

How to give read only access to the BizTalk server to the BizTalk users


Problem Description
===================

We get a lot of cases where customers want to know how they can give read-only access to BizTalk Server to their users.

Users should have read-only access to the BizTalk servers so that they can run the BizTalk Administration Console and view the BizTalk configuration, but not change any properties from the console.

Solution
=========

To access the BizTalk Administration Console, a user needs to be a member of either the BizTalk Server Administrators group or the BizTalk Server Operators group.

If the user is a member of the BizTalk Server Administrators group, he can do everything in the Administration Console.

If the user is a member of the BizTalk Server Operators group, he can only perform monitoring activities. He can also perform a few additional actions such as starting/stopping orchestrations and enabling/disabling send ports and receive locations, but he will not be able to create new artifacts (new receive locations, send ports, etc.).

So the workaround here is to add the users only to the BizTalk Server Operators group, and not to the BizTalk Server Administrators group, when you want to give them read-only access to BizTalk Server.

Members of the BizTalk Server Operators group can do the following:

a. View the Group Hub page, perform queries, save and load queries.
b. View query results.
c. Start or stop applications.
d. Start or stop orchestrations.
e. Start or stop send ports or send port groups.
f. Enable or disable receive locations. The changes do not take effect until the next cache refresh interval of 60 seconds, which is the default. The cache refresh interval is set at the BizTalk Server group level.
g. Terminate and resume service instances.

Members of the BizTalk Server Operators group cannot do the following:

a. Modify the configuration for BizTalk Server.
b. Create a MessageBox database.
c. Create or delete a BizTalk host.
d. Change the Host Tracking property for a host.
e. Create (install), delete, or change the credentials for a host instance.
f. Start or stop a host instance.
g. Add or remove a server.
h. Add or remove a receive handler.
i. Add an adapter.
j. View message properties.
k. Save a message body.
l. Use the Find Message query in HAT.
m. Use the query builder in HAT.
n. Use the Orchestration Debugger.
o. View message context properties classified as Personally Identifiable Information (PII) or message bodies.
p. Modify the course of message routing, such as removing or adding new subscriptions to the running system, including the ability to publish messages into the BizTalk Server runtime.

Two things to note here:

1. If a user who is a member of the BizTalk Server Operators group is also a local administrator on the computers running BizTalk Server, this user can access data beyond the role of the Operators group on these computers.

2. If you want to allow a user who is a member of the BizTalk Server Operators group to monitor remote BizTalk servers, this user must also be a member of the local Administrators group on the remote computers.
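The following PowerShell script is an added example and is not part of the original article. It puts the workaround and the first note above into practice: it grants a user operator-only access by adding the account to the BizTalk Server Operators group (refusing if the account is already a BizTalk Server Administrator), and it audits the Operators group for members who are also local Administrators. It assumes the default local group names "BizTalk Server Operators" and "BizTalk Server Administrators" (these are configurable during BizTalk configuration), the Microsoft.PowerShell.LocalAccounts cmdlets (Windows PowerShell 5.1 or later), an elevated session on the BizTalk server, and a placeholder account name CONTOSO\jdoe.

```powershell
# Added example, not from the original article.
# Assumptions: default local group names 'BizTalk Server Operators' and
# 'BizTalk Server Administrators', the Microsoft.PowerShell.LocalAccounts
# cmdlets (Windows PowerShell 5.1+), and an elevated session on the BizTalk server.

function Test-LocalGroupHasMember {
    # True if $Member (e.g. 'CONTOSO\jdoe') is a direct member of local group $Group.
    param([string]$Group, [string]$Member)
    $found = Get-LocalGroupMember -Group $Group -Member $Member -ErrorAction SilentlyContinue
    return [bool]$found
}

function Grant-BizTalkOperatorAccess {
    # Gives $User operator (monitoring) access only. Refuses to proceed if the
    # user is already a BizTalk Server Administrator, because leaving that
    # membership in place would silently keep full control in the console.
    param(
        [Parameter(Mandatory)] [string]$User,
        [string]$OperatorsGroup = 'BizTalk Server Operators',
        [string]$AdminsGroup    = 'BizTalk Server Administrators'
    )
    if (Test-LocalGroupHasMember -Group $AdminsGroup -Member $User) {
        Write-Warning "$User is in '$AdminsGroup'; remove that membership before granting operator-only access."
        return $false
    }
    if (-not (Test-LocalGroupHasMember -Group $OperatorsGroup -Member $User)) {
        Add-LocalGroupMember -Group $OperatorsGroup -Member $User
    }
    return $true
}

function Get-OperatorsWhoAreLocalAdmins {
    # Audit for note 1 above: Operators members who are also local Administrators
    # can reach data beyond the Operators role on this computer.
    param([string]$OperatorsGroup = 'BizTalk Server Operators')
    $admins = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name }
    Get-LocalGroupMember -Group $OperatorsGroup |
        Where-Object { $admins -contains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource
}

# Usage (placeholder account name):
Grant-BizTalkOperatorAccess -User 'CONTOSO\jdoe'
Get-OperatorsWhoAreLocalAdmins
```

The audit compares direct group members only: if a domain group is nested inside the local Administrators group, users who are local admins through that nesting are not flagged, so expand such groups in Active Directory separately. Because note 2 requires local Administrators membership on remote computers for remote monitoring, run the audit on every BizTalk server in the group rather than on one.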

Related links:

https://technet.microsoft.com/en-us/library/aa578061.aspx

https://technet.microsoft.com/en-us/library/aa559845.aspx