Securing the Profiles Database
It is strongly recommended that you use Windows Authentication for access to your databases. When you configure your database connection strings for Windows Authentication, you must assign Business Desk users and run-time users (who use an anonymous domain account) the appropriate levels of access to your databases.
Systems administrators also require access to the Profiles database and should be assigned to the db_owner role.
To help you secure the Profiles database, Commerce Server includes two security scripts: ProfileReaderRole.sql and ProfileWriterRole.sql. These scripts are located in the Program Files\Microsoft Commerce Server\Support folder.
These scripts create two roles on the Profiles database, and assign the necessary permissions to the tables and stored procedures:
- ProfileReaderRole. Assign run-time users to this role.
- ProfileWriterRole. Assign design-time users to this role.
To create the ProfileReaderRole and the ProfileWriterRole
Click Start, point to Programs, point to Microsoft SQL Server, and then click SQL Query Analyzer.
In the Connect to SQL Server dialog box, specify the appropriate SQL server.
In Query Analyzer, in the database drop-down box, select the Profiles database.
Click File, and then click Open.
Navigate to the scripts located in the Program Files\Microsoft Commerce Server\Support folder, and select ProfileReaderRole.
The script opens and the code appears in the Query Analyzer window.
On the toolbar, click
.gif "Run")
to run the script against the Profiles database.Repeat these steps to run the ProfileWriterRole script.
After you create the roles, assign the anonymous run-time user account and the Business Desk group account to the appropriate roles. For instructions, see Assigning SQL Server Database Roles.
The scripts create the two roles and grant permissions on the following Profiles tables and stored procedures.
| Table name | ProfileReaderRole (Run-time users) |
ProfileWriterRole (Business Desk users) |
|---|---|---|
|
Select | Select Insert Delete Update |
|
Select | Select Insert Delete Update |
|
Select | Select Update |
|
Select | Select |
|
Select | Select |
|
Select | Select |
|
Select | Select Update Insert Delete |
|
Select | Select Update Insert Delete |
|
Select | Select Update Insert Delete |
|
Select | Select Update Insert |
|
Select | Select Update Insert Delete |
|
Select | Select Update Insert Delete |
|
Select Insert Update |
Select Insert Delete Update |
|
Select | Select |
|
Select | Select
Insert Delete Update |
|
Select | Select
Insert Delete Update |
|
Select | Select Insert Delete Update |
|
Select Insert Update |
Select Insert Delete Update |
Profiles Stored Procedures
To secure the Profiles stored procedures, the scripts grant permissions to the ProfileReaderRole and ProfileWriterRole scripts as shown in the following table.
.gif "Ee797293.note(en-US,CS.20).gif")
Note
- In the Catalogs database, you must grant the CatalogSet_Info table Select permissions for the Business Desk user account. Otherwise, catalog sets used by the Organization and Profile modules will fail to load.
| Profiles stored procedures | ProfileReaderRole (Run-Time users) |
ProfileWriterRole (Business Desk users) |
|---|---|---|
|
No | Yes |
|
No | Yes |
|
Yes | Yes |
|
No | Yes |
|
No | Yes |
|
No | Yes |
|
No | Yes |
|
No | Yes |
|
No | Yes |
|
No | Yes |
|
No | Yes |
|
No | Yes |
|
No | Yes |
|
No | Yes |
|
Yes | Yes |
|
Yes | Yes |
|
No | Yes |
|
No | Yes |
|
Yes | Yes |
|
Yes | Yes |
|
No | Yes |
|
No | Yes |
|
Yes | Yes |
|
No | Yes |
|
No | Yes |
|
Yes | Yes |
|
No | Yes |
|
No | Yes |
|
No | Yes |
See Also
Credentials for an Active Directory Profile Data Source
Copyright © 2005 Microsoft Corporation.
All rights reserved.