What Permissions are Granted for SQL Server Security Roles in the Commerce Server Databases?
This topic describes the permissions granted to SQL Server roles to control access to the tables in the Commerce Server database.
SQL Server Security Requirements for Commerce Server System Roles
Note: Do not add runtime user accounts that only read information to writer roles.
| System | Role | Use this role for/activity | Permissions granted |
|---|---|---|---|
| Catalog | ctlg_CatalogReaderRole | Runtime user accounts that read catalog information. Also granted to Commerce Server Staging (CSS) administrators, CSS operators, and project-level user accounts so they can read the available catalogs when they configure staging projects. | Read catalog information. |
| Catalog | ctlg_CatalogWriterRole | Trusted account that runs the ASP.NET worker process. Also granted to the CSS service account to import catalog data when staging business data. | Create, delete, and update the catalog tables. |
| Inventory | inventory_ReaderRole | Runtime user accounts that only read inventory information. Also granted to the CSS service account, CSS administrators, CSS operators, and project-level user accounts to support staging catalog data. | Read the inventory tables. Members of this role can only read inventory data. |
| Inventory | Inventory_WriterRole | Trusted account that runs the ASP.NET worker process. Also granted to the CSS service account to support staging catalog data. | Create, delete, and update the data in the inventory tables. |
| Inventory | Inventory_RuntimeRole | Runtime user accounts that read the inventory tables and update the on-hand quantity in them. | Read the inventory tables and update the on-hand quantity in them. Members of this role can read inventory data and update the on-hand quantity only. |
| Inventory | Inventory_QuantityDeltasManagementRole | Keeps track of the on-hand quantity decrements that occur when runtime users browse and purchase items on the runtime site. | Read and delete the information in the Inventoryquantitydeltas table. |
| Marketing | mktg_marketingService_role | Marketing Web service-related actions. Granted to the user account that runs the Marketing Web service. A user who must access the marketing management API in local mode must also be a member of this role. | Read/write for all Marketing Web service-related actions. |
| Marketing | mktg_dataManager_role | Data manager-related actions. Granted to a Marketing Administrator for deleting old data from the system. | Delete permissions. |
| Marketing | mktg_staging_role | Staging-related actions. Granted to the user account that runs the Commerce Server Staging Service. | Some write and some delete permissions. |
| Marketing | mktg_promoCodeExpirationTask_role | Promotion code expiration-related actions. | Read and write permissions for promotion code expiration tasks. |
| Marketing | mktg_promoCodeGenerator_role | Promotion code generation-related actions. Granted to the user account that runs the Marketing Web service (because the coupon generator service impersonates this user). A user who must access the promotion code generation API in local mode must also be a member of this role. | Read and write permissions for promotion code generation tasks. |
| Marketing | mktg_runtime_role | Runtime site-related actions. Granted to the user account that runs the runtime Commerce Server application. A user who must access the Marketing runtime API must also be a member of this role. | Read permissions for the site application pool identity. |
| Marketing | mktg_directmailer_role | Direct Mailer-related actions. Granted to the user account that runs the Direct Mailer Service. | Read and write permissions for the Direct Mailer services. |
| Profiles | Profile_Schema_Reader | | Read profile definitions. |
| Profiles | Profile_Reader | View instances of any profile. | Read instances of profiles. |
| Profiles | Profile_User_Reader | Run the Marketing Web service; run the Direct Mailer; view users. | Read instances of the UserObject profile. |
| Profiles | Profile_Schema_Manager | Run the Profiles Web service; run the Direct Mailer. Also granted to the CSS service account to stage site terms. | Create, read, write, and delete access to profile definitions. |
| Profiles | Profile_Runtime | Run the customer-facing Web application; run the Profiles Web service. | Create, read, write, and delete access to instances of profiles. |
| Orders | Orders_Runtime | Runtime-related actions. | Create, read, write, and delete access to instances of orders. Also allows read access to orders-related configuration information. |
| Orders | Orders_Management | Orders management-related actions. Also granted to the CSS service account to stage orders configuration. | Create, read, write, and delete access to orders-related configuration information. |
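The following T-SQL is an added audit example; it is not part of the Commerce Server documentation or product. It uses only the SQL Server catalog views `sys.database_principals`, `sys.database_role_members` and `sys.database_permissions`, and the role names from the table above. The database name is a placeholder you replace with the Commerce Server database being checked. Query 1 supports the Note above by listing who is a member of each writer or management role; query 2 lists the object-, schema- and database-level permissions each Commerce Server role actually holds; query 3 flags any write-type grant on a role the table documents as read-only.

```sql
-- Added audit example (not Commerce Server's own code).
-- Replace the placeholder with the Commerce Server database under review.
USE [CommerceServerDatabase_Placeholder];
GO

-- 1. Membership of the writer/management roles from the table.
--    Compare each member against the "Use this role for" column: a runtime
--    account that only reads data should not appear in this result.
SELECT r.name      AS role_name,
       m.name      AS member_name,
       m.type_desc AS member_type      -- SQL_USER, WINDOWS_USER, WINDOWS_GROUP ...
FROM sys.database_role_members AS rm
JOIN sys.database_principals  AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals  AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN (N'ctlg_CatalogWriterRole',
                 N'Inventory_WriterRole',
                 N'Inventory_QuantityDeltasManagementRole',
                 N'mktg_dataManager_role',
                 N'mktg_staging_role',
                 N'Profile_Schema_Manager',
                 N'Profile_Runtime',
                 N'Orders_Management')
ORDER BY r.name, m.name;
GO

-- 2. Permissions actually granted to every user-defined role in this database.
--    Use this to confirm that each role matches its "Permissions granted"
--    entry and to spot grants that have drifted from the documented set.
SELECT pr.name            AS role_name,
       pe.state_desc      AS grant_state,       -- GRANT, GRANT_WITH_GRANT_OPTION, DENY
       pe.permission_name,                      -- SELECT, INSERT, UPDATE, DELETE, EXECUTE ...
       pe.class_desc,
       CASE pe.class_desc
            WHEN 'OBJECT_OR_COLUMN' THEN OBJECT_SCHEMA_NAME(pe.major_id) + N'.' + OBJECT_NAME(pe.major_id)
            WHEN 'SCHEMA'           THEN SCHEMA_NAME(pe.major_id)
            WHEN 'DATABASE'         THEN DB_NAME()
            ELSE CAST(pe.major_id AS nvarchar(20))
       END                AS securable
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pr.type = 'R'                  -- database roles only
  AND pr.is_fixed_role = 0           -- skip db_owner, db_datareader, ...
  AND pr.name <> N'public'
ORDER BY pr.name, pe.class_desc, securable, pe.permission_name;
GO

-- 3. Write-type grants on roles the table documents as read-only.
--    Any row returned here is a deviation worth explaining or revoking.
SELECT pr.name            AS role_name,
       pe.permission_name,
       pe.class_desc,
       CASE pe.class_desc
            WHEN 'OBJECT_OR_COLUMN' THEN OBJECT_SCHEMA_NAME(pe.major_id) + N'.' + OBJECT_NAME(pe.major_id)
            WHEN 'SCHEMA'           THEN SCHEMA_NAME(pe.major_id)
            ELSE DB_NAME()
       END                AS securable
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name IN (N'ctlg_CatalogReaderRole',
                  N'inventory_ReaderRole',
                  N'mktg_runtime_role',
                  N'Profile_Schema_Reader',
                  N'Profile_Reader',
                  N'Profile_User_Reader')
  AND pe.state_desc IN ('GRANT', 'GRANT_WITH_GRANT_OPTION')
  AND pe.permission_name IN (N'INSERT', N'UPDATE', N'DELETE', N'ALTER', N'CONTROL')
ORDER BY pr.name, securable, pe.permission_name;
GO
```

Run the three queries in each Commerce Server database (catalog, marketing, profiles, orders), since the roles live per database. Query 3 deliberately does not flag EXECUTE: Commerce Server may implement reads through stored procedures, so a reader role holding EXECUTE on a procedure is expected; if you need to know whether such a procedure writes, inspect it separately. Role membership inherited through Windows groups shows the group, not the individual logins, so expand any WINDOWS_GROUP rows from query 1 against the directory.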