Every BizTalk administrator has probably heard the complaint from BizTalk operators that they can see the number of suspended messages but cannot view the messages themselves. Another common remark is that operators cannot use the Orchestration Debugger. Debugging in production is not advisable, but with the debugger you can at least verify where an orchestration has halted.
Of course, for organisations where IT operations must comply with security regulations such as Sarbanes-Oxley or other compliance rules, the Microsoft best practices for BizTalk security apply. These can be found here. Only when those rules do not apply to your organisation, and after checking with whoever is responsible for security, should you tackle these problems in the way described below.
The super operator
There is a way to let operators view and save messages in the Administration console and use the Orchestration Debugger. Most of BizTalk's security is enforced in SQL Server, in the form of two database roles: BTS_OPERATORS for the operators and BTS_ADMIN_USERS for the BizTalk administrators. These roles are defined at database level and exist in every BizTalk database.
When the BizTalk group is configured, these roles are created with the relevant permissions (securables) on database objects. The Windows groups specified for operators and administrators in the BizTalk group configuration are given a SQL login and added to the accompanying role. Each role has its own securables: permissions on objects such as stored procedures and tables.
The administrators role holds far more of these securables. Below are the steps for creating a super operator role that gives operators extra permissions, for example the permission to save messages.
1. Create a windows group for the super operator.
First create a Windows group: a local group if you do not use Active Directory accounts and groups, otherwise an Active Directory group.
Add the members who should receive super operator rights. These members must already be members of the operators Windows group, because the super operator group is only an extension of the operator permissions.
Windows group membership is evaluated when a user's logon token is built, so members must log off and on again on the machine running the Administration console before the new group takes effect.
2. Create the SQL login for the super operators.
- Open SQL Server Management Studio and connect to the SQL Server instance that hosts the BizTalk group databases.
- Expand the server's Security node, right-click Logins and select New Login.
- In the Login name box, specify the group you created in step 1.
- On the User Mapping page, tick the checkbox for every BizTalk database.
This creates a user for the group in every BizTalk database.
3. Create the super operator role.
A role must be created for the super operator in the required BizTalk databases. In this scenario we only need the role in the BizTalk Management database (BizTalkMgmtDb by default) and the MessageBox database (BizTalkMsgBoxDb by default).
For other scenarios it may be necessary to create the role in the BAM databases too.
- In SQL Server Management Studio, expand the MessageBox database, then Security, and right-click the Roles node.
- Select New Database Role.
- Name the role BTS_SUPEROPERATOR. The owner can be dbo.
- Add the group you created in step 1 to the role members.
- Do the same in the Management database.
4. Adding the securables for viewing and saving messages.
In the MessageBox database, double-click the super operator role, open the Securables page and add the securables shown in the screenshot, following these steps:
- Click Add.
- Select Specific objects, click OK.
- Under Object Types tick Stored procedures, click OK.
- Click Browse and tick the stored procedures shown in the screenshot.
- Select each securable in turn and grant the role the Execute permission.
Now add the securables to the role in the Management database.
Follow the steps above, this time adding the securables shown in the next screenshot.
That's it. The new super operator group adds a level between the two roles that exist out of the box: there are now regular BizTalk operators, BizTalk super operators with save permissions, and BizTalk administrators. Keep in mind that saving a message means reading its body, so anyone in the super operator group can read every payload that lands in the MessageBox; keep the group small and grant Execute only on the procedures the task actually needs.
5. Adding another permission: the Orchestration Debugger.
To give the newly created BizTalk super operators this permission, add some extra securables to the SQL super operator role. This time the securables live in the tracking database (BizTalkDTADb), where step 3 did not create the role yet, so first create BTS_SUPEROPERATOR there as in step 3 (the login from step 2 already has a user in that database). Then add the securables shown in the following screenshot to the role in BizTalkDTADb and grant the role the Execute permission on each:
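The same provisioning as a T-SQL script, added here as an example and not code from the original post, so the change can be reviewed and re-run instead of clicked through SSMS. The Windows group name CONTOSO\BizTalk Super Operators, the default database names BizTalkMsgBoxDb, BizTalkMgmtDb and BizTalkDTADb, and the dbo schema are assumptions; the procedure names in @grants are placeholders for the ones shown in the screenshots and must be replaced before the script grants anything.

```sql
-- Added example, not code from the original post: T-SQL equivalent of steps 2 to 5.
-- Assumptions (not from the post): the Windows group is CONTOSO\BizTalk Super Operators,
-- the databases use their default names (BizTalkMsgBoxDb, BizTalkMgmtDb, BizTalkDTADb),
-- the procedures live in the dbo schema, and the names in @grants are placeholders
-- for the ones in the screenshots. Needs SQL Server 2012 or later (ALTER ROLE ...
-- ADD MEMBER, IS_ROLEMEMBER); run as sysadmin on the BizTalk SQL instance.
SET NOCOUNT ON;

DECLARE @grp    sysname = N'CONTOSO\BizTalk Super Operators';   -- assumed group name
DECLARE @role   sysname = N'BTS_SUPEROPERATOR';
DECLARE @q_grp  nvarchar(258) = QUOTENAME(@grp);                -- [CONTOSO\BizTalk Super Operators]
DECLARE @q_role nvarchar(258) = QUOTENAME(@role);               -- [BTS_SUPEROPERATOR]
DECLARE @sql    nvarchar(max);

-- Step 2: one server login for the Windows group, created only if it is missing.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = @grp)
BEGIN
    SET @sql = N'CREATE LOGIN ' + @q_grp + N' FROM WINDOWS;';
    EXEC sys.sp_executesql @sql;
END;

-- Steps 4 and 5: the securables, one row per (database, stored procedure) the role
-- must be able to EXECUTE. Placeholder names: replace them with the screenshots' procedures.
DECLARE @grants TABLE (db sysname NOT NULL, proc_name sysname NOT NULL);
INSERT INTO @grants (db, proc_name) VALUES
    (N'BizTalkMsgBoxDb', N'<procedure from the MessageBox screenshot>'),
    (N'BizTalkMgmtDb',   N'<procedure from the Management screenshot>'),
    (N'BizTalkDTADb',    N'<procedure from the tracking screenshot>');

-- Anything listed that is not a stored procedure in that database is reported here
-- and skipped below, so a typo cannot silently become a missing grant.
SELECT db, proc_name AS missing_procedure
FROM @grants
WHERE OBJECT_ID(QUOTENAME(db) + N'.dbo.' + QUOTENAME(proc_name), N'P') IS NULL;

-- Steps 2 to 5 per database: map the login to a user, create the role if needed,
-- put the group in it, and grant EXECUTE on the listed procedures.
DECLARE @db sysname;
DECLARE db_cur CURSOR LOCAL FAST_FORWARD FOR SELECT DISTINCT db FROM @grants;
OPEN db_cur;
FETCH NEXT FROM db_cur INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = ' + QUOTENAME(@grp, '''') + N')
    CREATE USER ' + @q_grp + N' FOR LOGIN ' + @q_grp + N';
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE type = ''R'' AND name = ' + QUOTENAME(@role, '''') + N')
    CREATE ROLE ' + @q_role + N' AUTHORIZATION dbo;
IF ISNULL(IS_ROLEMEMBER(' + QUOTENAME(@role, '''') + N', ' + QUOTENAME(@grp, '''') + N'), 0) = 0
    ALTER ROLE ' + @q_role + N' ADD MEMBER ' + @q_grp + N';';

    -- Append one GRANT per existing procedure for this database.
    SELECT @sql += N'
GRANT EXECUTE ON OBJECT::dbo.' + QUOTENAME(proc_name) + N' TO ' + @q_role + N';'
    FROM @grants
    WHERE db = @db
      AND OBJECT_ID(QUOTENAME(db) + N'.dbo.' + QUOTENAME(proc_name), N'P') IS NOT NULL;

    PRINT @sql;                  -- review exactly what runs against each database
    EXEC sys.sp_executesql @sql;

    FETCH NEXT FROM db_cur INTO @db;
END;
CLOSE db_cur;
DEALLOCATE db_cur;
```

The script is idempotent: re-running it after adding a procedure to @grants only issues the new GRANT. On SQL Server 2008 R2 and earlier, replace the ALTER ROLE line with sp_addrolemember and drop the IS_ROLEMEMBER guard.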
We will keep looking for extra permissions to add to the super operator role and will post them here. If you have found out which securables accompany certain rights, or have questions about this topic, feel free to comment on this post.
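One way to find candidate securables for further permissions, added here as an example and not part of the original post: compare what BTS_ADMIN_USERS is granted with what BTS_OPERATORS is granted in one BizTalk database. The role names are the ones BizTalk configuration creates; run the query with USE set to each BizTalk database in turn. Each resulting row maps to a GRANT of that permission on OBJECT::schema.object to BTS_SUPEROPERATOR, but grant only the ones that the failing console action actually needs: a SQL Server trace of the operator's session shows which procedure raised the permission-denied error.

```sql
-- Added example, not from the original post: securables that BTS_ADMIN_USERS holds
-- and BTS_OPERATORS lacks in the current database. Role names are the defaults
-- created by BizTalk configuration; run under USE <BizTalk database>.
;WITH perms AS (
    SELECT pr.name AS role_name,
           s.name  AS schema_name,
           o.name  AS object_name,
           o.type_desc,
           dp.permission_name
    FROM sys.database_permissions dp
    JOIN sys.database_principals pr ON pr.principal_id = dp.grantee_principal_id
    JOIN sys.objects o ON o.object_id = dp.major_id AND dp.class = 1   -- object-level permission
    JOIN sys.schemas s ON s.schema_id = o.schema_id
    WHERE dp.state IN ('G', 'W')     -- GRANT and GRANT WITH GRANT OPTION, not DENY
      AND dp.minor_id = 0            -- whole object, not a single column
)
SELECT a.schema_name, a.object_name, a.type_desc, a.permission_name
FROM perms a
WHERE a.role_name = N'BTS_ADMIN_USERS'
  AND NOT EXISTS (SELECT 1
                  FROM perms o
                  WHERE o.role_name       = N'BTS_OPERATORS'
                    AND o.schema_name     = a.schema_name
                    AND o.object_name     = a.object_name
                    AND o.permission_name = a.permission_name)
ORDER BY a.type_desc, a.schema_name, a.object_name;
```

The difference list is deliberately per database: the same procedure name can exist in more than one BizTalk database with different grants, and the role must be created in a database before any of these rows can be granted to it there.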