Managing Users and Roles

When a server administrator installs Workflow Services for SQL Server, the installation creates a Microsoft® Windows® group called modAppOwners and adds DCOM permissions making it possible for members of that group to create applications.

Setup then creates a SQL Server login called <servername>\modAppOwners and adds the Windows modAppOwners group to the login. This login is added to the database creators role, which has the permissions necessary to create workflow applications based on a template, create SQL databases, and register workflow applications.

The modAppOwners Windows group is also added to the Microsoft® FrontPage® Administrator group, so members can create Webs for workflow applications.

To give a developer the appropriate permissions, a server administrator must add the developer's Windows domain account name to the Windows modAppOwners group.

Users and Roles

User access and security for workflow applications are based on SQL Server database users and roles. To manage the permissions in your project database easily, it is recommended that you define a set of roles based on job functions and assign each role the permissions that apply to that job, rather than assigning permissions to each individual user. To add or remove users and roles or set permissions on database objects, use the SQL Server Enterprise Manager.

To assign users and groups to database roles, the users and groups must have valid Windows 2000 domain accounts and SQL Server logins.

Note   If you make any changes to the membership of database roles in your workflow application, you must synchronize the Workflow Application User Directory for role permissions to work properly.

When you have created the Windows 2000 accounts, SQL Server logins, and database roles for your users, then you can assign the users to your workflow application. While the SQL Server login makes it possible for the users to connect to the SQL Server system, a database user account is required to access individual databases. These user accounts are created with Enterprise Manager for each workflow application and are unique to each application.
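The following Transact-SQL is an added example, not part of the original documentation, which performs these steps in Enterprise Manager. It shows the same chain (Windows account, SQL Server login, database user, role, role permissions) using SQL Server system stored procedures, followed by a query that lists permissions granted directly to users instead of roles. The domain CONTOSO, the account jsmith, the database IssueTracker, the table dbo.Issues, and the role IssueReviewers are all hypothetical names.

```sql
-- Added example. All names are hypothetical: CONTOSO\jsmith, IssueTracker,
-- dbo.Issues, IssueReviewers. Run as a server administrator.

-- 1. Server level: allow the Windows domain account to connect to SQL Server.
EXEC sp_grantlogin N'CONTOSO\jsmith'
GO

USE IssueTracker
GO

-- 2. Database level: the login alone cannot open the database;
--    create the database user account for it.
EXEC sp_grantdbaccess N'CONTOSO\jsmith', N'jsmith'
GO

-- 3. Define one role per job function.
EXEC sp_addrole N'IssueReviewers'
GO

-- 4. Grant permissions to the role, never to the individual user.
GRANT SELECT, UPDATE ON dbo.Issues TO IssueReviewers
GO

-- 5. Put the user in the role. After any membership change, synchronize
--    the Workflow Application User Directory.
EXEC sp_addrolemember N'IssueReviewers', N'jsmith'
GO

-- 6. Verify the membership.
EXEC sp_helprolemember N'IssueReviewers'
GO

-- 7. Audit: object permissions granted directly to users rather than roles.
--    An empty result means every grant goes through a role.
SELECT u.name            AS grantee,
       OBJECT_NAME(p.id) AS object_name,
       CASE p.action
            WHEN 193 THEN 'SELECT'
            WHEN 195 THEN 'INSERT'
            WHEN 196 THEN 'DELETE'
            WHEN 197 THEN 'UPDATE'
            WHEN 224 THEN 'EXECUTE'
            ELSE CAST(p.action AS varchar(10))
       END               AS permission
FROM   sysprotects p
       JOIN sysusers u ON u.uid = p.uid
WHERE  u.issqlrole = 0                 -- grantee is a user, not a role
       AND u.name <> N'dbo'
       AND p.protecttype IN (204, 205) -- GRANT WITH GRANT OPTION, GRANT
       AND p.id > 0                    -- object permissions only
       AND OBJECTPROPERTY(p.id, 'IsMSShipped') = 0
GO
```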

The Workflow Application User Directory

The workflow application User Directory stores information about the Windows domain users and groups that use the workflow applications on the server. You can choose to keep the workflow application User Directory current in one of the following three ways:

  • Synchronize with the Windows Active Directory/Exchange 2000 Server.

  • Synchronize with Microsoft® Exchange 5.5 Server. If you are using Exchange 5.5 Server to synchronize user information and a user has information in the Exchange Global Address List, then the additional information from Exchange is combined with the Windows 2000 user information in the user directory. If a Windows 2000 account has multiple Exchange mailboxes, the synchronization process automatically selects the first entry returned by Exchange. If you want to select a different mailbox, you can do so in the Workflow Manager for SQL Server.

  • Maintain the directory manually. The server administrator can edit user information using the User Information tab in the Workflow Manager, but cannot add new users.

    Note   Whenever you add or remove a user, the information in the user directory must be synchronized.

Windows Domain Account and SQL Server Login Authentication

Because Windows caches user credentials and SQL Server is using Windows authentication, any changes made to a user's Windows or SQL Server login accounts will not take effect until the user logs off and then logs back in. Therefore, if credentials are changed during an active connection, SQL Server will recognize the new credentials only after the user logs out and logs back in.

See Also

Managing the Server | Backing Up and Restoring Workflow Applications | Managing Workflow Applications | Creating New Applications from Templates | Moving a Workflow Application to a Different Server | Removing a Workflow Application from the Server | Synchronizing User Information | Editing User Information | Managing Templates