Introduction
Out of the box, Microsoft BizTalk Server does not provide any feature that could be called a “BizTalk Admin Console read-only” mode.
Sometimes we want to give a certain set of users (developers, production monitoring and support professionals) read-only access to the BizTalk Admin Console. But if we place them in the BTS_Operators group, they can unfortunately start and stop send ports, receive locations and orchestrations, which is exactly what we don’t want them to do.
Also, BizTalk operators (members of the BTS_Operators group) can see the number of suspended messages but cannot view or save the message itself. Another common showstopper is that operators cannot use the Orchestration Debugger, with which we can easily verify where an orchestration has halted.
So, in order to satisfy the above two points, the following workaround has been suggested.
Background
We want to provide the BizTalk Admin Console in read-only mode to a certain set of users.
Tasks users can carry out:
1. View service state and message flow in BizTalk.
2. See the suspended message, its error details and context properties, and view the message body (for troubleshooting, reprocessing etc.); also start the Orchestration Debugger.
Tasks users can’t carry out:
1. Create/delete hosts and host instances.
2. Add/delete adapters, add/delete handlers to adapters.
3. Stop and start orchestrations, send ports, receive locations, host instances etc.
4. Deploy/undeploy BizTalk applications.
5. Add/remove resources to existing BizTalk applications.
All other admin tasks related to BizTalk.
One of the suggestions: we can place the users in the “BizTalk Server Operators” Windows group [the default group created while configuring BizTalk].
But the risk: the “BizTalk Server Operators” group has permissions to start and stop BizTalk receive locations, send ports and orchestrations, which we don’t want. Also, users of the “BizTalk Server Operators” group can’t see the suspended message’s body, nor can they debug any orchestration instance [which may be useful for troubleshooting], which we do want.
Solution
The “BizTalk Server Operators” Windows group is mapped to the ‘BTS_Operators’ database role on ‘BizTalkMgmtDB’. This database role has permission to execute certain stored procedures (which in turn make it possible to stop/start BizTalk ports/locations/orchestrations). Please see the screenshot below.
1. Revoke execute permission from the ‘BTS_Operators’ database role on the following stored procedures:
[bts_ReceiveLocation_Status_Update]
[bts_SendPort_Status_Update]
[bts_Orchestration_Status_Update]
OR
2. Create a new Windows group which has the same permissions as the “BizTalk Server Operators” Windows group except execute permission on the following stored procedures:
[bts_ReceiveLocation_Status_Update]
[bts_SendPort_Status_Update]
[bts_Orchestration_Status_Update]
After following the above steps you can prevent the BizTalk operator users from starting and stopping send ports, receive locations and orchestrations.
If your requirement is only that the BizTalk Admin Console can be used in read-only mode, then the task is done.
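The following T-SQL is an added example, not code from the original post: it carries out option 1 above (revoking execute on the three status-update procedures from the BTS_Operators role) as a script instead of through the SSMS GUI, with a check before and after. It assumes the default management database name BizTalkMgmtDb (the post writes it as BizTalkMgmtDB) and that the procedures live in the dbo schema; the group name CONTOSO\BizTalk Server Operators in the effective-permission check is a placeholder for your own domain group.

```sql
-- Added example (not from the original post): option 1 of the Solution
-- section as T-SQL. Run as a sysadmin against the BizTalk management database.
USE [BizTalkMgmtDb];   -- default name; the post calls it BizTalkMgmtDB
GO

-- Check 1 (before): which explicit permissions does BTS_Operators hold on the
-- three procedures the post names? Expect three GRANT/EXECUTE rows.
SELECT o.name AS procedure_name, p.permission_name, p.state_desc
FROM sys.database_permissions AS p
JOIN sys.database_principals AS r ON r.principal_id = p.grantee_principal_id
JOIN sys.objects AS o ON o.object_id = p.major_id
WHERE r.name = N'BTS_Operators'
  AND o.name IN (N'bts_ReceiveLocation_Status_Update',
                 N'bts_SendPort_Status_Update',
                 N'bts_Orchestration_Status_Update');
GO

-- Step 1 of the post: remove the role's execute permission on each procedure.
-- These procedures are what let operators start/stop receive locations,
-- send ports and orchestrations from the Admin Console.
REVOKE EXECUTE ON OBJECT::[dbo].[bts_ReceiveLocation_Status_Update] FROM [BTS_Operators];
REVOKE EXECUTE ON OBJECT::[dbo].[bts_SendPort_Status_Update]        FROM [BTS_Operators];
REVOKE EXECUTE ON OBJECT::[dbo].[bts_Orchestration_Status_Update]   FROM [BTS_Operators];
GO

-- Check 2 (after): re-run the SELECT above; the three rows should be gone.

-- Check 3: effective permission, not just the explicit grant. REVOKE only
-- removes this one grant, so if the operators' Windows group were also given
-- EXECUTE through another role or directly, it would still work. Impersonate
-- the group's database user and ask SQL Server what it can actually do.
-- PLACEHOLDER: replace CONTOSO\... with the operators group mapped in this DB.
EXECUTE AS USER = N'CONTOSO\BizTalk Server Operators';
SELECT HAS_PERMS_BY_NAME(N'dbo.bts_ReceiveLocation_Status_Update', N'OBJECT', N'EXECUTE') AS can_toggle_receive_location,
       HAS_PERMS_BY_NAME(N'dbo.bts_SendPort_Status_Update',        N'OBJECT', N'EXECUTE') AS can_toggle_send_port,
       HAS_PERMS_BY_NAME(N'dbo.bts_Orchestration_Status_Update',   N'OBJECT', N'EXECUTE') AS can_toggle_orchestration;
REVERT;
GO
```

All three columns of the last query should return 0 once the revoke is in place; a 1 means the group still reaches the procedure by some other path and the remaining grant needs to be found (the first query, with the WHERE on the role name removed, lists every grantee). Re-run this check after any BizTalk reconfiguration or update, since those may restore the product's default permissions.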
======================================================
But if you want to provide some extra features to the users of the BizTalk Operators group, so that they can see the number of suspended messages and also view the message body, and can start the Orchestration Debugger for troubleshooting to see exactly where an orchestration halted (everything except the start and stop feature), then the following extra steps are needed.
3. Create a new Windows group as an extension to the operator group.
Create a Windows group named “BizTalk Server Super Operators” (you can give it any name).
[For a multi-server installation, you can create it in Active Directory.]
Add the members who deserve the super operator rights. These members must already be members of the operator Windows group, because the super operator group is only an extension of the operator permissions.
4. Create a login on the SQL Server for the super operator group.
a. Open SQL Server Management Studio and connect to the SQL Server that is hosting the BizTalk group databases.
b. Open the server Security node and create a new login by right-clicking Logins and selecting New Login.
c. In the login name textbox, specify the group you created in step 3.
d. On the User Mapping tab, check the checkbox for every BizTalk database.
A role must be created for the super operator in the necessary BizTalk databases. In this scenario we only need to create a role in BizTalkManagementDB, BizTalkMessageBoxDB and BizTalkDTADB.
a. In SQL Server Management Studio, expand the MessageBox database and right-click the Roles node.
b. Select New Database Role.
c. Name this role BTS_SUPEROPERATORS, with the owner set to dbo.
d. Add the group you created in step 3 to the role members.
e. Add the securables for the saving/viewing message permissions (as shown in the screenshots below).
f. For Orchestration Debugger permissions, apply the securables mentioned below to BizTalkDTADB.
g. Grant only execute permission on the added securables.
h. Do the same in the BizTalkManagement database.
(Screenshot: securables for the saving/viewing message permissions.)
For Orchestration Debugger permission, apply the following securables (each one with execute permission) to the BizTalkDTADB database. (Screenshot.)
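The following T-SQL is an added example, not code from the original post: it performs steps 3 to 5 above (login for the new Windows group, a BTS_SUPEROPERATORS role in each of the three databases, group membership, execute-only grants) as a script rather than through SSMS, and ends with a membership check. It assumes the default database names BizTalkMgmtDb, BizTalkMsgBoxDb and BizTalkDTADb; CONTOSO\BizTalk Server Super Operators is a placeholder for your own group. The securables the post grants are shown only in its screenshots, so they appear here as placeholders that you must replace with the procedure names from those screenshots.

```sql
-- Added example (not from the original post): steps 3-5 as T-SQL, run once as sysadmin.
-- The Windows group itself (step 3) is created in Windows/Active Directory, not here.

-- Step 4: one server-level login for the Windows group (placeholder domain CONTOSO).
CREATE LOGIN [CONTOSO\BizTalk Server Super Operators] FROM WINDOWS;
GO

-- Step 5 in the MessageBox database: map the login, create the role owned by dbo,
-- add the group, then grant execute only on the message save/view securables.
USE [BizTalkMsgBoxDb];
GO
CREATE USER [CONTOSO\BizTalk Server Super Operators]
    FOR LOGIN [CONTOSO\BizTalk Server Super Operators];
CREATE ROLE [BTS_SUPEROPERATORS] AUTHORIZATION [dbo];
ALTER ROLE [BTS_SUPEROPERATORS]                     -- SQL Server 2012+; older versions use sp_addrolemember
    ADD MEMBER [CONTOSO\BizTalk Server Super Operators];
-- PLACEHOLDER: one GRANT per procedure shown in the post's MessageBox screenshot.
GRANT EXECUTE ON OBJECT::[dbo].[<msgbox_procedure_from_screenshot>] TO [BTS_SUPEROPERATORS];
GO

-- Step 5h: the same in the management database.
USE [BizTalkMgmtDb];
GO
CREATE USER [CONTOSO\BizTalk Server Super Operators]
    FOR LOGIN [CONTOSO\BizTalk Server Super Operators];
CREATE ROLE [BTS_SUPEROPERATORS] AUTHORIZATION [dbo];
ALTER ROLE [BTS_SUPEROPERATORS]
    ADD MEMBER [CONTOSO\BizTalk Server Super Operators];
-- PLACEHOLDER: one GRANT per procedure shown in the post's management DB screenshot.
GRANT EXECUTE ON OBJECT::[dbo].[<mgmt_procedure_from_screenshot>] TO [BTS_SUPEROPERATORS];
GO

-- Step 5f: the tracking database, for the Orchestration Debugger securables.
USE [BizTalkDTADb];
GO
CREATE USER [CONTOSO\BizTalk Server Super Operators]
    FOR LOGIN [CONTOSO\BizTalk Server Super Operators];
CREATE ROLE [BTS_SUPEROPERATORS] AUTHORIZATION [dbo];
ALTER ROLE [BTS_SUPEROPERATORS]
    ADD MEMBER [CONTOSO\BizTalk Server Super Operators];
-- PLACEHOLDER: one GRANT per procedure shown in the post's DTA screenshot.
GRANT EXECUTE ON OBJECT::[dbo].[<dta_procedure_from_screenshot>] TO [BTS_SUPEROPERATORS];
GO

-- Check: in each database, confirm the role exists, who is a member, and that
-- every permission it holds is EXECUTE and nothing broader (e.g. no CONTROL).
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'BTS_SUPEROPERATORS';

SELECT o.name AS securable, p.permission_name, p.state_desc
FROM sys.database_permissions AS p
JOIN sys.database_principals AS r ON r.principal_id = p.grantee_principal_id
LEFT JOIN sys.objects AS o ON o.object_id = p.major_id
WHERE r.name = N'BTS_SUPEROPERATORS';
GO
```

The second check query is the one worth keeping around: because the new role only extends the operator permissions, every row it returns should read EXECUTE / GRANT on a named procedure; a row with a NULL securable (a database-level permission) or any permission other than EXECUTE means the role was given more than the post intends. Members must also still be in the “BizTalk Server Operators” group, as the post says, since nothing in this script grants the base operator rights.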
After completing the above steps, hopefully we end up with the required rights for the required set of users.
Really helpful for a situation that comes up a lot. Very simple solution, thanks.
Thanks Brett!!