What Are the Required Accounts and Groups?
This topic summarizes the accounts and groups that you use to help secure a Commerce Server 2009 deployment. These accounts are required to run the various Commerce Server 2009 services, ASP.NET, and Web applications. Commerce Server 2009 creates some of these accounts when you configure a server. You must create the others yourself.
See the following sections for the account and group requirements for each of these areas:
Commerce Server Installer and Staging User Accounts
Commerce Server ASP.NET Account
Commerce Server Windows Service Accounts and User Groups
Commerce Server Web Application Accounts and User Groups
Commerce Server Adapter and BizTalk Server Accounts and User Groups
Data Warehouse and Analysis Service Accounts
Note the following:
Commerce Server 2009 supports only <NetBIOS domain name>\<user> name formats for service accounts and Windows groups.
We recommend that you use Active Directory domain groups and user accounts when you use multiple-computer configurations, including SQL Server. Domain groups include domain local groups, global groups, and universal groups, which are supported in both single-server and multiple-computer environments. You must manually create all the domain groups and accounts before you configure Commerce Server 2009.
Note
Commerce Server 2009 supports domain local groups only if Commerce Server 2009 and SQL Server are both joined to the same domain, and the user who logs on and configures Commerce Server 2009 is a member of the domain where the domain local groups exist.
Commerce Server Installer and Staging User Accounts
The Commerce Server 2009 installer account, known as <CS Installer> in this deployment guide, must have the following rights to configure Commerce Server 2009 servers:
Administrator rights on the local computer.
SQL System Administrator rights on the computer that is running SQL Server.
Add the Commerce Server 2009 installer account to the Windows user groups indicated in the following table. This lets the installer access the Web services associated with these user groups.
Account name | Description | Windows user group |
---|---|---|
<CS Installer> | Account of person logged on to install and configure Commerce Server. | Administrator, CatalogAdminGroup, MarketingAdminGroup, OrdersAdminGroup, ProfilesAdminGroup |
<data domain>\<Staging user> | Account of person who manages Commerce Server 2009 Staging. | Not applicable |
Commerce Server ASP.NET Account
Registering ASP.NET version 2.0 as the default framework creates the ASPNET account.
Important Note
The ASPNET account only exists on IIS 5.1 or when running in compatibility mode on IIS 6.
Account name | Description |
---|---|
ASPNET | Account that Commerce Server 2009 uses to run the ASP.NET worker process (aspnet_wp.exe). |
Commerce Server Windows Service Accounts and User Groups
Each Commerce Server 2009 Windows service requires the definition of a Windows service account. The following table summarizes the default names that are used in this deployment guide.
Account name | Description |
---|---|
CSDMSvc | Account for running the Direct Mailer service. |
CSHealthMonitorSvc | Account for running the Health Monitoring service. |
CSStageSvc | Account for running the Commerce Server 2009 Staging (CSS) service. |
These three accounts must be created manually. The Configuration Wizard configures Commerce Server 2009 to use these accounts specifically, but the Configuration Wizard does not create these accounts.
Commerce Server Web Application Accounts and User Groups
You use service user accounts for the Commerce Server 2009 Web applications to perform these tasks:
To run IIS application pools.
To help secure folders.
To establish anonymous access to the Web site.
To access the Commerce Server 2009 databases.
Commerce Server 2009 installs the Web applications when you unpack a Commerce Server 2009 site, such as the Default site, and select the Web services that you want to install. Each Commerce Server 2009 Web application requires definition of a Windows user account and a Windows user group.
The following table summarizes the default names that are used in this deployment guide. You create these items and make assignments before or after you install Commerce Server 2009. You create these accounts and user groups on the data tier domain controller. In addition, you create the RunTimeUser account on the data tier domain controller. You also use the RunTimeUser account to run the Default Site application pool. For information about SharePoint administrative and service accounts, see http://go.microsoft.com/fwlink/?LinkId=139663.
Account name | Description |
---|---|
RunTimeUser | IIS account for Commerce Server 2009. The identity Commerce Server 2009 uses to run the IIS worker process that forms the trusted subsystem. Use to run the Default Site application pool. |
CatalogWebSvc | Account for running the Catalog Web service. |
MarketingWebSvc | Account for running the Marketing Web service. |
OrdersWebSvc | Account for running the Orders Web service. |
ProfilesWebSvc | Account for running the Profiles Web service. |
For each Web application, you create the associated administrative user groups and assign accounts as indicated in the following table. IIS automatically creates the IIS_WPG group.
Commerce Server Web application default name | User account | User group |
---|---|---|
CatalogWebService | CatalogWebSvc | CatalogAdminGroup, IIS_WPG |
MarketingWebService | MarketingWebSvc | MarketingAdminGroup, IIS_WPG |
OrdersWebService | OrdersWebSvc | OrdersAdminGroup, IIS_WPG |
ProfilesWebService | ProfilesWebSvc | ProfilesAdminGroup, IIS_WPG |
<site_name> | RunTimeUser | Not applicable |
For each site that you unpack, we recommend that you create unique Web service account names and Windows user groups.
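The following PowerShell is an added example, not part of the original deployment guide or any Microsoft tooling. It creates the default Web service accounts and administrative groups from the tables above and assigns the memberships. It assumes the ActiveDirectory module is available where the first function runs; the function names, the OU path and the CONTOSO domain name are hypothetical placeholders.

```powershell
# Added example; function names, $Ou and $Domain values are hypothetical.
# Account -> administrative group, using the default names from this guide.
$CsWebIdentities = [ordered]@{
    CatalogWebSvc   = 'CatalogAdminGroup'
    MarketingWebSvc = 'MarketingAdminGroup'
    OrdersWebSvc    = 'OrdersAdminGroup'
    ProfilesWebSvc  = 'ProfilesAdminGroup'
    RunTimeUser     = $null   # "Not applicable" in the table: no group
}

# Run against the data tier domain (requires the ActiveDirectory module).
function New-CsWebIdentities {
    param([string]$Ou = 'OU=CommerceServer,DC=contoso,DC=com')
    Import-Module ActiveDirectory
    foreach ($account in $CsWebIdentities.Keys) {
        # Create the account only if it does not exist yet (idempotent).
        if (-not (Get-ADUser -Filter "SamAccountName -eq '$account'")) {
            $pw = Read-Host -AsSecureString "Password for $account"
            New-ADUser -Name $account -SamAccountName $account -Path $Ou `
                -AccountPassword $pw -Enabled $true
        }
        $group = $CsWebIdentities[$account]
        if (-not $group) { continue }
        if (-not (Get-ADGroup -Filter "SamAccountName -eq '$group'")) {
            New-ADGroup -Name $group -SamAccountName $group -Path $Ou `
                -GroupScope Global -GroupCategory Security
        }
        # Add the membership only when it is missing.
        $members = @(Get-ADGroupMember -Identity $group |
            Select-Object -ExpandProperty SamAccountName)
        if ($members -notcontains $account) {
            Add-ADGroupMember -Identity $group -Members $account
        }
    }
}

# Run on each Web server: IIS_WPG is a local group that IIS creates there.
function Add-CsAccountsToIisWpg {
    param([string]$Domain = 'CONTOSO')   # NetBIOS domain name, not DNS
    foreach ($account in $CsWebIdentities.Keys) {
        if ($CsWebIdentities[$account]) {
            & net.exe localgroup IIS_WPG "$Domain\$account" /add
        }
    }
}
```

To follow the per-site recommendation, replace the names in `$CsWebIdentities` with site-specific account and group names before running either function.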
Commerce Server Adapter and BizTalk Server Accounts and User Groups
Installing BizTalk Server creates the BizTalkAdmin and BizTalkSvc accounts. You must create the RunTimeUser and CSLOB accounts before you install Commerce Server 2009. After installation, you create SQL Server login accounts and associate the user accounts with Windows user groups.
Account name | Description | Windows user group |
---|---|---|
BizTalkAdmin | BizTalk Server Administrator identity | Administrators, BizTalk Server Administrators, BizTalk Server Operators |
BizTalkSvc | BizTalk Server service identity | BizTalk Application Users, BizTalk Isolated Host Users, IIS_WPG, SQLServer2005NotificationServicesUser, SSO Administrators |
CSLOB | Commerce Server 2009 adapters line-of-business service identity | Not applicable |
Data Warehouse and Analysis Service Accounts
The Data Warehouse and Analytics system uses the following service accounts. You create these accounts on the data tier domain controller.
Account name | Description |
---|---|
DTSImport | Data Transformation Services (DTS) import service identity. |
ReportingSvc | Reporting service identity. |
See Also
Other Resources
What Are the Secure Deployment Requirements?