Recommended Administrator Capabilities in Service Provider Foundation

 

Updated: May 13, 2016

Applies To: System Center 2012 SP1 - Orchestrator, System Center 2012 R2 Orchestrator

This topic provides guidelines for administrator capabilities and roles for administering Service Provider Foundation.

Roles for database administrators

A database administrator (DBA) has full administrator rights on SQL Server, and operates as the SQL Server administrator. This administrator should be able to grant permissions to create databases in SQL Server or grant those permissions to the Service Provider Foundation Administrator (SPFA). This administrator should be able to do the following:

  • Create a database named SCSPFDB. The default database is set to SCSPFDB.

  • Create a SQL Server login and user for the Service Provider Foundation Administrator, and grant the user the permissions described in this table.

    Permissions | Purpose
    Alter | To be able to create tables.
    Connect with Grant | To connect to the existing database.
    Select with Grant, Update with Grant, Delete with Grant, Insert with Grant | To grant these permissions to application users.
    Alter All logins | To create SQL Server logins for the application pool users.

Roles for Service Provider Foundation administrators

A Service Provider Foundation administrator is the user responsible for installing Service Provider Foundation, and should have administrative rights on the server where Service Provider Foundation is to be installed.

There are two database scenario configurations:

  • Install Service Provider Foundation by using a connection to an existing database.

    The Service Provider Foundation administrator must verify that the permissions were granted by the database administrator as described in the previous section.

  • Create a new database.

    The database administrator must create the database (SCSPFDB). The Service Provider Foundation administrator must then install Service Provider Foundation and must have permission to configure the database as needed, for example to add tables. Service Provider Foundation administrators must create the Service Provider Foundation Application Pool in Internet Information Services (IIS) and create a database user for an Application Pool User with the following permissions:

    Permission | Purpose
    Connect | To be able to connect to the Service Provider Foundation database.
    Select, Update, Delete, Insert | To be able to perform basic operations.
    Create the SQL Server login for Application Pool User with default database set to SCSPFDB. | To be able to log on to SQL Server and access this database.
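
The two permission tables above, written out as T-SQL with a query to verify the result. This is an added example, not part of the original topic or of the product's setup scripts. The account names CONTOSO\spf-admin and CONTOSO\spf-apppool are hypothetical placeholders, and "Alter All logins" is assumed to correspond to the server-level permission ALTER ANY LOGIN.

```sql
-- Added example. Account names are hypothetical placeholders.

-- Part 1: run by the database administrator (DBA).
CREATE DATABASE SCSPFDB;
GO
USE master;
CREATE LOGIN [CONTOSO\spf-admin] FROM WINDOWS
    WITH DEFAULT_DATABASE = [SCSPFDB];
-- Assumption: "Alter All logins" in the table maps to ALTER ANY LOGIN.
GRANT ALTER ANY LOGIN TO [CONTOSO\spf-admin];
GO
USE SCSPFDB;
CREATE USER [CONTOSO\spf-admin] FOR LOGIN [CONTOSO\spf-admin];
-- Alter: lets the SPF administrator create tables and database users.
GRANT ALTER TO [CONTOSO\spf-admin];
-- "with Grant": the SPF administrator can pass these on to application users.
GRANT CONNECT, SELECT, UPDATE, DELETE, INSERT
    TO [CONTOSO\spf-admin] WITH GRANT OPTION;
GO

-- Part 2: run by the Service Provider Foundation administrator.
USE master;
CREATE LOGIN [CONTOSO\spf-apppool] FROM WINDOWS
    WITH DEFAULT_DATABASE = [SCSPFDB];
GO
USE SCSPFDB;
CREATE USER [CONTOSO\spf-apppool] FOR LOGIN [CONTOSO\spf-apppool];
-- No grant option here: the application pool user only needs to use the
-- permissions, not delegate them.
GRANT CONNECT, SELECT, UPDATE, DELETE, INSERT TO [CONTOSO\spf-apppool];
GO

-- Part 3: verify what was actually granted at database scope.
-- state_desc shows GRANT_WITH_GRANT_OPTION for the SPF administrator's
-- delegable permissions and GRANT for the application pool user.
SELECT pr.name AS principal_name, pe.permission_name, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
    ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class = 0  -- database-level permissions only
  AND pr.name IN (N'CONTOSO\spf-admin', N'CONTOSO\spf-apppool')
ORDER BY pr.name, pe.permission_name;
```

The verification query covers database-level permissions only; the server-level grant can be checked the same way through sys.server_permissions and sys.server_principals.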

Roles for Application Pool users

Application Pool users are the users that the Service Provider Foundation Application Pool runs as in IIS. They must have full administrative privileges in System Center 2012 – Virtual Machine Manager (VMM). These users should have permissions to perform Create, Read, Update, and Delete operations on the Service Provider Foundation database. For portal applications, these operations can be restricted to specific tables.

See Also

Manage Certificates and User Roles in Service Provider Foundation
Administering Service Provider Foundation
Walkthrough: Creating a Certificate and User Roles for Service Provider Foundation
Configuring Portals for Service Provider Foundation