What are the Staging Security Configuration Requirements?
Commerce Server Staging (CSS) enables flexibility in the ways that you implement your staging credentials. You can assign access at various levels. CSS puts security restrictions on users who access staging functions and the accounts specified to stage content and data. All users who access staging functions must belong to one of the CSS security groups. These users access the Commerce Server Staging console or execute CSS commands.
All accounts that are used to stage data must also belong to one or more CSS security groups. You must also define these accounts on the CSS servers that you use in a staging project. This makes sure that the CSS server(s) receiving content can authenticate the CSS server that sends content.
Security configuration requirements for working with CSS are as follows:
Before you install and configure CSS, create a CSS service account to run on the CSS server. When you configure CSS, specify the CSS service account that you created.
Assign the user accounts of those users who will use CSS to one of the CSS security groups, either the CSS Administrators or CSS Operators group. For information about these groups, see How Are Permissions Granted to CSS Authentication Accounts?
(Optional) Create CSS authentication account(s) to use when staging projects across CSS servers. For information about the different authentication methods supported, see How Are CSS Authentication Accounts Defined and Managed?
If you do not create any CSS authentication accounts, the CSS service account will be used as the default authentication account for authenticating staging projects.
Assign CSS authentication account(s) to either the CSS Administrators group or the CSS Operators group based on your staging requirements. For information about these groups, see How Are Permissions Granted to CSS Authentication Accounts?
For staging business data, configure database access permissions for CSS service accounts, CSS Administrators and CSS Operators groups, and to users assigned project-level permissions. For information about database access requirements, see How Are Permissions Granted to CSS Authentication Accounts?
For staging Web content, provide the CSS authentication account that will stage the content full security permissions on the destination folder. For information about how to set folder permissions, see How to Set Folder Permissions for Staging Accounts.
For creating virtual directories when staging Web content, provide the CSS_SG group access to the IIS metabase on the source and endpoint CSS servers where the projects are staged. This step is required to support creation of the directories and setting access permissions on the directories. For information about how to configure access to the IIS metabase, see How to Configure Access to the IIS Metabase.
For staging the IIS metabase, provide the CSS_SG group access to the IIS metabase on those CSS servers where IIS metabase projects are executed. This step is required to support updates of the IIS metabase. In addition, provide CSS users permissions to view the Web sites in the project properties dialog box accessed from the CSS Microsoft Management Console (MMC). For information about how to configure access to the IIS metabase, see How to Configure Access to the IIS Metabase.
For running scripts before and after project replication, read and execute permissions must be granted to users or accounts that run cmd.exe. For information about how to grant permissions for running scripts, see How to Grant Permissions for Running Scripts.