Is there a best practice way of segregating biztalk permissions across the SDLC?

  • Question

  • I'm working on the SQL Server side of things, helping some people set up a biztalk project. There are some issues with figuring out the SQL permissions required by biztalk and how to set them up.

    I have read the guide here which indicates which SQL permissions to assign to which AD groups. I assume these groups are created by the biztalk install process (if that's not true then please let me know).

    I generally try to grant SQL permissions to AD groups rather than individual users, but it seems like all of the biztalk services (dev, uat and production) would be using the same AD groups (e.g., "SSO Administrators"). So if I grant permission to the groups, then all biztalk services would be able to access all SQL Servers. For example, someone could point the development biztalk services at the production biztalk SQL server, and it would work because on both SQL Servers the permission would be assigned to the same AD group.

    Is there any way to have biztalk create, for example, the AD group "SSO Administrators - DEV" and "SSO Administrators - UAT" so that I can prevent biztalk from violating SDLC boundaries, or do I just have to accept this in biztalk-land?

    Tuesday, October 14, 2014 2:31 AM

Answers

  • Nops,

    You need to create BizTalk-related Windows groups in AD and use these while configuring your BizTalk environment. For security purposes and to avoid group conflicts, it's always preferred to use different groups for different environments.

    Note: don't use the local groups which are on the machine. Your groups should be like this:

    Domain-ABC\SSO Administrators_Prod, Domain-ABC\SSO Affiliate Administrators_Prod, Domain-ABC\BizTalk Administrators_Prod, etc. for the Production environment

    Domain-ABC\SSO Administrators_Test, Domain-ABC\SSO Affiliate Administrators_Test, Domain-ABC\BizTalk Administrators_Test for the Testing environment.

    The developer box can use the local BizTalk groups, as both SQL and BizTalk will be on the same box.

    Thanks

    Abhishek

    • Marked as answer by allmhuran Tuesday, October 14, 2014 6:23 AM
    Tuesday, October 14, 2014 5:30 AM
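The following T-SQL is an added example, not code from this thread or from BizTalk. It shows one way to act on the accepted answer on the SQL Server side: each SQL Server creates logins only for the domain groups carrying its own environment suffix, and a final query flags any BizTalk/SSO group login that does not match that suffix, which is exactly the cross-environment path the question worries about. The group names are the ones the answer lists; the role assignments (sysadmin for BizTalk Administrators, dbcreator for SSO Administrators) and the `@env` variable are assumptions for illustration, and the real permission matrix should come from the BizTalk installation guide the question links to.

```sql
-- Added example (not from the thread). Run on the PRODUCTION SQL Server with
-- @env = N'Prod'; run the same script on the test server with @env = N'Test'.
-- Role mapping below is an assumption for illustration, not BizTalk's documented matrix.
USE master;
GO

DECLARE @env sysname = N'Prod';   -- only this server's own suffix is ever provisioned here

-- Environment-specific domain groups from the answer, plus an (assumed) server role each
DECLARE @groups TABLE (name sysname NOT NULL, server_role sysname NULL);
INSERT INTO @groups (name, server_role) VALUES
    (N'Domain-ABC\SSO Administrators_' + @env,            N'dbcreator'),
    (N'Domain-ABC\SSO Affiliate Administrators_' + @env,  NULL),
    (N'Domain-ABC\BizTalk Administrators_' + @env,        N'sysadmin');

DECLARE @name sysname, @role sysname, @sql nvarchar(max);
DECLARE grp CURSOR LOCAL FAST_FORWARD FOR SELECT name, server_role FROM @groups;
OPEN grp;
FETCH NEXT FROM grp INTO @name, @role;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Create the Windows-group login only if it does not already exist (type 'G' = Windows group)
    IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = @name AND type = 'G')
    BEGIN
        SET @sql = N'CREATE LOGIN ' + QUOTENAME(@name) + N' FROM WINDOWS;';
        EXEC sys.sp_executesql @sql;
    END;

    -- Grant the server role via ALTER SERVER ROLE (SQL Server 2012 and later)
    IF @role IS NOT NULL
    BEGIN
        SET @sql = N'ALTER SERVER ROLE ' + QUOTENAME(@role) + N' ADD MEMBER ' + QUOTENAME(@name) + N';';
        EXEC sys.sp_executesql @sql;
    END;

    FETCH NEXT FROM grp INTO @name, @role;
END;
CLOSE grp;
DEALLOCATE grp;

-- Boundary check: any BizTalk/SSO Windows-group login that does NOT end in this
-- server's suffix (a _Test group on prod, or a suffix-less generic group such as
-- "Domain-ABC\SSO Administrators") would let another environment's hosts in.
-- [_] escapes the underscore so it is matched literally rather than as a wildcard.
SELECT sp.name, sp.type_desc, sp.create_date
FROM sys.server_principals AS sp
WHERE sp.type = 'G'
  AND (sp.name LIKE N'%SSO %' OR sp.name LIKE N'%BizTalk%')
  AND sp.name NOT LIKE N'%[_]' + @env;
GO
```

The check query is worth keeping as a scheduled audit rather than a one-off: the point of the suffixed groups is that a dev or test BizTalk host authenticating to the production instance has no matching login, and that only holds as long as nobody later adds the generic or other-environment group back.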

All replies

  • Hello,

    While setting up a Production or Test environment for BizTalk, you always deal with a multi-server configuration (SQL and the BizTalk app on different machines).

    It requires you to create Windows groups in AD for the BizTalk-related groups such as SSO, BizTalk Admin group, BizTalk Users, etc., and you need to give appropriate rights (sysadmin, dbcreator) to these groups so that they can communicate with SQL.

    Note:

    Separate AD Windows groups for the Production and Test environments are preferred.

    The Development machine can work on local groups as well.

    You also need to check the MSDTC configuration from the Application server to the DB server.

    Thanks

    Abhishek

    Tuesday, October 14, 2014 5:12 AM
  • Yes, our SQL services and biztalk services are hosted on different machines, but that's not really relevant to this particular topic.

    Yep, the goal here is to assign the appropriate rights to the appropriate groups.

    You said "Separate AD windows group for Production and Test Environment is preferred" - I definitely agree. But this is the reason for the question. If the biztalk install creates the AD groups (SSO Administrators, SSO Affiliate Administrators, Biztalk Administrators, Biztalk Host users, etc.) then every biztalk install (dev, UAT and prod) will all use the same AD groups. If permissions in SQL are assigned to these groups, then it doesn't seem possible for different phases of the SDLC to be accessible only to specific biztalk services. In other words, it doesn't seem like I can enforce the idea that the biztalk dev services should only be able to access the biztalk dev databases.


    • Edited by allmhuran Tuesday, October 14, 2014 5:24 AM
    Tuesday, October 14, 2014 5:20 AM
  • Roger that, so if I understand correctly, we should be getting the project people to talk to the AD admins to create the appropriate groups to meet our requirements and then using those groups during biztalk setup (and assigning the appropriate users, e.g., the SSO Service account, to those groups).

    Thanks.
    Tuesday, October 14, 2014 6:23 AM