What Are the Required Database Accounts and Database Role Mappings?
This topic summarizes the database accounts and database role mappings that you use to help secure a Commerce Server 2009 deployment. You use database accounts that correspond to Commerce Server 2009 service accounts as logins for the SQL Server databases. This limits the service accounts to the access needed to perform their functions. When you configure Commerce Server 2009 or unpack a site, the SQL Server databases and roles are created.
Note
Several database names start with the name that you provided for your site; <site_name> is used in the following tables.
See the following topics for the database account and role mapping requirements for each of these areas:
Web Application Database Role Mappings
Direct Mailer Service Database Role Mappings
Commerce Server Staging System Database Role Mappings
Data Warehouse and Analytics System Database Role Mappings
Commerce Server Health Monitor Service Database Role Mappings
Web Application Database Role Mappings
The following table lists the accounts on the computers that are running SQL Server in the data tier that you must add to the specified roles. The database account names are identical to the account names that you create for the service identities.
Database account |
Database |
SQL Server roles |
|---|---|---|
ASPNet |
MSCS_Admin |
db_datareader |
CatalogWebSvc |
MSCS_Admin |
admin_reader_role |
MSCS_CatalogScratch |
db_ddladmin, db_datareader, db_datawriter |
|
<site_name>_ProductCatalog |
ctlg_CatalogWriterRole, db_ddladmin, db_securityadmin, Inventory_ReaderRole, Inventory_WriterRole, db_datareader, db_datawriter |
|
MarketingWebSvc |
MSCS_Admin |
admin_reader_role |
<site_name>_Marketing |
mktg_MarketingService_role, mktg_promoCodeGenerator_role |
|
<site_name>_MarketingLists |
db_owner |
|
OrdersWebSvc |
MSCS_Admin |
admin_reader_role |
MSCS_CatalogScratch |
db_datareader, db_datawriter, db_ddladmin |
|
<site_name>_Marketing |
mktg_runtime_role |
|
<site_name>_ProductCatalog |
ctlg_catalogReaderRole, Inventory_ReaderRole |
|
<site_name>_Profiles |
Profile_Reader, Profile_Schema_Reader |
|
<site_name>_TransactionConfig |
Orders_Management |
|
<site_name>_Transactions |
Orders_Management, Orders_Runtime |
|
ProfilesWebSvc |
MSCS_Admin |
admin_reader_role |
<site_name>_Profiles |
Profile_Schema_Manager, Profile_Runtime |
|
RunTimeUser |
MSCS_Admin |
admin_reader_role |
MSCS_CatalogScratch |
db_datareader, db_datawriter, db_ddladmin |
|
<site_name>_Marketing |
mktg_runtime_role |
|
<site_name>_MarketingLists |
db_datareader |
|
<site_name>_ProductCatalog |
ctlg_catalogReaderRole, Inventory_RuntimeRole |
|
<site_name>_Profiles |
Profile_Schema_Reader, Profile_Runtime |
|
<site_name>_TransactionConfig |
Orders_Runtime |
|
<site_name>_Transactions |
Orders_Runtime |
Direct Mailer Service Database Role Mappings
The following table lists the database role mappings that you must make for the Direct Mailer service account on the computer that is running SQL Server in the data tier. Create a SQL Server login account for the Direct Mailer service account, CSDMSvc. The account name must match the name assigned in Active Directory. Assign the following role mappings to this account.
Database account |
Database |
SQL Server roles |
|---|---|---|
CSDMSvc |
DirectMailer |
db_owner |
MSCS_Admin |
admin_reader_role |
|
<site_name>_Marketing |
mktg_directmailer_role |
|
<site_name>_MarketingLists |
db_owner |
|
<site_name>_Profiles |
Profile_Schema_Reader, Profile_Reader |
Commerce Server Staging System Database Role Mappings
The following table lists the roles required to use Commerce Server 2009 staging. Create a SQL Server login account for the Commerce Server 2009 Staging (CSS) service account, CSStageSvc, and for the CSS user account, <data domain>/<Staging user>. The account name must match the name assigned in Active Directory. Assign the following role mappings to this account.
