How Are CSS Authentication Accounts Defined and Managed?
You can base the configuration of the authentication accounts that are used to stage Commerce Server Staging (CSS) projects on your network and business requirements. There are three main categories of CSS authentication accounts.
CSS Service Accounts
CSS Management and Administration Accounts
Staging Project Accounts
CSS Service Account
The CSS service account is the account assigned to the Commerce Server Staging Windows service when you configure CSS on the server.
This account requires the following permissions:
Member of the CSS_SG group. (This is defined when you configure CSS.)
(Optional) Database access to the source or destination SQL Server databases. This access is only required when you stage business data projects.
You must define a CSS service account for each CSS server in a staging deployment.
CSS Management and Administration Accounts
Management and administration accounts are accounts that you use to execute CSS functions from either the CSS console or command line. You can grant these accounts permission to perform the following staging tasks by adding them to one of the CSS security groups, CSS Administrators or CSS Operators.
Staging task | CSS Administrators | CSS Operators
---|---|---
Add, remove, and change projects. | Yes | No
Add, remove, and change routes. | Yes | No
Add and remove users to and from projects. | Yes | No
Add and remove servers. | Yes | No
Change server properties. | Yes | No
Start, stop, apply, and rollback staging projects. | Yes | Yes
View project and route properties. | Yes | Yes
Start, stop, and pause the staging service. | Yes | Yes
When you use these accounts to stage business data, these accounts also require database access permissions to the source SQL Server databases.
When you perform tasks from the CSS Microsoft Management Console (MMC) on remote servers, you can specify an MMC authentication account for the remote server. You must add this account to the corresponding CSS security group based on the intended use of staging tasks as outlined in the table earlier in this topic.
For information about the CSS security groups, see How Are Permissions Granted to CSS Authentication Accounts? For information about how to define the MMC authentication account, see How to Connect to a Remote Server.
Staging Project Accounts
For CSS servers to send a replication request to other CSS servers, the CSS service residing on the sending server must set up a connection with the receiving server. This is achieved by using a valid authentication account. This authentication account is referred to as a staging project account. Staging project accounts are used to connect to another CSS server in order to transmit data. These accounts must be members of the CSS Operators or CSS Administrators groups, or be users who have been assigned as administrator or operator with project-level permissions.
When you use these accounts to stage business data, these accounts also require database access permissions to the source SQL Server databases.
Note
You can specify the CSS service account running on the CSS server as a staging project account. If you do this, you must add this account to the CSS Operators or CSS Administrators group on the destination server.
Important Note:
When you create or modify a project through the CSS MMC, the staging project account is used to authenticate the connection to the remote server. This account must belong to the CSS Administrators group on the remote server to perform the task, or the task will fail.
CSS supports three methods of specifying the authentication accounts to use when staging projects. These methods, in the order in which they take precedence, are as follows:
Destination-level authentication. Destination-level authentication specifies authentication accounts for individual destination servers and the servers that are defined in a route. You can define destination servers in the project or the project can use routes already created for staging.
Project-level authentication. Project-level authentication lets you specify an account that can be used for all destination servers that are defined throughout a project. An authentication account defined at this level specifies staging accounts for individual projects. Destination accounts override this account during staging.
Default (global) authentication. Default authentication applies to all staging projects unless a project-level or destination-level account is specified. The default authentication account is defined for a CSS server through the CSS MMC. Project-level or destination-level authentication accounts override this account during staging.
Note
Each account specified at any of these levels of authentication should be a member of the CSS Administrators or CSS Operators group on the destination CSS servers, or be assigned as an operator or administrator with project-level permissions for the specific project(s).
The following illustration shows the authentication process that CSS uses to stage projects (files and data) between different servers and environments.
Configuring Destination-Level Authentication
You can override the authentication for both project-level and default authentication by configuring the authentication account for each destination for a project or route. Destination-level authentication provides you detailed control and flexibility for connecting to remote servers. This is especially useful if your destination servers are on different domains.
The destination-level authentication account must match an account on the corresponding remote CSS server(s). It must belong to the CSS Operators or CSS Administrators group on the destination server, or be assigned as an operator or administrator with project-level permissions for the project.
Important Note:
If a destination-level authentication account is defined through the New Project Wizard, the account must belong to the CSS Administrators group on the destination server. This is necessary because the destination-level account will be used to create the project on the destination server, and only members of the CSS Administrators group can create projects. If it is not a member, the project creation will fail with access denied on the destination server.
For information about how to configure a project to use destination-level authentication, see How to Configure Destination-Level Authentication.
Project-Level Authentication
You can override the authentication for default authentication by configuring the project-level authentication account. Project-level authentication lets you use different authentication accounts on a project-by-project basis.
As with the destination-level authentication account, the project-level authentication account must match an account on the corresponding remote CSS server(s). It must belong to the CSS Operators or CSS Administrators group on the destination server, or be assigned as an operator or administrator with project-level permissions for the project.
For information about how to configure a project to use project-level authentication, see How to Configure Project-Level Authentication.
Default (Global) Authentication
The default authentication account authenticates with other CSS servers for deployment when no other authentication information is provided at the project or destination level. It also executes the scheduled tasks if the project has a configured schedule. This means that the default authentication account must match an account that is part of the CSS Operators or CSS Administrators group at all intended destination servers unless it is assigned as operator or administrator with project-level permissions for particular projects.
For CSS staging operations to succeed, the intended destination servers must be able to recognize the credentials that the source server supplies. This means that the credentials that are supplied for the default authentication account must match an account that is available to all intended destination servers. An account is available to a destination server if it meets one of the following criteria:
The account is in the destination server’s local user accounts database.
The account is in the user accounts database for the domain to which the destination server belongs.
The account is in the user accounts database of a domain trusted by the destination server’s domain.
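The precedence order (destination-level, then project-level, then default) and the group membership each staging task requires can be checked before a staging run. The following pre-flight model is an added example, not CSS code or a CSS API: the `Project` class, the function names, the task names in `ADMIN_ONLY`, and the sample servers, accounts and group memberships are all constructed for illustration.

```python
from dataclasses import dataclass, field

ADMIN, OPERATOR = "CSS Administrators", "CSS Operators"
# Tasks from the staging-task table that only CSS Administrators may perform;
# the remaining tasks in that table are open to both groups.
ADMIN_ONLY = {"add_project", "change_project", "remove_project", "add_route",
              "change_route", "add_server", "change_server", "add_project_user"}

@dataclass
class Project:                 # hypothetical model, not a CSS object
    name: str
    destinations: list         # destination server names
    project_account: str = ""  # project-level account, "" if none
    destination_accounts: dict = field(default_factory=dict)  # server -> account

def resolve_account(project, dest, default_account):
    """Precedence from the topic: destination-level > project-level > default."""
    if dest in project.destination_accounts:
        return project.destination_accounts[dest], "destination"
    if project.project_account:
        return project.project_account, "project"
    return default_account, "default"

def is_authorized(account, dest, task, project, groups, roles):
    """groups: {server: {account: set of groups}}; roles: {(server, project): {account: role}}."""
    member_of = groups.get(dest, {}).get(account, set())
    role = roles.get((dest, project.name), {}).get(account)
    if task in ADMIN_ONLY:
        # Creating or changing a project on the remote server (e.g. through the
        # New Project Wizard) requires the CSS Administrators group there.
        return ADMIN in member_of
    return bool(member_of & {ADMIN, OPERATOR}) or role in ("administrator", "operator")

def preflight(project, task, default_account, groups, roles):
    """Map each destination to (account used, level it came from, authorized?)."""
    return {dest: (acct, level, is_authorized(acct, dest, task, project, groups, roles))
            for dest in project.destinations
            for acct, level in [resolve_account(project, dest, default_account)]}

# Constructed sample deployment: web02 has a destination-level override.
GROUPS = {"web01": {},
          "web02": {"CORP\\css-admin": {ADMIN}, "CORP\\css-svc": {OPERATOR}}}
ROLES = {("web01", "catalog"): {"CORP\\css-svc": "operator"}}   # project-level permission only
CATALOG = Project("catalog", ["web01", "web02"],
                  destination_accounts={"web02": "CORP\\css-admin"})
```

Running `preflight(CATALOG, "add_project", "CORP\\css-svc", GROUPS, ROLES)` shows the wizard caveat: the default account is accepted on web01 for "apply" through its project-level operator role, but project creation there is denied because that role is not CSS Administrators membership.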
See Also
Other Resources
How to Configure Destination-Level Authentication
How to Configure Project-Level Authentication
How to Change the Default (Global) Authentication Account
How Are Permissions Granted to CSS Authentication Accounts?