What Are the Accounts and Groups to Create?
This topic provides a summary of the user accounts and groups that you create. In a multi-computer deployment, Commerce Server 2009 accounts and user groups must be created on the domain controller. In a single-server deployment, you can create these accounts and groups on the computer where Commerce Server 2009 is installed. For the internal/test and development environments, create the same accounts and groups that you create for the data domain in the production environment.
See the following sections for the account and group requirements for each of these areas:
Commerce Server User and Service Accounts
Commerce Server Groups and Account Assignments
Additional User Groups for Granular Security
SQL Server Database Instances, Accounts, and Role User Mappings
Commerce Server User and Service Accounts
The following table lists the accounts that you create or that are created when you install prerequisite software. You must create the <CS Direct Mailer User>, <CS Installer>, <CS Staging User>, CSLOB, and RunTimeUser accounts before you install Commerce Server 2009. Registering ASP.NET 2.0 as the default framework creates the ASPNET account. After installation, you create the SQL Server login accounts and associate the user accounts with Windows user groups.
For information about registering ASP.NET as the default framework, see "Install Prerequisite Software" in the Commerce Server 2009 Installation and Configuration Guide at https://go.microsoft.com/fwlink/?LinkId=139462.
| Account name | Description | Windows User Group | SQL Server login account |
|---|---|---|---|
| <CS Direct Mailer User> | Account of person who manages the Direct Mailer service. | not applicable | not applicable |
| <CS Installer> | Account of person logged on to install and configure Commerce Server 2009. | Administrator, CatalogAdminGroup, MarketingAdminGroup, OrdersAdminGroup, ProfilesAdminGroup | not applicable |
| <CS Staging User> | Account of person who manages Commerce Server 2009 Staging. | not applicable | <CS Staging User> |
| ASPNET | Account that is used for running the ASP.NET worker process (aspnet_wp.exe). | not applicable | ASPNET |
| BizTalkAdmin | BizTalk Server Administrator identity. | Administrators, BizTalk Server Administrators, BizTalk Server Operators | not applicable |
| BizTalkSvc | BizTalk Server service identity. | BizTalk Application Users, BizTalk Isolated Host Users, IIS_WPG or IIS_IUSRS, SQLServer2005NotificationServicesUser, SSO Administrators | BizTalkSvc |
| CLUSvc | Cluster service identity. Create only for clustered instances of SQL Server, and only on the data tier domain controller. | not applicable | not applicable |
| CSDMSvc | Commerce Server 2009 Direct Mailer service identity. | DML_SG | CSDMSvc |
| CSHealthMonitorSvc | Commerce Server 2009 Health Monitoring service identity. Create on the domain controller only. | not applicable | CSHealthMonitorSvc |
| CSLOB | Commerce Server 2009 Adapters identity. | not applicable | not applicable |
| CSStageSvc | Commerce Server 2009 Staging (CSS) service identity. | CSS_SG, CSS Administrators, CSS Operators | CSStageSvc |
| DTSImport | Data transformation services import identity. | not applicable | not applicable |
| MOMSvc | Microsoft System Center Operations Manager (SCOM) service identity. | not applicable | not applicable |
| RunTimeUser | Anonymous user identity (IIS account for Commerce Server 2009). | IIS_WPG (on Windows Server 2003) or IIS_IUSRS (on Windows Server 2008) | RunTimeUser |
| SQLSvc | SQL Server service identity. | not applicable | not applicable |
It is highly recommended that you create each of these accounts by using the following requirements for strong passwords:
Passwords must be at least six (6) characters long.
Passwords may not contain your user name or any part of your full name.
Passwords must contain characters that are uppercase letters, lowercase letters, numbers, and non-alphanumeric characters (such as punctuation symbols).
Commerce Server Groups and Account Assignments
Commerce Server Administrator Groups
You create four administrator groups summarized in the following table. These represent the minimum number of groups to define. You should create distinct user groups based on your business needs. You then assign these groups to authorization roles through the Authorization Manager. For more information, see Authorizing Users and Groups to Access Web Services.
| User group | Description | Accounts to assign |
|---|---|---|
| CatalogAdminGroup | Administrator group for the Catalog and Inventory Web services. | <CS Installer>, Business User Accounts |
| MarketingAdminGroup | Administrator group for the Marketing Web services. | <CS Installer>, Business User Accounts |
| OrdersAdminGroup | Administrator group for the Orders Web services. | <CS Installer>, Business User Accounts |
| ProfilesAdminGroup | Administrator group for the Profiles Web services. | <CS Installer>, Business User Accounts |
For a production deployment, define more groups so that you can take full advantage of the predefined authorization roles. For descriptions of each predefined role, see Additional User Groups for Granular Security.
Commerce Server Site and Account and Application Pool Assignments
The following table summarizes the default names for the accounts and application pool that you create when you unpack a Commerce Server 2009 site.
| Default name | Windows service account | SQL Server login account | Application pool |
|---|---|---|---|
| DefaultSite | RunTimeUser | RunTimeUser | DefaultSiteAppPool |
| CSharpSite | RunTimeUser | RunTimeUser | CSharpSiteAppPool |
Commerce Server Web Services and Account and Application Pool Assignments
Commerce Server 2009 installs the Web services that you select when you unpack a site. Each Commerce Server 2009 Web service requires a Windows user account, a Windows user group, a SQL Server login account, and an application pool. The following table summarizes the default names that Commerce Server 2009 and the installation guide use. You create the Windows user accounts before you unpack a site, and you create the SQL Server login accounts and application pools after you unpack the site.
| Commerce Server 2009 Web service | Default name | Windows user account | Windows user group | SQL Server login account | Application pool |
|---|---|---|---|---|---|
| Catalog | CatalogWebService | CatalogWebSvc | CatalogAdminGroup, IIS_WPG or IIS_IUSRS | CatalogWebSvc | CatalogWebSvcAppPool |
| Marketing | MarketingWebService | MarketingWebSvc | MarketingAdminGroup, IIS_WPG or IIS_IUSRS | MarketingWebSvc | MarketingWebSvcAppPool |
| Orders | OrdersWebService | OrdersWebSvc | OrdersAdminGroup, IIS_WPG or IIS_IUSRS | OrdersWebSvc | OrdersWebSvcAppPool |
| Profiles | ProfilesWebService | ProfilesWebSvc | ProfilesAdminGroup, IIS_WPG or IIS_IUSRS | ProfilesWebSvc | ProfilesWebSvcAppPool |
For each site that you unpack, we recommend that you create unique Web service account names, SQL Server login account names, Windows user groups, and application pools. You can share application pools, but we do not recommend this action.
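The account, group and password requirements above (service accounts created before installation, the four administrator groups, the Web service identities, and the strong-password rules) can be provisioned in one pass on the domain controller. The following PowerShell is an added example, not code from the Commerce Server 2009 documentation. It assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later); the domain name, OU path and the name used for <CS Installer> are placeholders you must replace.

```powershell
# Added example (not from the Commerce Server 2009 documentation): create the
# service accounts and administrator groups listed above on the domain controller.
# Assumes the ActiveDirectory module; domain, OU and installer account are placeholders.
Import-Module ActiveDirectory

$Domain    = 'CONTOSO'                                  # placeholder domain
$OuPath    = 'OU=CommerceServer,DC=contoso,DC=local'    # placeholder OU
$Installer = 'csinstaller'                              # placeholder for <CS Installer>

# Service identities the page says to create before you install or unpack a site.
$ServiceAccounts = 'CSLOB', 'RunTimeUser', 'CSDMSvc', 'CSHealthMonitorSvc', 'CSStageSvc',
                   'CatalogWebSvc', 'MarketingWebSvc', 'OrdersWebSvc', 'ProfilesWebSvc'

# Administrator groups and the members the tables above assign to them.
$AdminGroups = @{
    CatalogAdminGroup   = @('CatalogWebSvc',   $Installer)
    MarketingAdminGroup = @('MarketingWebSvc', $Installer)
    OrdersAdminGroup    = @('OrdersWebSvc',    $Installer)
    ProfilesAdminGroup  = @('ProfilesWebSvc',  $Installer)
}

function Test-StrongPassword {
    # The three rules stated on this page: length, no user name, four character classes.
    param([string]$Password, [string]$UserName)
    if ($Password.Length -lt 6) { return $false }
    if ($Password.ToLower().Contains($UserName.ToLower())) { return $false }
    return ($Password -cmatch '[A-Z]') -and ($Password -cmatch '[a-z]') -and
           ($Password -match '[0-9]') -and ($Password -match '[^A-Za-z0-9]')
}

function New-StrongPassword {
    # Draw from a CSPRNG and retry until the value passes Test-StrongPassword.
    param([string]$UserName, [int]$Length = 20)
    # 64 symbols, so "byte modulo 64" selects without bias.
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    do {
        $bytes = New-Object byte[] $Length
        $rng.GetBytes($bytes)
        $candidate = -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
    } until (Test-StrongPassword -Password $candidate -UserName $UserName)
    return $candidate
}

foreach ($name in $ServiceAccounts) {
    if (Get-ADUser -Filter "SamAccountName -eq '$name'") { continue }   # already exists
    $secret = New-StrongPassword -UserName $name
    New-ADUser -Name $name -SamAccountName $name -Path $OuPath -Enabled $true `
        -AccountPassword (ConvertTo-SecureString $secret -AsPlainText -Force)
    # Hand $secret to your secrets store for the service configuration; never log it.
}

foreach ($group in $AdminGroups.Keys) {
    if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
        New-ADGroup -Name $group -GroupScope Global -GroupCategory Security -Path $OuPath
    }
    Add-ADGroupMember -Identity $group -Members $AdminGroups[$group]
}

# IIS_WPG / IIS_IUSRS is a local group on each Web server, not a domain group.
# Add the worker-process identities there, on that server, for example:
#   net localgroup IIS_IUSRS "$Domain\RunTimeUser" /add
```

The script is idempotent for accounts and groups, so it can be re-run on the internal/test and development domains, which the page says should mirror the production data domain. Keep the generated passwords in a secrets store; the service configuration and the SQL Server logins created later use the Windows identity, not the password.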
Web Service Administrator Role Assignments
The following table lists the Web services and their corresponding authorization stores and administrator roles. You must assign each Web service account to its corresponding authorization role.
| Authorization store | Role | Account assignments |
|---|---|---|
| CatalogAuthorizationStore.xml | Administrator | CatalogWebSvc, <CS Installer> |
| MarketingAuthorizationStore.xml | MarketingAdministrator | MarketingWebSvc, <CS Installer> |
| OrdersAuthorizationStore.xml | OrdersAdministrator | OrdersWebSvc, <CS Installer> |
| ProfilesAuthorizationStore.xml | ProfileAdministrator | ProfilesWebSvc, <CS Installer> |
After you grant write permissions on the authorization stores, assign users to the administrator role of each Web service; without that role assignment they cannot perform any operation in the Business Management applications. Adding <CS Installer> to each administrator role lets that account open and use every Business Management application.
BizTalk Adapters Role Assignments
The following table lists the role assignments to which CSLOB, the BizTalk adapters identity, must be added.
| Authorization store | Role | Description |
|---|---|---|
| CatalogAuthorizationStore | CatalogAdministrator | Gives the catalog adapter permission to import catalog changes and export catalogs. |
| CatalogAuthorizationStore | InventoryAdministrator | Gives the inventory adapter permission to import inventory catalog changes and export inventory catalogs. |
| OrdersAuthorizationStore | OrdersAdapter | Enables the orders adapter to perform all basic functions, such as Update Purchase Order, Save Purchase Order, Accept Basket, Orders Query, and Orders Export. |
| ProfilesAuthorizationStore | UserObject, ProfileWriter_Adapter | Enables the profiles adapter to update profile objects when it uses the following operations: Profile Delete, Profile Update, Profile Import, Profile Query, and Profile Export. |
Commerce Server Health Monitoring Service Role Assignments
For Commerce Server 2009 to monitor the Web services, you must grant the Commerce Server 2009 Health Monitoring service permissions to view each service. The following table lists the role assignments you assign to the CSHealthMonitorSvc account.
| Authorization store | Role |
|---|---|
| CatalogAuthorizationStore.xml | CatalogViewer |
| MarketingAuthorizationStore.xml | MarketingViewer |
| OrdersAuthorizationStore.xml | OrdersViewer |
| ProfilesAuthorizationStore.xml | ProfileAdministrator |
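The three role-assignment tables above (Web service administrators, the CSLOB adapter identity, and the CSHealthMonitorSvc viewer roles) all come down to adding a Windows account to a role in an Authorization Manager XML store. The following PowerShell is an added example, not code from the Commerce Server 2009 documentation; it drives the Authorization Manager COM interface (AzRoles) directly. The store directory, the domain name and the assumption that every application in a store gets the same assignment are placeholders and assumptions of this example; run it as an account with write permission on the store files, such as <CS Installer>.

```powershell
# Added example (not from the Commerce Server 2009 documentation): add Windows
# accounts to roles in the Authorization Manager XML stores listed above.
# Store directory and domain are placeholders.
$Domain   = 'CONTOSO'                                  # placeholder domain
$StoreDir = 'C:\CommerceServer\AuthorizationStores'    # placeholder path to the .xml stores

# Assignments transcribed from the tables above. The profiles adapter role is
# scope-level (scope UserObject), so it carries a Scope entry.
$Assignments = @(
    @{ Store='CatalogAuthorizationStore.xml';   Role='Administrator';          Members=@('CatalogWebSvc') }
    @{ Store='CatalogAuthorizationStore.xml';   Role='CatalogAdministrator';   Members=@('CSLOB') }
    @{ Store='CatalogAuthorizationStore.xml';   Role='InventoryAdministrator'; Members=@('CSLOB') }
    @{ Store='CatalogAuthorizationStore.xml';   Role='CatalogViewer';          Members=@('CSHealthMonitorSvc') }
    @{ Store='MarketingAuthorizationStore.xml'; Role='MarketingAdministrator'; Members=@('MarketingWebSvc') }
    @{ Store='MarketingAuthorizationStore.xml'; Role='MarketingViewer';        Members=@('CSHealthMonitorSvc') }
    @{ Store='OrdersAuthorizationStore.xml';    Role='OrdersAdministrator';    Members=@('OrdersWebSvc') }
    @{ Store='OrdersAuthorizationStore.xml';    Role='OrdersAdapter';          Members=@('CSLOB') }
    @{ Store='OrdersAuthorizationStore.xml';    Role='OrdersViewer';           Members=@('CSHealthMonitorSvc') }
    @{ Store='ProfilesAuthorizationStore.xml';  Role='ProfileAdministrator';   Members=@('ProfilesWebSvc', 'CSHealthMonitorSvc') }
    @{ Store='ProfilesAuthorizationStore.xml';  Scope='UserObject'; Role='ProfileWriter_Adapter'; Members=@('CSLOB') }
)

function Add-AzRoleMember {
    param([string]$StorePath, [string]$Role, [string[]]$Members, [string]$Scope)
    $store = New-Object -ComObject AzRoles.AzAuthorizationStore
    $store.Initialize(0, "msxml://$StorePath", $null)      # flags 0 = open an existing store
    foreach ($app in $store.Applications) {                 # assumption: same roles in every application
        # Scope-level roles (the Profiles System) are opened through the scope object.
        $container = if ($Scope) { $app.OpenScope($Scope, $null) } else { $app }
        $roleObj = $container.OpenRole($Role, $null)
        foreach ($member in $Members) {
            $roleObj.AddMemberName("$Domain\$member", $null)   # AzMan resolves the name to a SID
        }
        $roleObj.Submit(0, $null)                            # persist the change to the XML file
    }
}

foreach ($a in $Assignments) {
    Add-AzRoleMember -StorePath (Join-Path $StoreDir $a.Store) -Role $a.Role `
                     -Members $a.Members -Scope $a.Scope
}
```

Because the stores are plain XML files, the same write permission that lets this script add members also lets anyone with it grant themselves an administrator role; restrict NTFS access on the store directory to the installer and the Web service identities that must read it, and keep the files under change control so unexpected role members are visible in a diff.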
Additional User Groups for Granular Security
The following sections summarize the various authorization roles that are predefined for the Commerce Server 2009 systems. For each authorization role of interest, create an associated user group on the domain controller. You can then add business user accounts to the user group.
Catalog and Inventory Systems
Marketing System
Orders System
Profiles System
For each user group you create, you must assign the groups to authorization roles through the Authorization Manager. For more information, see Authorizing Users and Groups to Access Web Services.
Note
A few features require permissions in more than one authorization store. For example, the authorization role must have Profiles Administrator and Catalog Viewer permissions to create credit card profiles.
Catalog and Inventory Systems
The following table describes the predefined authorization roles for the Catalog System and the Inventory System.
| Role | Description |
|---|---|
| CatalogAdministrator | Members can manage the Catalog System. |
| CatalogViewer | Members have read access to the Catalog System. |
| CatalogManager | Members can manage all the catalogs in the Catalog System. |
| SchemaManager | Members can manage the catalog and inventory schema, including property, category, and product definitions. |
| CatalogSetsAdministrator | Members can manage all the catalog sets. |
| CatalogSetsViewer | Members can view all the catalog sets in the Catalog System. |
| InventoryAdministrator | Members can manage the Inventory System. |
| InventoryViewer | Members can view all the catalogs in the Inventory System. |
| InventorySynchronizationManager | Members can synchronize the run-time Inventory System with the management system. |
| Administrator | Members can manage the Catalog System and the Inventory System. |
Marketing System
The following table describes the predefined authorization roles for the Marketing System.
| Role | Description |
|---|---|
| MarketingAdministrator | Members have full access to every operation in the Marketing System. |
| MarketingApprover | Members can approve or reject marketing items, such as campaigns, discounts, and expressions. |
| MarketingAuthor | Members can create marketing-related items, including customers, campaigns, discounts, and expressions. |
| MarketingViewer | Members can view and search marketing items, including campaign event logs. |
| GlobalExpressionAuthor | Members can create, edit, and delete global expressions across multiple discounts. |
| RuntimeSiteManager | Members can refresh the Discounts and Advertisements caches of the run-time site. |
Orders System
The following table describes the predefined authorization roles for the Orders System.
| Role | Description |
|---|---|
| OrdersAdministrator | Members can manage data integrity and cleanup issues. |
| OrdersConfigurationEditor | Members can manage orders configuration data for the site. |
| OrdersViewer | Members have read access to view orders. |
| OrdersAdapter | Members can search orders for order processing and updates. |
Profiles System
The following table describes the predefined authorization roles for the Profiles System.
| Role | Description |
|---|---|
| ProfileAdministrator | Members have complete access to the Profiles System. |
| ProfileWriter_BusinessManager | Members of this scope-level role have access to the profile definition within the scope. There are six profile definitions: UserObject, Address, Organization, BlanketPO, CreditCard, and Currency. |
| ProfileWriter_CSR | Members of this scope-level role have access to the profile definition within the scope. |
| ProfileWriter_Adapter | Members of this scope-level role have access to the profile definition within the scope. |
Users of the scope-level roles have access only to the profile type within the scope name. For example, members of the ProfileWriter_BusinessManager role in the UserObject scope have access to the UserObject profile definition only. You must add users to each scope-level role individually.
SQL Server Database Instances, Accounts, and Role User Mappings
SQL Server Database Instances Created for Commerce Server
The following table summarizes the Commerce Server 2009 databases and default database names that Commerce Server 2009 and the installation guide use.
| Commerce Server 2009 SQL Server database instance | Default database name | How the database is created |
|---|---|---|
| CS Administration | MSCS_Admin | Created by the Commerce Server 2009 Configuration Wizard. |
| CS Catalog Scratch | MSCS_CatalogScratch | Created by unpacking the catalog site resource. |
| Direct Mailer | DirectMailer | Created by the Commerce Server 2009 Configuration Wizard. |
| Site Catalog | <site_name>_productcatalog | Created when you unpack the site resource. |
| Site Marketing | <site_name>_marketing | Created when you unpack the site resource. |
| Site Marketing List | <site_name>_marketing_lists | Created when you unpack the site resource. |
| Site Profiles | <site_name>_profiles | Created when you unpack the site resource. |
| Site Transaction Configuration | <site_name>_transactionconfig | Created when you unpack the site resource. |
| Site Transactions | <site_name>_transactions | Created when you unpack the site resource. |
SQL Database Account, Database, and Database Role User Mapping
The following table lists the accounts on the computers that are running SQL Server that you must add to the specified roles. By default, the database names start with DefaultSite. However, you might have specified different database names when you unpacked your site.
| Database account | Database | SQL Server roles |
|---|---|---|
| ASPNET | MSCS_Admin | db_datareader |
| CatalogWebSvc | MSCS_Admin | admin_reader_role |
| CatalogWebSvc | MSCS_CatalogScratch | db_datareader, db_datawriter, db_ddladmin |
| CatalogWebSvc | DefaultSite_ProductCatalog | ctlg_CatalogWriterRole, db_datareader, db_datawriter, db_ddladmin, db_securityadmin, Inventory_ReaderRole, Inventory_WriterRole |
| MarketingWebSvc | MSCS_Admin | admin_reader_role |
| MarketingWebSvc | DefaultSite_Marketing | mktg_MarketingService_role, mktg_promoCodeGenerator_role |
| MarketingWebSvc | DefaultSite_MarketingLists | db_owner |
| MarketingWebSvc | DefaultSite_ProductCatalog | ctlg_catalogReaderRole |
| MarketingWebSvc | DefaultSite_Profiles | Profile_Reader, Profile_Schema_Reader |
| OrdersWebSvc | MSCS_Admin | admin_reader_role |
| OrdersWebSvc | MSCS_CatalogScratch | db_datareader, db_datawriter, db_ddladmin |
| OrdersWebSvc | DefaultSite_Marketing | db_ddladmin, mktg_runtime_role |
| OrdersWebSvc | DefaultSite_ProductCatalog | ctlg_catalogReaderRole, Inventory_ReaderRole |
| OrdersWebSvc | DefaultSite_Profiles | Profile_Reader, Profile_Schema_Reader |
| OrdersWebSvc | DefaultSite_TransactionConfig | Orders_Management |
| OrdersWebSvc | DefaultSite_Transactions | Orders_Management, Orders_Runtime |
| ProfilesWebSvc | MSCS_Admin | admin_reader_role |
| ProfilesWebSvc | DefaultSite_Profiles | Profile_Schema_Manager, Profile_Runtime |
| RunTimeUser | MSCS_Admin | admin_reader_role |
| RunTimeUser | MSCS_CatalogScratch | db_datareader, db_datawriter, db_ddladmin |
| RunTimeUser | DefaultSite_Marketing | db_ddladmin, mktg_runtime_role |
| RunTimeUser | DefaultSite_MarketingLists | db_datareader |
| RunTimeUser | DefaultSite_ProductCatalog | ctlg_catalogReaderRole, Inventory_RuntimeRole |
| RunTimeUser | DefaultSite_Profiles | Profile_Schema_Reader, Profile_Runtime |
| RunTimeUser | DefaultSite_TransactionConfig | Orders_Runtime |
| RunTimeUser | DefaultSite_Transactions | Orders_Runtime |
| CSDMSvc | DirectMailer | db_owner |
| CSDMSvc | MSCS_Admin | admin_reader_role |
| CSDMSvc | DefaultSite_Marketing | mktg_directmailer_role |
| CSDMSvc | DefaultSite_MarketingLists | db_owner |
| CSDMSvc | DefaultSite_Profiles | Profile_Schema_Reader, Profile_Reader |
| CSHealthMonitorSvc | MSCS_Admin | admin_reader_role |
| CSStageSvc | MSCS_Admin | admin_reader_role |
| CSStageSvc | MSCS_CatalogScratch | db_datareader, db_datawriter, db_ddladmin |
| CSStageSvc | DefaultSite_Marketing | db_ddladmin, mktg_staging_role |
| CSStageSvc | DefaultSite_MarketingLists | db_datareader |
| CSStageSvc | DefaultSite_ProductCatalog | ctlg_CatalogWriterRole, db_datareader, db_datawriter, db_ddladmin, db_securityadmin, Inventory_ReaderRole, Inventory_WriterRole |
| CSStageSvc | DefaultSite_Profiles | Profile_Schema_Manager |
| CSStageSvc | DefaultSite_TransactionConfig | Orders_Management |
| <CS Staging User> | MSCS_Admin | db_datareader |
| <CS Staging User> | MSCS_CatalogScratch | db_datareader, db_datawriter, db_ddladmin |
| <CS Staging User> | DefaultSite_ProductCatalog | ctlg_CatalogWriterRole, Inventory_ReaderRole |
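The mapping table above is the least-privilege contract for the data tier: each service identity gets a Windows login and membership in exactly the listed database roles, and nothing more. The following PowerShell is an added example, not code from the Commerce Server 2009 documentation. It generates the T-SQL for a subset of the rows (extend the array from the table for a full deployment) and applies it with Invoke-Sqlcmd, using sp_addrolemember so that it works on the SQL Server 2005/2008 releases this product targets. The domain and instance names are placeholders; the database names assume the DefaultSite defaults noted above.

```powershell
# Added example (not from the Commerce Server 2009 documentation): create the SQL
# Server logins for the service identities and map them to the database roles
# listed in the table above. Assumes Invoke-Sqlcmd (SQL Server PowerShell
# snap-in or module). Domain and instance are placeholders.
$Domain   = 'CONTOSO'            # placeholder domain
$Instance = 'SQL01\COMMERCE'     # placeholder SQL Server instance

# Subset of the rows in the table above; add the remaining rows the same way.
$Mappings = @(
    @{ Account='RunTimeUser';    Database='MSCS_Admin';                 Roles=@('admin_reader_role') }
    @{ Account='RunTimeUser';    Database='DefaultSite_ProductCatalog'; Roles=@('ctlg_catalogReaderRole', 'Inventory_RuntimeRole') }
    @{ Account='RunTimeUser';    Database='DefaultSite_Transactions';   Roles=@('Orders_Runtime') }
    @{ Account='CatalogWebSvc';  Database='DefaultSite_ProductCatalog'; Roles=@('ctlg_CatalogWriterRole', 'db_datareader', 'db_datawriter', 'db_ddladmin', 'db_securityadmin', 'Inventory_ReaderRole', 'Inventory_WriterRole') }
    @{ Account='ProfilesWebSvc'; Database='DefaultSite_Profiles';       Roles=@('Profile_Schema_Manager', 'Profile_Runtime') }
)

function ConvertTo-RoleMappingSql {
    # Build one idempotent batch per row: login, database user, then role memberships.
    # Names come from the fixed table above, not from user input, so bracket quoting suffices.
    param([hashtable]$Map, [string]$Domain)
    $login = "$Domain\$($Map.Account)"
    $sql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$login')
    CREATE LOGIN [$login] FROM WINDOWS;
USE [$($Map.Database)];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$login')
    CREATE USER [$login] FOR LOGIN [$login];
"@
    foreach ($role in $Map.Roles) {
        $sql += @"

IF NOT EXISTS (SELECT 1 FROM sys.database_role_members rm
               JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
               JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
               WHERE r.name = N'$role' AND m.name = N'$login')
    EXEC sp_addrolemember N'$role', N'$login';
"@
    }
    return $sql
}

function Get-DatabaseRoleMembers {
    # Audit helper: list every role membership in a database so drift from the
    # table (for example an unexpected db_owner member) is visible.
    param([string]$Instance, [string]$Database)
    Invoke-Sqlcmd -ServerInstance $Instance -Database $Database -Query @"
SELECT r.name AS RoleName, m.name AS MemberName
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
ORDER BY r.name, m.name;
"@
}

foreach ($m in $Mappings) {
    $batch = ConvertTo-RoleMappingSql -Map $m -Domain $Domain
    Invoke-Sqlcmd -ServerInstance $Instance -Query $batch
}

# Review the result for one database after applying the mappings.
Get-DatabaseRoleMembers -Instance $Instance -Database 'DefaultSite_ProductCatalog' | Format-Table -AutoSize
```

Two rows in the table deserve particular attention when you review the audit output: db_owner is granted only to MarketingWebSvc and CSDMSvc on DefaultSite_MarketingLists and to CSDMSvc on DirectMailer, and db_securityadmin only to CatalogWebSvc and CSStageSvc on DefaultSite_ProductCatalog. Any other member of those roles is drift from the documented configuration.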
See Also
Other Resources
What Are the Required Accounts and Groups?
How to Create a Domain Account in Active Directory
How to Create a Group in Active Directory
How to Add Business User Accounts to Active Directory Groups
Authorizing Users and Groups to Access Web Services
Configuring a Domain Controller