Share via


What Are the Required Database Accounts and Database Role Mappings?

This topic summarizes the database accounts and database role mappings that you use to help secure a Commerce Server 2009 deployment. You use database accounts that correspond to Commerce Server 2009 service accounts as logins for the SQL Server databases. This limits the service accounts to the access needed to perform their functions. When you configure Commerce Server 2009 or unpack a site, the SQL Server databases and roles are created.

Note

Several database names start with the name that you provided for your site; <site_name> is used in the following tables.

See the following topics for the database account and role mapping requirements for each of these areas:

  • Web Application Database Role Mappings

  • Direct Mailer Service Database Role Mappings

  • Commerce Server Staging System Database Role Mappings

  • Data Warehouse and Analytics System Database Role Mappings

  • Commerce Server Health Monitor Service Database Role Mappings

Web Application Database Role Mappings

The following table lists the accounts on the computers that are running SQL Server in the data tier that you must add to the specified roles. The database account names are identical to the account names that you create for the service identities.

Database account

Database

SQL Server roles

ASPNet

MSCS_Admin

db_datareader

CatalogWebSvc

MSCS_Admin

admin_reader_role

MSCS_CatalogScratch

db_ddladmin, db_datareader, db_datawriter

<site_name>_ProductCatalog

ctlg_CatalogWriterRole, db_ddladmin, db_securityadmin, Inventory_ReaderRole, Inventory_WriterRole, db_datareader, db_datawriter

MarketingWebSvc

MSCS_Admin

admin_reader_role

<site_name>_Marketing

mktg_MarketingService_role, mktg_promoCodeGenerator_role

<site_name>_MarketingLists

db_owner

OrdersWebSvc

MSCS_Admin

admin_reader_role

MSCS_CatalogScratch

db_datareader, db_datawriter, db_ddladmin

<site_name>_Marketing

mktg_runtime_role

<site_name>_ProductCatalog

ctlg_catalogReaderRole, Inventory_ReaderRole

<site_name>_Profiles

Profile_Reader, Profile_Schema_Reader

<site_name>_TransactionConfig

Orders_Management

<site_name>_Transactions

Orders_Management, Orders_Runtime

ProfilesWebSvc

MSCS_Admin

admin_reader_role

<site_name>_Profiles

Profile_Schema_Manager, Profile_Runtime

RunTimeUser

MSCS_Admin

admin_reader_role

MSCS_CatalogScratch

db_datareader, db_datawriter, db_ddladmin

<site_name>_Marketing

mktg_runtime_role

<site_name>_MarketingLists

db_datareader

<site_name>_ProductCatalog

ctlg_catalogReaderRole, Inventory_RuntimeRole

<site_name>_Profiles

Profile_Schema_Reader, Profile_Runtime

<site_name>_TransactionConfig

Orders_Runtime

<site_name>_Transactions

Orders_Runtime

Direct Mailer Service Database Role Mappings

The following table lists the database role mappings that you must make for the Direct Mailer service account on the computer that is running SQL Server in the data tier. Create a SQL Server login account for the Direct Mailer service account, CSDMSvc. The account name must match the name assigned in Active Directory. Assign the following role mappings to this account.

Database account

Database

SQL Server roles

CSDMSvc

DirectMailer

db_owner

MSCS_Admin

admin_reader_role

<site_name>_Marketing

mktg_directmailer_role

<site_name>_MarketingLists

db_owner

<site_name>_Profiles

Profile_Schema_Reader, Profile_Reader

Commerce Server Staging System Database Role Mappings

The following table lists the roles required to use Commerce Server 2009 staging. Create a SQL Server login account for the Commerce Server 2009 Staging (CSS) service account, CSStageSvc, and for the CSS user account, <data domain>/<Staging user>. The account name must match the name assigned in Active Directory. Assign the following role mappings to this account.

Database account

Database

SQL Server roles

CSStageSvc

MSCS_Admin

admin_reader_role

MSCS_CatalogScratch

db_datareader, db_datawriter, db_ddladmin

<site_name>_Marketing

db_ddladmin, mktg_staging_role

<site_name>_MarketingLists

db_datareader

<site_name>_ProductCatalog

ctlg_CatalogWriterRole, db_datareader, db_datawriter, db_ddladmin, db_securityadmin, Inventory_ReaderRole, Inventory_WriterRole

<site_name>_Profiles

Profile_Schema_Manager

<site_name>_TransactionConfig

Orders_Management

<data domain>/<Staging user>.

<SiteName>_ProductCatalog

ctlg_CatalogReaderRole,

Inventory_ReaderRole

MSCS_Admin

db_datareader

MSCS_CatalogScratch

db_datareader, db_datawriter,

db_ddladmin

Additional role mappings are required when you add users to the system to stage specific projects. For more information, see What Database Access Permissions Must You Grant to CSS Authentication Accounts?

Data Warehouse and Analytics System Database Role Mappings

The following tables list the roles required to use the Commerce Server 2009  Data Warehouse.

Commerce Server Production Database Server

The following table lists the database role mappings that you must make for the Data Warehouse service account on the computer that is running SQL Server in the data tier. Create a SQL Server login account for the DTS Import service account, DTSImport. The account name must match the name created when you unpack the Data Warehouse resource. Assign the following role mappings to this account.

Database account

Database

SQL Server roles

DTSImport

ms_db

db_datareader, db_dtsadmin, db_dtsltduser , db_dtsadmin, db_dtsoperator

<sitename>_DataWarehouse

db_datareader, db_datawriter, db_owner, db_ddladmin

MSCS_Admin

admin_reader_role

<sitename>_DataWarehouse

db_datareader

<sitename>_marketing

db_datareader

<sitename>_marketing_lists

db_datareader

<sitename>_productcatalog

db_datareader

<sitename>_profiles

db_datareader, Profile_Schema_Reader

<sitename>_transactionconfig

db_datareader

<sitename>_transactions

db_datareader

MSCS_Admin

admin_reader_role

<sitename>_DataWarehouse

db_datareader

Data Warehouse and Analytics Server

The following table lists the database role mappings that you must make for the Data Warehouse service account on the computer that is running SQL Server for the Data Warehouse. Create a SQL Server login account for the DTS Import service account, DTSImport. The account name must match the name created when you unpack the Data Warehouse resource. Assign the following role mappings to this account.

Database account

Database

SQL Server role

DTSImport

msdb

db_datareader, db_dtsadmin, db_dtsltduser , db_dtsoperator

<sitename>_DataWarehouse

db_datareader, db_datawriter, db_owner, db_ddladmin

For more information on creating the DTSImport database login account and granting access, see How to Grant Permissions for Data Import.

Commerce Server Health Monitoring Database Role Mapping

The following table lists the database role mapping that you must make for the Health Monitoring service account on the computer that is running SQL Server in the data tier. Create a SQL Server login account for the Health Monitoring service account, CSHealthMonitorSvc. The account name must match the name created in Active Directory. Assign the following role mapping to this account.

Database account

Database

SQL Server role

CSHealthMonitorSvc

MSCS_Admin

admin_reader_role

See Also

Other Resources

How to Create the Database Accounts

How to Associate Database Accounts with Database Roles

Granting Access to the Commerce Server Databases