and remote servers, and create and manage projects.

Initially, only the local server is added to the CSS Microsoft Management Console (MMC). As you define projects and routes, you add the remote CSS servers that are available through the network to the CSS management console so that you can administer them remotely.

When you administer remote CSS servers, you use the credentials for the logon account that opened the CSS management console to validate against the remote CSS server. However, you can override this account either through the Connect Using an authentication account option in the Add Host Dialog or Set Authentication Action menu. This is useful if the logon account cannot be validated against the remote CSS server or you want to use a different account to perform administrative tasks.

Note

Remote CSS server accounts must match an account that belongs to the CSS Administrators group on the remote server.

The CSS administrative account that the CSS management console uses should not be confused with the authentication accounts that are described in Staging Project Accounts. Those authentication accounts are used by the CSS service to stage CSS projects.

Staging Management Account Access

When you use the CSS MMC, you can specify an MMC authentication account for administering the CSS servers. This lets you use credentials other than those of the account you used to log on to administer staging. For information about how to set the MMC authentication account, see How to Connect to a Remote Server.

Members of the CSS Operators group have permissions to add and remove servers, and manage projects. Specifically they can start, stop, and rollback projects and view reports. Members of the CSS Administrators group have all the permissions of the CSS Operators group and can perform these additional staging tasks:

  • Add, remove, and change projects and routes.

  • Add and remove users to and from projects.

  • Change server properties.

  • Start, stop, and pause the staging service.

The following table summarizes the staging tasks that the members of the CSS Administrators and CSS Operators groups can perform.

| CSS management console operation | CSS Command | CSS Administrator | CSS Operator |
|---|---|---|---|
| Create a project. | AddProj | Y | N |
| Add a route. | AddRoute | Y | N |
| Apply timed-released transaction. | Apply | Y | Y |
| Cancel project deployment. | Cancel | Y | Y |
| Continue CSS service that is running on a server. | Continue | Y | N |
| Delete a project. | DelProj | Y | N |
| Delete a route. | DelRoute | Y | N |
| Start project deployment. | Deploy | Y | Y |
| Edit a project. | EditProj | Y | N |
| Grant user access to a project. | GrantUser | Y | N |
| View list of servers. | List | Y | Y |
| View list of projects. | ListProj | Y | Y |
| View list of routes. | ListRoute | Y | Y |
| View user access to a project. | ListUser | Y | N |
| Pause CSS service that is running on a server. | Pause | Y | N |
| Open server properties. | QueryGlobal | Y | Y |
| Open project properties. | QueryProj | Y | Y |
| Remove user access to a project. | RemoveUser | Y | N |
| View reports. | Report | Y | Y |
| Rollback replication. | RollBack | Y | Y |
| Set replication globals. | SetGlobal | Y | N |
| Start CSS service that is running on a server. | Start | Y | N |
| Stop CSS service that is running on a server. | Stop | Y | N |

Note

By default, the local computer's Administrators group has administrator-level access to all staging projects.
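The group guidance above (CSS_SG should hold only the service account, and every member of CSS Administrators can run all commands in the table) can be checked on each CSS server with a short audit. This is an added example, not part of the original documentation. It assumes PowerShell 5.1 or later, that the local group names match the names used on this page, and that `CONTOSO\svc-css` is a placeholder for your CSS service account.

```powershell
# Added example: audit the CSS security groups on the local CSS server.
# Assumptions: the local group names match the names used on this page, and
# CONTOSO\svc-css is a placeholder for the CSS service account.
param(
    [string]   $ServiceAccount = 'CONTOSO\svc-css',
    [string[]] $ApprovedAdmins = @('BUILTIN\Administrators')
)

function Get-CssGroupMember {
    param([string] $Group)
    try {
        Get-LocalGroupMember -Group $Group -ErrorAction Stop
    } catch {
        Write-Warning "Cannot read '$Group': $($_.Exception.Message)"
    }
}

function New-Finding {
    param($Group, $Member, $Issue)
    [pscustomobject]@{ Group = $Group; Member = $Member; Issue = $Issue }
}

$findings = @()

# CSS_SG: only the service account should be a member, and it must be present.
$sg = @(Get-CssGroupMember 'CSS_SG')
foreach ($m in $sg) {
    if ($m.Name -ne $ServiceAccount) {
        $findings += New-Finding 'CSS_SG' $m.Name 'Unexpected member; has operator-level access to all projects'
    }
}
if ($sg.Name -notcontains $ServiceAccount) {
    $findings += New-Finding 'CSS_SG' $ServiceAccount 'Service account is not a member'
}

# CSS Administrators: every member can run all commands in the table, including
# GrantUser, SetGlobal, and service Start/Stop. Flag anyone not approved.
foreach ($m in @(Get-CssGroupMember 'CSS Administrators')) {
    if ($ApprovedAdmins -notcontains $m.Name) {
        $findings += New-Finding 'CSS Administrators' $m.Name 'Not on the approved administrator list'
    }
}

# CSS Operators: added to every project by default, so list members for review.
foreach ($m in @(Get-CssGroupMember 'CSS Operators')) {
    $findings += New-Finding 'CSS Operators' $m.Name 'Review: default operator access to all projects'
}

$findings | Format-Table -AutoSize -Wrap
```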

Staging Project Accounts

Staging project accounts are accounts that you define to manage connections between CSS servers when you stage data or content for a project. For more information about staging project accounts, see How Are CSS Authentication Accounts Defined and Managed?

Project Administrators and Operators

Project-level permissions let you customize staging access to individual projects.

You can manage projects with the default groups or by customizing permissions with individual user accounts or groups. You change the default permissions by adding or removing users or groups to the project as administrators or operators. A user who has Operator access can view, start, stop, and rollback the project. A user who has Administrator access can view, start, stop, rollback, and modify the project.

For users who do not belong to the default CSS groups, you can grant them access to specific projects and restrict them from other projects.

For information about how to grant permissions to users at the project level, see How to Add and Remove Users as Project-Level Administrators or Operators.

See Also

Other Resources

How Are CSS Authentication Accounts Defined and Managed?

Staging Web Sites and Commerce Server Data

What Database Access Permissions Must You Grant to CSS Authentication Accounts?

Getting Started Using Commerce Server Staging

Configuring Security for Commerce Server Staging

What are the Staging Security Configuration Requirements?