

What Are the Accounts and Groups to Create?

This topic provides a summary of the user accounts and groups that you create. In a multi-computer deployment, Commerce Server 2009 accounts and user groups must be created on the domain controller. In a single-server deployment, you can create these accounts and groups on the computer where Commerce Server 2009 is installed. For the internal/test and development environments, create the same accounts and groups that you create for the data domain in the production environment.

See the following sections for the account and group requirements for each of these areas:

  • Commerce Server User and Service Accounts

  • Commerce Server Groups and Account Assignments

  • Additional User Groups for Granular Security

  • SQL Server Database Instances, Accounts, and Role User Mappings

Commerce Server User and Service Accounts

The following table lists the accounts that you create or that are created when you install prerequisite software. You must create the <CS Direct Mailer User>, <CS Installer>, <CS Staging User>, CSLOB, and RunTimeUser accounts before you install Commerce Server 2009. Registering ASP.NET 2.0 as the default framework creates the ASPNET account. After installation, you create the SQL Server login accounts and add the user accounts to the appropriate Windows user groups.

For information about registering ASP.NET as the default framework, see "Install Prerequisite Software" in the Commerce Server 2009 Installation and Configuration Guide at https://go.microsoft.com/fwlink/?LinkId=139462.

| Account name | Description | Windows User Group | SQL Server login account |
|---|---|---|---|
| <CS Direct Mailer User> | Account of the person who manages the Direct Mailer service. | not applicable | not applicable |
| <CS Installer> | Account of the person logged on to install and configure Commerce Server 2009. | Administrator, CatalogAdminGroup, MarketingAdminGroup, OrdersAdminGroup, ProfilesAdminGroup | not applicable |
| <CS Staging User> | Account of the person who manages Commerce Server 2009 Staging. | not applicable | <CS Staging User> |
| ASPNET | Account that is used for running the ASP.NET worker process (aspnet_wp.exe). | not applicable | ASPNET |
| BizTalkAdmin | BizTalk Server Administrator identity. | Administrators, BizTalk Server Administrators, BizTalk Server Operators | not applicable |
| BizTalkSvc | BizTalk Server service identity. | BizTalk Application Users, BizTalk Isolated Host Users, IIS_WPG or IIS_IUSRS, SQLServer2005NotificationServicesUser, SSO Administrators | BizTalkSvc |
| CLUSvc | Cluster service identity. Create only for clustered instances of SQL Server, on the data tier domain controller. | not applicable | not applicable |
| CSDMSvc | Commerce Server 2009 Direct Mailer service identity. | DML_SG | CSDMSvc |
| CSHealthMonitorSvc | Commerce Server 2009 Health Monitoring service identity. Create on the domain controller only. | not applicable | CSHealthMonitorSvc |
| CSLOB | Commerce Server 2009 Adapters identity. | not applicable | not applicable |
| CSStageSvc | Commerce Server 2009 Staging (CSS) service identity. | CSS_SG, CSS Administrators, CSS Operators | CSStageSvc |
| DTSImport | Data Transformation Services (DTS) import identity. | not applicable | not applicable |
| MOMSvc | Microsoft System Center Operations Manager (SCOM) service identity. | not applicable | not applicable |
| RunTimeUser | Anonymous user identity (IIS account for Commerce Server 2009). | IIS_WPG (on Windows Server 2003) or IIS_IUSRS (on Windows Server 2008) | RunTimeUser |
| SQLSvc | SQL Server service identity. | not applicable | not applicable |

It is highly recommended that you create each of these accounts by using the following requirements for strong passwords:

  • Passwords must be at least six (6) characters long.

  • Passwords may not contain your user name or any part of your full name.

  • Passwords must contain characters that are uppercase letters, lowercase letters, numbers, and non-alphanumeric characters (such as punctuation symbols).

Commerce Server Groups and Account Assignments

Commerce Server Administrator Groups

You create four administrator groups summarized in the following table. These represent the minimum number of groups to define. You should create distinct user groups based on your business needs. You then assign these groups to authorization roles through the Authorization Manager. For more information, see Authorizing Users and Groups to Access Web Services.

| User group | Description | Accounts to assign |
|---|---|---|
| CatalogAdminGroup | Administrator group for the Catalog and Inventory Web services. | <CS Installer>, Business User Accounts |
| MarketingAdminGroup | Administrator group for the Marketing Web services. | <CS Installer>, Business User Accounts |
| OrdersAdminGroup | Administrator group for the Orders Web services. | <CS Installer>, Business User Accounts |
| ProfilesAdminGroup | Administrator group for the Profiles Web services. | <CS Installer>, Business User Accounts |

For a production deployment, you will want to define more groups in order to take full advantage of the predefined authorization roles that are available. For a description of each predefined role, see Additional User Groups for Granular Security later in this topic.

Commerce Server Site and Account and Application Pool Assignments

The following table summarizes the default names for the accounts and application pool that you create when you unpack a Commerce Server 2009 site.

| Default name | Windows service account | SQL Server login account | Application pool |
|---|---|---|---|
| DefaultSite | RunTimeUser | RunTimeUser | DefaultSiteAppPool |
| CSharpSite | RunTimeUser | RunTimeUser | CSharpSiteAppPool |

Commerce Server Web Services and Account and Application Pool Assignments

When you unpack a site, Commerce Server 2009 installs the Web services that you select. Each Commerce Server 2009 Web service requires a Windows user account, a Windows user group, a SQL Server login account, and an application pool. The following table summarizes the default names that Commerce Server 2009 and the installation guide use. You create the Windows user accounts before you unpack a site; you create the SQL Server login accounts and application pools after you unpack the site.

| Commerce Server 2009 Web service | Default name | Windows user account | Windows user group | SQL Server login account | Application pool |
|---|---|---|---|---|---|
| Catalog | CatalogWebService | CatalogWebSvc | CatalogAdminGroup, IIS_WPG or IIS_IUSRS | CatalogWebSvc | CatalogWebSvcAppPool |
| Marketing | MarketingWebService | MarketingWebSvc | MarketingAdminGroup, IIS_WPG or IIS_IUSRS | MarketingWebSvc | MarketingWebSvcAppPool |
| Orders | OrdersWebService | OrdersWebSvc | OrdersAdminGroup, IIS_WPG or IIS_IUSRS | OrdersWebSvc | OrdersWebSvcAppPool |
| Profiles | ProfilesWebService | ProfilesWebSvc | ProfilesAdminGroup, IIS_WPG or IIS_IUSRS | ProfilesWebSvc | ProfilesWebSvcAppPool |

For each site that you unpack, we recommend that you create unique Web service account names, SQL Server login account names, Windows user groups, and application pools. You can share application pools, but we do not recommend this action.

Web Service Administrator Role Assignments

The following table lists the Web services and their corresponding authorization stores and administrator roles. You must assign each Web service account to its corresponding authorization role.

| Authorization store | Role | Account assignments |
|---|---|---|
| CatalogAuthorizationStore.xml | Administrator | CatalogWebSvc, <CS Installer> |
| MarketingAuthorizationStore.xml | MarketingAdministrator | MarketingWebSvc, <CS Installer> |
| OrdersAuthorizationStore.xml | OrdersAdministrator | OrdersWebSvc, <CS Installer> |
| ProfilesAuthorizationStore.xml | ProfileAdministrator | ProfilesWebSvc, <CS Installer> |

After you assign write permissions to the authorization stores, you assign users to the administrator roles for each Web service; a user who holds no role cannot perform any operation in the Business Management applications. By adding <CS Installer> to each administrator role, you can open and use each Business Management application.

BizTalk Adapters Role Assignments

The following table lists the role assignments to which CSLOB, the BizTalk adapters identity, must be added.

| Authorization store | Role | Description |
|---|---|---|
| CatalogAuthorizationStore | CatalogAdministrator | Gives the catalog adapter permission to import catalog changes and export catalogs. |
| CatalogAuthorizationStore | InventoryAdministrator | Gives the inventory adapter permission to import inventory catalog changes and export inventory catalogs. |
| OrdersAuthorizationStore | OrdersAdapter | Enables the orders adapter to perform all basic functions, such as Update Purchase Order, Save Purchase Order, Accept Basket, Orders Query, and Orders Export. |
| ProfilesAuthorizationStore | UserObject, ProfileWriter_Adapter | Enables the profiles adapter to update profile objects when it uses the following operations: Profile Delete, Profile Update, Profile Import, Profile Query, and Profile Export. |

Commerce Server Health Monitoring Service Role Assignments

For Commerce Server 2009 to monitor the Web services, you must grant the Commerce Server 2009 Health Monitoring service permissions to view each service. The following table lists the role assignments you assign to the CSHealthMonitorSvc account.

| Authorization store | Role |
|---|---|
| CatalogAuthorizationStore.xml | CatalogViewer |
| MarketingAuthorizationStore.xml | MarketingViewer |
| OrdersAuthorizationStore.xml | OrdersViewer |
| ProfilesAuthorizationStore.xml | ProfileAdministrator |

Additional User Groups for Granular Security

The following sections summarize the various authorization roles that are predefined for the Commerce Server 2009 systems. For each authorization role of interest, create an associated user group on the domain controller. You can then add business user accounts to the user group.

  • Catalog and Inventory Systems

  • Marketing System

  • Orders System

  • Profiles System

For each user group you create, you must assign the groups to authorization roles through the Authorization Manager. For more information, see Authorizing Users and Groups to Access Web Services.

Note

A few features require permissions in more than one authorization store. For example, the authorization role must have Profiles Administrator and Catalog Viewer permissions to create credit card profiles.

Catalog and Inventory Systems

The following table describes the predefined authorization roles for the Catalog System and the Inventory System.

| Role | Description |
|---|---|
| CatalogAdministrator | Members can manage the Catalog System. |
| CatalogViewer | Members have read access to the Catalog System. |
| CatalogManager | Members can manage all the catalogs in the Catalog System. |
| SchemaManager | Members can manage the catalog and inventory schema, including property, category, and product definitions. |
| CatalogSetsAdministrator | Members can manage all the catalog sets. |
| CatalogSetsViewer | Members can view all the catalog sets in the Catalog System. |
| InventoryAdministrator | Members can manage the Inventory System. |
| InventoryViewer | Members can view all the catalogs in the Inventory System. |
| InventorySynchronizationManager | Members can synchronize the run-time Inventory System with the management system. |
| Administrator | Members can manage the Catalog System and the Inventory System. |

Marketing System

The following table describes the predefined authorization roles for the Marketing System.

| Role | Description |
|---|---|
| MarketingAdministrator | Members have full access to every operation in the Marketing System. |
| MarketingApprover | Members can approve or reject marketing items, such as campaigns, discounts, and expressions. |
| MarketingAuthor | Members can create marketing-related items, including customers, campaigns, discounts, and expressions. |
| MarketingViewer | Members can view and search marketing items, including campaign event logs. |
| GlobalExpressionAuthor | Members can create, edit, and delete global expressions across multiple discounts. |
| RuntimeSiteManager | Members can refresh the Discounts and Advertisements caches of the run-time site. |

Orders System

The following table describes the predefined authorization roles for the Orders System.

| Role | Description |
|---|---|
| OrdersAdministrator | Members can manage data integrity and cleanup issues. |
| OrdersConfigurationEditor | Members can manage orders configuration data for the site. |
| OrdersViewer | Members have read access to view orders. |
| OrdersAdapter | Members can search orders for order processing and updates. |

Profiles System

The following table describes the predefined authorization roles for the Profiles System.

| Role | Description |
|---|---|
| ProfileAdministrator | Members have complete access to the Profiles System. |
| ProfileWriter_BusinessManager | Members of this scope-level role have access to the profile definition within the scope. There are six profile definitions: UserObject, Address, Organization, BlanketPO, CreditCard, and Currency. |
| ProfileWriter_CSR | Members of this scope-level role have access to the profile definition within the scope. |
| ProfileWriter_Adapter | Members of this scope-level role have access to the profile definition within the scope. |

Users of the scope-level roles have access only to the profile type within the scope name. For example, members of the ProfileWriter_BusinessManager role in the UserObject scope have access to the UserObject profile definition only. You must add users to each scope-level role individually.

SQL Server Database Instances, Accounts, and Role User Mappings

SQL Server Database Instances Created for Commerce Server

The following table summarizes the Commerce Server 2009 databases and default database names that Commerce Server 2009 and the installation guide use.

| Commerce Server 2009 SQL Server database instance | Default database name | How the database is created |
|---|---|---|
| CS Administration | MSCS_Admin | Created by the Commerce Server 2009 Configuration Wizard. |
| CS Catalog Scratch | MSCS_CatalogScratch | Created by unpacking the catalog site resource. |
| Direct Mailer | DirectMailer | Created by the Commerce Server 2009 Configuration Wizard. |
| Site Catalog | <site_name>_productcatalog | Created when you unpack the site resource. |
| Site Marketing | <site_name>_marketing | Created when you unpack the site resource. |
| Site Marketing List | <site_name>_marketing_lists | Created when you unpack the site resource. |
| Site Profiles | <site_name>_profiles | Created when you unpack the site resource. |
| Site Transaction Configuration | <site_name>_transactionconfig | Created when you unpack the site resource. |
| Site Transactions | <site_name>_transactions | Created when you unpack the site resource. |

SQL Database Account, Database, and Database Role User Mapping

The following table lists the accounts on the computers that are running SQL Server that you must add to the specified roles. By default, the database names start with DefaultSite. However, you might have specified different database names when you unpacked your site.

| Database account | Database | SQL Server roles |
|---|---|---|
| ASPNET | MSCS_Admin | db_datareader |
| CatalogWebSvc | MSCS_Admin | admin_reader_role |
| CatalogWebSvc | MSCS_CatalogScratch | db_datareader, db_datawriter, db_ddladmin |
| CatalogWebSvc | DefaultSite_ProductCatalog | ctlg_CatalogWriterRole, db_datareader, db_datawriter, db_ddladmin, db_securityadmin, Inventory_ReaderRole, Inventory_WriterRole |
| MarketingWebSvc | MSCS_Admin | admin_reader_role |
| MarketingWebSvc | DefaultSite_Marketing | mktg_MarketingService_role, mktg_promoCodeGenerator_role |
| MarketingWebSvc | DefaultSite_MarketingLists | db_owner |
| MarketingWebSvc | DefaultSite_ProductCatalog | ctlg_catalogReaderRole |
| MarketingWebSvc | DefaultSite_Profiles | Profile_Reader, Profile_Schema_Reader |
| OrdersWebSvc | MSCS_Admin | admin_reader_role |
| OrdersWebSvc | MSCS_CatalogScratch | db_datareader, db_datawriter, db_ddladmin |
| OrdersWebSvc | DefaultSite_Marketing | db_ddladmin, mktg_runtime_role |
| OrdersWebSvc | DefaultSite_ProductCatalog | ctlg_catalogReaderRole, Inventory_ReaderRole |
| OrdersWebSvc | DefaultSite_Profiles | Profile_Reader, Profile_Schema_Reader |
| OrdersWebSvc | DefaultSite_TransactionConfig | Orders_Management |
| OrdersWebSvc | DefaultSite_Transactions | Orders_Management, Orders_Runtime |
| ProfilesWebSvc | MSCS_Admin | admin_reader_role |
| ProfilesWebSvc | DefaultSite_Profiles | Profile_Schema_Manager, Profile_Runtime |
| RunTimeUser | MSCS_Admin | admin_reader_role |
| RunTimeUser | MSCS_CatalogScratch | db_datareader, db_datawriter, db_ddladmin |
| RunTimeUser | DefaultSite_Marketing | db_ddladmin, mktg_runtime_role |
| RunTimeUser | DefaultSite_MarketingLists | db_datareader |
| RunTimeUser | DefaultSite_ProductCatalog | ctlg_catalogReaderRole, Inventory_RuntimeRole |
| RunTimeUser | DefaultSite_Profiles | Profile_Schema_Reader, Profile_Runtime |
| RunTimeUser | DefaultSite_TransactionConfig | Orders_Runtime |
| RunTimeUser | DefaultSite_Transactions | Orders_Runtime |
| CSDMSvc | DirectMailer | db_owner |
| CSDMSvc | MSCS_Admin | admin_reader_role |
| CSDMSvc | DefaultSite_Marketing | mktg_directmailer_role |
| CSDMSvc | DefaultSite_MarketingLists | db_owner |
| CSDMSvc | DefaultSite_Profiles | Profile_Schema_Reader, Profile_Reader |
| CSHealthMonitorSvc | MSCS_Admin | admin_reader_role |
| CSStageSvc | MSCS_Admin | admin_reader_role |
| CSStageSvc | MSCS_CatalogScratch | db_datareader, db_datawriter, db_ddladmin |
| CSStageSvc | DefaultSite_Marketing | db_ddladmin, mktg_staging_role |
| CSStageSvc | DefaultSite_MarketingLists | db_datareader |
| CSStageSvc | DefaultSite_ProductCatalog | ctlg_CatalogWriterRole, db_datareader, db_datawriter, db_ddladmin, db_securityadmin, Inventory_ReaderRole, Inventory_WriterRole |
| CSStageSvc | DefaultSite_Profiles | Profile_Schema_Manager |
| CSStageSvc | DefaultSite_TransactionConfig | Orders_Management |
| <CS Staging User> | MSCS_Admin | db_datareader |
| <CS Staging User> | MSCS_CatalogScratch | db_datareader, db_datawriter, db_ddladmin |
| <CS Staging User> | DefaultSite_ProductCatalog | ctlg_CatalogWriterRole, Inventory_ReaderRole |
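As an added example that is not part of the installation guide, the following T-SQL provisions the CatalogWebSvc rows of the table above (login, per-database user, and exactly the listed roles) and then lists the roles the account actually holds so the mapping can be verified against the table. The domain name CONTOSO and the DefaultSite database names are assumptions.

```sql
-- Added example, not from the installation guide: grants the CatalogWebSvc
-- account exactly the roles the table above lists for MSCS_Admin,
-- MSCS_CatalogScratch and DefaultSite_ProductCatalog, then audits the result.
-- Assumptions: the Windows domain is CONTOSO (placeholder) and the site was
-- unpacked with the default DefaultSite database names. sp_addrolemember is
-- used because the SQL Server 2005/2008 releases of that era do not support
-- ALTER ROLE ... ADD MEMBER (available from SQL Server 2012 onward).
USE master;
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\CatalogWebSvc')
    CREATE LOGIN [CONTOSO\CatalogWebSvc] FROM WINDOWS;  -- Windows login: no SQL password to manage
GO

USE MSCS_Admin;
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'CONTOSO\CatalogWebSvc')
    CREATE USER [CONTOSO\CatalogWebSvc] FOR LOGIN [CONTOSO\CatalogWebSvc];
EXEC sp_addrolemember N'admin_reader_role', N'CONTOSO\CatalogWebSvc';
GO

USE MSCS_CatalogScratch;
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'CONTOSO\CatalogWebSvc')
    CREATE USER [CONTOSO\CatalogWebSvc] FOR LOGIN [CONTOSO\CatalogWebSvc];
EXEC sp_addrolemember N'db_datareader', N'CONTOSO\CatalogWebSvc';
EXEC sp_addrolemember N'db_datawriter', N'CONTOSO\CatalogWebSvc';
EXEC sp_addrolemember N'db_ddladmin',   N'CONTOSO\CatalogWebSvc';
GO

USE DefaultSite_ProductCatalog;
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'CONTOSO\CatalogWebSvc')
    CREATE USER [CONTOSO\CatalogWebSvc] FOR LOGIN [CONTOSO\CatalogWebSvc];
EXEC sp_addrolemember N'ctlg_CatalogWriterRole', N'CONTOSO\CatalogWebSvc';
EXEC sp_addrolemember N'db_datareader',          N'CONTOSO\CatalogWebSvc';
EXEC sp_addrolemember N'db_datawriter',          N'CONTOSO\CatalogWebSvc';
EXEC sp_addrolemember N'db_ddladmin',            N'CONTOSO\CatalogWebSvc';
EXEC sp_addrolemember N'db_securityadmin',       N'CONTOSO\CatalogWebSvc';
EXEC sp_addrolemember N'Inventory_ReaderRole',   N'CONTOSO\CatalogWebSvc';
EXEC sp_addrolemember N'Inventory_WriterRole',   N'CONTOSO\CatalogWebSvc';
GO

-- Audit: list every database role the account holds in the current database.
-- Run it in each database after provisioning and compare with the table;
-- any role not listed there (db_owner in particular) is excess privilege.
SELECT DB_NAME() AS database_name, r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'CONTOSO\CatalogWebSvc'
ORDER BY r.name;
GO
```

The same pattern, with the account name and role list swapped, provisions each of the other accounts in the table; the audit query is the check to repeat after any later change to the databases.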

See Also

Other Resources

  • What Are the Required Accounts and Groups?

  • How to Create a Domain Account in Active Directory

  • How to Create a Group in Active Directory

  • How to Create a Local Account

  • How to Create a Windows Group

  • How to Add Business User Accounts to Active Directory Groups

  • Authorizing Users and Groups to Access Web Services

  • Configuring a Domain Controller

  • Authorization Manager Policy Access

  • Creating Accounts and Groups