Database account |
Database |
SQL Server roles |
|---|---|---|
CSStageSvc |
MSCS_Admin |
admin_reader_role |
MSCS_CatalogScratch |
db_datareader, db_datawriter, db_ddladmin |
|
<site_name>_Marketing |
db_ddladmin, mktg_staging_role |
|
<site_name>_MarketingLists |
db_datareader |
|
<site_name>_ProductCatalog |
ctlg_CatalogWriterRole, db_datareader, db_datawriter, db_ddladmin, db_securityadmin, Inventory_ReaderRole, Inventory_WriterRole |
|
<site_name>_Profiles |
Profile_Schema_Manager |
|
<site_name>_TransactionConfig |
Orders_Management |
|
<data domain>/<Staging user>. |
<SiteName>_ProductCatalog |
ctlg_CatalogReaderRole, Inventory_ReaderRole |
MSCS_Admin |
db_datareader |
|
MSCS_CatalogScratch |
db_datareader, db_datawriter, db_ddladmin |
Additional role mappings are required when you add users to the system to stage specific projects. For more information, see What Database Access Permissions Must You Grant to CSS Authentication Accounts?
Data Warehouse and Analytics System Database Role Mappings
The following tables list the roles required to use the Commerce Server 2009 Data Warehouse.
Commerce Server Production Database Server
The following table lists the database role mappings that you must make for the Data Warehouse service account on the computer that is running SQL Server in the data tier. Create a SQL Server login account for the DTS Import service account, DTSImport. The account name must match the name created when you unpack the Data Warehouse resource. Assign the following role mappings to this account.
Database account |
Database |
SQL Server roles |
|---|---|---|
DTSImport |
ms_db |
db_datareader, db_dtsadmin, db_dtsltduser , db_dtsadmin, db_dtsoperator |
<sitename>_DataWarehouse |
db_datareader, db_datawriter, db_owner, db_ddladmin |
|
MSCS_Admin |
admin_reader_role |
|
<sitename>_DataWarehouse |
db_datareader |
|
<sitename>_marketing |
db_datareader |
|
<sitename>_marketing_lists |
db_datareader |
|
<sitename>_productcatalog |
db_datareader |
|
<sitename>_profiles |
db_datareader, Profile_Schema_Reader |
|
<sitename>_transactionconfig |
db_datareader |
|
<sitename>_transactions |
db_datareader |
|
MSCS_Admin |
admin_reader_role |
|
<sitename>_DataWarehouse |
db_datareader |
Data Warehouse and Analytics Server
The following table lists the database role mappings that you must make for the Data Warehouse service account on the computer that is running SQL Server for the Data Warehouse. Create a SQL Server login account for the DTS Import service account, DTSImport. The account name must match the name created when you unpack the Data Warehouse resource. Assign the following role mappings to this account.
Database account |
Database |
SQL Server role |
|---|---|---|
DTSImport |
msdb |
db_datareader, db_dtsadmin, db_dtsltduser , db_dtsoperator |
<sitename>_DataWarehouse |
db_datareader, db_datawriter, db_owner, db_ddladmin |
For more information on creating the DTSImport database login account and granting access, see How to Grant Permissions for Data Import.
Commerce Server Health Monitoring Database Role Mapping
The following table lists the database role mapping that you must make for the Health Monitoring service account on the computer that is running SQL Server in the data tier. Create a SQL Server login account for the Health Monitoring service account, CSHealthMonitorSvc. The account name must match the name created in Active Directory. Assign the following role mapping to this account.
Database account |
Database |
SQL Server role |
|---|---|---|
CSHealthMonitorSvc |
MSCS_Admin |
admin_reader_role |
See Also
Other Resources
How to Create the Database Accounts