How to give read only access to the BizTalk server to the BizTalk users

Problem Description:
===================

We get a lot of cases where customers ask how they can give their users read-only access to BizTalk Server.

The users should be able to open the BizTalk Server Administration Console and view the BizTalk configuration, but they should not be able to change any properties from the console.

Solution
=========

To open the BizTalk Server Administration Console, a user must be a member of either the BizTalk Server Administrators group or the BizTalk Server Operators group.

A member of the BizTalk Server Administrators group can do everything in the Administration Console.

A member of the BizTalk Server Operators group is limited mainly to monitoring. Operators can also perform a few operational actions, such as starting/stopping orchestrations and enabling/disabling send ports and receive locations, but they cannot create new artifacts (receive locations, send ports, etc.) or change the configuration.

There is no built-in BizTalk group that is strictly read-only, so the workaround is to add the users only to the BizTalk Server Operators group and not to the BizTalk Server Administrators group. Keep in mind that this is "read-only" only with respect to configuration: Operators can still start, stop, enable and disable artifacts and terminate or resume service instances, as listed below.

Members of the BizTalk Server Operators group can do the following:

a. View the Group Hub page, perform queries, save and load queries.

b. View query results.

c. Start or stop applications.

d. Start or stop orchestrations.

e. Start or stop send ports or send port groups.

f. Enable or disable receive locations. The changes do not take effect until the next cache refresh interval, which is 60 seconds by default. The cache refresh interval is set at the BizTalk Server group level.

g. Terminate and resume service instances.

Members of the BizTalk Server Operators group cannot do the following:

a. Modify the configuration for BizTalk Server.

b. Create a MessageBox database.

c. Create or delete a BizTalk host.

d. Change the Host Tracking property for a host.

e. Create (install), delete, or change the credentials for a host instance.

f. Start or stop a host instance.

g. Add or remove a server.

h. Add or remove a receive handler.

i. Add an adapter.

j. View message properties.

k. Save a message body.

l. Use the Find Message query in HAT.

m. Use the query builder in HAT.

n. Use the Orchestration Debugger.

o. View message context properties classified as Personally Identifiable Information (PII), or message bodies.

p. Modify the course of message routing, such as removing or adding subscriptions to the running system, including the ability to publish messages into the BizTalk Server runtime.

Two things to note here:

1. If a user who is a member of the BizTalk Server Operators group is also a local administrator on the computers running BizTalk Server, this user can access data beyond what the Operators role allows on those computers. In other words, putting an Operator into the local Administrators group of a BizTalk server effectively undoes the read-only restriction on that server.

2. If you want a user who is a member of the BizTalk Server Operators group to monitor remote BizTalk servers, this user must also be a member of the local Administrators group on the remote computers. Taken together with the first note, this means a user who needs to monitor remote servers ends up with more than read-only access on those servers, so check local Administrators membership on every BizTalk server, not just the BizTalk groups.
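The following PowerShell script is an added example for the workaround described in the Solution section and for the two notes above; it is not code from the original article. It assumes that the two BizTalk groups are Active Directory domain groups with the default names chosen during BizTalk configuration, that the ActiveDirectory module is installed where the script runs, that PowerShell remoting is enabled on the BizTalk servers, and that the account running it may manage those groups. The user names, server names and domain name are hypothetical. It first makes sure each user is in BizTalk Server Operators and not in BizTalk Server Administrators, then reports every Operator who is a local administrator on any listed BizTalk server, expanding domain groups nested in the local Administrators group so that indirect membership is caught too.

```powershell
# Added example, not from the original article. All names below are hypothetical
# and the group names are the BizTalk configuration defaults (an assumption).
param(
    [string[]] $Users          = @('jdoe', 'asmith'),          # accounts that should get Operators-only access
    [string[]] $BizTalkServers = @('BTS-APP01', 'BTS-APP02'),  # every server in the BizTalk group
    [string]   $OperatorsGroup = 'BizTalk Server Operators',
    [string]   $AdminsGroup    = 'BizTalk Server Administrators',
    [string]   $Domain         = 'CONTOSO'
)

Import-Module ActiveDirectory

function Get-GroupSamAccounts {
    # SamAccountNames of a domain group's members. -Recursive expands nested groups,
    # so a user who is in Administrators via another group is still detected.
    param([string] $Group, [switch] $Recursive)
    Get-ADGroupMember -Identity $Group -Recursive:$Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Select-Object -ExpandProperty SamAccountName
}

# 1. Enforce "Operators only": add to Operators, and remove from Administrators if present.
#    Administrators membership would override the read-only intent completely.
$operators    = Get-GroupSamAccounts $OperatorsGroup -Recursive
$directAdmins = Get-GroupSamAccounts $AdminsGroup             # direct members only: these can be removed
$allAdmins    = Get-GroupSamAccounts $AdminsGroup -Recursive  # includes membership via nested groups

foreach ($u in $Users) {
    if ($operators -notcontains $u) {
        Add-ADGroupMember -Identity $OperatorsGroup -Members $u
        Write-Host "Added $u to '$OperatorsGroup'"
    }
    if ($directAdmins -contains $u) {
        Remove-ADGroupMember -Identity $AdminsGroup -Members $u -Confirm:$false
        Write-Warning "Removed $u from '$AdminsGroup' (direct member; this would have granted full control)"
    } elseif ($allAdmins -contains $u) {
        # Nested membership cannot be removed here; it has to be fixed in the nesting group.
        Write-Warning "$u is in '$AdminsGroup' through a nested group; fix that group membership manually"
    }
}

# 2. Audit note 1 above: an Operator who is also a local administrator on a BizTalk server
#    has access beyond the Operators role on that server. Collect the local Administrators
#    group of every BizTalk server (PSComputerName is added by Invoke-Command).
$localAdminEntries = Invoke-Command -ComputerName $BizTalkServers -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass
}

$effectiveLocalAdmins = foreach ($entry in $localAdminEntries) {
    $sam = ($entry.Name -split '\\')[-1]
    if ($entry.ObjectClass -eq 'User') {
        [pscustomobject]@{ Server = $entry.PSComputerName; User = $sam; Via = 'direct' }
    } elseif ($entry.ObjectClass -eq 'Group' -and $entry.Name -like "$Domain\*") {
        # Expand domain groups nested in the local Administrators group (e.g. Domain Admins).
        # Local and BUILTIN groups are skipped because they are not resolvable through AD.
        foreach ($nested in (Get-GroupSamAccounts $sam -Recursive)) {
            [pscustomobject]@{ Server = $entry.PSComputerName; User = $nested; Via = $entry.Name }
        }
    }
}

$operatorsNow = Get-GroupSamAccounts $OperatorsGroup -Recursive
$overlap = $effectiveLocalAdmins | Where-Object { $_.User -in $operatorsNow }

if ($overlap) {
    # Note 2 above means some of these may be deliberate (remote monitoring needs local admin),
    # but each one is a server where the Operators restriction no longer holds.
    Write-Warning "Operators group members who are local administrators on a BizTalk server:"
    $overlap | Sort-Object Server, User | Format-Table Server, User, Via -AutoSize
} else {
    Write-Host "No Operators group member is a local administrator on the listed servers."
}
```

Run it from an administrative PowerShell session on a machine with the RSAT ActiveDirectory module; the second half needs remoting to each BizTalk server. If your BizTalk groups are local groups rather than domain groups, replace the `Get-ADGroupMember`/`Add-ADGroupMember`/`Remove-ADGroupMember` calls with `Get-LocalGroupMember`/`Add-LocalGroupMember`/`Remove-LocalGroupMember` run on each server through `Invoke-Command`.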

Related links:

https://technet.microsoft.com/en-us/library/aa578061.aspx

https://technet.microsoft.com/en-us/library/aa559845.aspx

Comments

  • Anonymous
    August 04, 2010
    I'm trying to give developers access to view suspended message context and details in QA, but the Operators group doesn't have access to view message context. Can somebody help with giving them read access to view message context without making them part of the Administrators group?

  • Anonymous
    May 03, 2011
    This is just for information purposes. BizTalk 360, a production support/monitoring tool for BizTalk Server (http://www.biztalk360.com), is capable of solving this exact issue. It provides the ability to assign fine-grained authorization to users on a production environment. You can limit users to certain BizTalk applications, you can provide users only read-only access, and you can restrict users from resuming/terminating suspended service instances. More details can be found at www.biztalk360.com/.../tour.aspx

  • Anonymous
    December 23, 2014
    www.codit.eu/.../elevating-permissions-for-biztalk-server-operators-group