Regarding Elevating Access For BizTalk Operator Group

  • Question

  • At my workplace we are challenged with limited access to the BizTalk operator group. Recently I came across this great post by Toon Vanhoutte about elevating the operator group access by using the following query. I have tested this in our lower environments and it does allow the operator group to view message body/context.

    Has anyone else used this, and do you think there could be some unknowns/risk associated with this?

    Blog Link:

    http://www.codit.eu/blog/2012/07/02/elevating-permissions-for-biztalk-server-operators-group/

    Query:

    USE BizTalkDTADb;

        GRANT EXECUTE ON OBJECT::bts_GetTrackedMessage
            TO BTS_OPERATORS;
        GRANT EXECUTE ON OBJECT::bts_GetTrackedMessageFragments
            TO BTS_OPERATORS;
        GRANT EXECUTE ON OBJECT::bts_GetTrackedMessageParts
            TO BTS_OPERATORS;
        GRANT EXECUTE ON OBJECT::ops_LoadTrackedMessageContext
            TO BTS_OPERATORS;
        GRANT EXECUTE ON OBJECT::ops_LoadTrackedMessages
            TO BTS_OPERATORS;
        GRANT EXECUTE ON OBJECT::ops_LoadTrackedPart
            TO BTS_OPERATORS;
        GRANT EXECUTE ON OBJECT::ops_LoadTrackedPartByID
            TO BTS_OPERATORS;
        GRANT EXECUTE ON OBJECT::ops_LoadTrackedPartFragment
            TO BTS_OPERATORS;
        GRANT EXECUTE ON OBJECT::ops_LoadTrackedPartNames
            TO BTS_OPERATORS;
        GRANT EXECUTE ON OBJECT::ops_LoadTrackedParts
            TO BTS_OPERATORS;
    GO
    USE BizTalkMsgBoxDb;
        GRANT EXECUTE ON OBJECT::bts_GetTrackedMessage
            TO BTS_OPERATORS;
        GRANT EXECUTE ON OBJECT::bts_GetTrackedMessageFragments
            TO BTS_OPERATORS;
        GRANT EXECUTE ON OBJECT::bts_GetTrackedMessageParts
            TO BTS_OPERATORS;
        GRANT EXECUTE ON OBJECT::ops_LoadMessageContext
            TO BTS_OPERATORS;
        GRANT EXECUTE ON OBJECT::ops_LoadMessages
            TO BTS_OPERATORS;
        GRANT EXECUTE ON OBJECT::ops_LoadPart
            TO BTS_OPERATORS;
        GRANT EXECUTE ON OBJECT::ops_LoadPartFragment
            TO BTS_OPERATORS;
        GRANT EXECUTE ON OBJECT::ops_LoadPartNames
            TO BTS_OPERATORS;
        GRANT EXECUTE ON OBJECT::ops_LoadParts
            TO BTS_OPERATORS;
        GRANT EXECUTE ON OBJECT::ops_LoadTrackedMessageContext
            TO BTS_OPERATORS;
        GRANT EXECUTE ON OBJECT::ops_LoadTrackedMessages
            TO BTS_OPERATORS;
        GRANT EXECUTE ON OBJECT::ops_LoadTrackedPart
            TO BTS_OPERATORS;
        GRANT EXECUTE ON OBJECT::ops_LoadTrackedPartByID
            TO BTS_OPERATORS;
        GRANT EXECUTE ON OBJECT::ops_LoadTrackedPartFragment
            TO BTS_OPERATORS;
        GRANT EXECUTE ON OBJECT::ops_LoadTrackedPartNames
            TO BTS_OPERATORS;
        GRANT EXECUTE ON OBJECT::ops_LoadTrackedParts
            TO BTS_OPERATORS;
    GO
    USE BizTalkMgmtDb;
        GRANT EXECUTE ON OBJECT::dpl_MessageType_Part_Save
            TO BTS_OPERATORS;
        GRANT EXECUTE ON OBJECT::dpl_MessageType_Save
            TO BTS_OPERATORS;
        GRANT EXECUTE ON OBJECT::dpl_Operation_MsgType_Save
            TO BTS_OPERATORS;
        GRANT EXECUTE ON OBJECT::dpl_SaveItem
            TO BTS_OPERATORS;
    GO


    Regards Pushpendra K Singh

    Tuesday, January 6, 2015 3:04 PM
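
    One way to approach the "unknowns/risk" part of the question, as an added example (not from the original post or the linked blog): inventory the explicit object-level permissions BTS_OPERATORS holds in the three databases before and after running the script, so the change is documented and can be reversed. It assumes the default database names used in the script above; the temp table name #operator_grants is made up for this example.

```sql
-- Added example: list every explicit object-level permission held by
-- BTS_OPERATORS in the three databases the script touches.
-- Read-only against the BizTalk databases; results go to a temp table.
IF OBJECT_ID('tempdb..#operator_grants') IS NOT NULL
    DROP TABLE #operator_grants;

CREATE TABLE #operator_grants (          -- hypothetical name for this example
    database_name   sysname,
    object_name     sysname,
    object_type     nvarchar(60),
    permission_name nvarchar(128),
    state_desc      nvarchar(60),        -- GRANT, DENY, GRANT_WITH_GRANT_OPTION
    grantor         sysname
);

DECLARE @db sysname, @sql nvarchar(max);
DECLARE db_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases
    WHERE name IN (N'BizTalkDTADb', N'BizTalkMsgBoxDb', N'BizTalkMgmtDb');

OPEN db_cursor;
FETCH NEXT FROM db_cursor INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
        INSERT INTO #operator_grants
        SELECT DB_NAME(), o.name, o.type_desc, pe.permission_name,
               pe.state_desc, gr.name
        FROM sys.database_permissions AS pe
        JOIN sys.database_principals AS pr
          ON pr.principal_id = pe.grantee_principal_id
        JOIN sys.database_principals AS gr
          ON gr.principal_id = pe.grantor_principal_id
        JOIN sys.objects AS o
          ON o.object_id = pe.major_id
        WHERE pe.class = 1               -- object- or column-level permission
          AND pr.name = N''BTS_OPERATORS'';';
    EXEC sys.sp_executesql @sql;
    FETCH NEXT FROM db_cursor INTO @db;
END
CLOSE db_cursor;
DEALLOCATE db_cursor;

SELECT * FROM #operator_grants
ORDER BY database_name, object_name, permission_name;
```

    Save the result set from before the change; any row that appears only afterwards is a grant the script introduced and is what a rollback would need to REVOKE. The four BizTalkMgmtDb procedures in the script carry "_Save" in their names, unlike the Get/Load procedures granted in the other two databases, so they are worth reviewing separately.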

Answers

  • Hi Pushpendra ,

    I don't think this way of granting permission is altogether supported by Microsoft. If you remember, we have a similar type of issue with ESB Toolkit 2.0 (granting permission on tables), which has been fixed in a later version. And this permission is altogether on the DBs, and we don't know its implications.

    So I won't support this methodology, but you can try it out in your testing environment if possible.

    Or else convince your client to look for some third-party tool which has this functionality, such as BizTalk 360, AIMS Innovation, etc.

    Thanks

    Abhishek

    Tuesday, January 6, 2015 3:22 PM
  • While I might be willing to look the other way in a TEST environment where diagnosing App or Data issues is necessary, no, do not do this in production.

    Modifications to the BizTalk databases are not supportable and should never be done.

    BizTalk 360 exists exactly for this purpose.

    Tuesday, January 6, 2015 4:48 PM
    Moderator
  • Hi Pushpendra,

    Strange that you have been challenged with limited access for the BizTalk operator group and you're considering options for updating the user access permissions at the database level. Two conflicting things.

    As suggested, the SQL script you have shown is not to be used in prod, and as the author of the article rightly highlighted, it's not supported. BizTalk 360 is an option.

    At one of our clients' places, we created a quick Windows operational tool using ExplorerOM.dll and WMI. You can create such a simple tool, not fancy though, in quick time. ExplorerOM.dll and WMI are meant for these types of requirements and you can expose them.


    If this answers your question please mark it accordingly. If this post is helpful, please vote as helpful by clicking the upward arrow mark next to my reply.

    Tuesday, January 6, 2015 7:59 PM
  • Agreed on BizTalk360 as the best way to handle access.

    Leonid Ganeline [BizTalk MVP]

    Tuesday, January 6, 2015 8:31 PM
    Moderator

All replies

  • Thanks Abhishek and John for your inputs.

    Regards Pushpendra K Singh

    Tuesday, January 6, 2015 5:54 PM
  • Thanks Ashwin and Leonid. Makes sense. I will pass this forum link/information to the decision makers. Think they were contemplating this as a short-term solution for the BizTalk production support guys. I agree it does carry a certain level of apprehension within.


    Regards Pushpendra K Singh

    Tuesday, January 6, 2015 8:41 PM
  • Hi Ashwin,

    Do you have the code for ExplorerOM.dll and WMI you mentioned, by any chance?


    Regards Pushpendra K Singh

    Thursday, January 8, 2015 7:45 PM
  • I have, but it's part of my own company's property, can't share, sorry mate. Just gave ExplorerOM.dll and WMI as an idea that you can also build a quick tool as we did.

    If this answers your question please mark it accordingly. If this post is helpful, please vote as helpful by clicking the upward arrow mark next to my reply.

    Thursday, January 8, 2015 7:52 PM
  • That should be fine, Ashwin. Understand there is no short way ;-). I will do a little digging. Thanks for taking out time and pointing the directions. I appreciate, as always, what you guys do for the BizTalk community.

    Regards Pushpendra K Singh

    Friday, January 9, 2015 4:22 PM