Minimum Security Rights for BizTalk Server 2006 to 2020

Introduction

A few years ago, perhaps it was 2005 or so, a customer asked us to try to boil down the security you need for each type of BizTalk Server rights. Below is a list of table that is our best attempt to summarize how to do this.

  1. Identify the task that the user needs to perform.
  2. From that, tables that match each level of access and locate the task to perform.
  3. Once identified, locate the matching change table and make the appropriate changes to match.

This is the first of a series of articles for BizTalk Server security. This was reviewed all versions up to BizTalk Server 2020.

Security Rights Tables

Basic Access

Can

Cannot
Basic administration and monitoring:
  • Start or stop applications, orchestrations, send ports, and send port groups
  • Enable or disable receive locations
  • Get dependencies
  • Search for artifacts
  • View Group Hub page, perform queries, save queries, and load queries
  • View query results
  • Read-only of general configuration and tracking configuration
  • View message flow and message events
  • Suspend, terminate, and resume instances
  • View message content
  • View message context properties
  • View message properties
  • Create or Delete BizTalk hosts
  • Change host tracking properties
  • Add or delete Servers
  • Add or delete receive handlers
  • Add adapters
  • Create or delete host instances
  • Create a Message Box database
  • Manage the SSO secret
  • Manage the server holding the SSO master secret
  • Search for parties
  • Create a party

Application Administrator

Can

Cannot
BizTalk application administration:
  • All Basic Access tasks
  • View message content
  • View message context properties
  • View message properties
  • Create or Delete BizTalk hosts
  • Change host tracking properties
  • Add or delete Servers
  • Add or delete receive handlers
  • Add adapters
  • Create or delete host instances
  • Create a Message Box database
  • Manage the SSO secret
  • Manage the server holding the SSO master secret

Group Administrator

Can

Cannot
BizTalk Group Administration:
  • All Basic Access tasks
  • All Application Administrator tasks
  • Create and delete BizTalk hosts
  • Change host tracking property
  • Add and delete servers
  • Add and delete receive handlers
  • Add adapters
  • Create or delete host instances
  • Create a Message Box database
  • Manage the SSO secret
  • Manage the server holding the SSO master secret

Host Administrator

Can

Cannot
BizTalk host instance administration:
  • All Basic Access tasks
  • All Application Administrator tasks
  • All Group Administrator tasks
  • Create and delete host instances
  • Create a Message Box database
  • Manage the SSO secret
  • Manage the server holding the SSO master secret

Top Administrator

Can

Cannot
SQL and SSO administration
  • All Basic Access tasks
  • All Application Administrator tasks
  • All Group Administrator tasks
  • All Host Administrator tasks
  • Create a Message Box database
  • Manage the SSO Secret
  • Manage the server holding the SSO Master Secret
No restrictions

Group, Database, and Role Requirements

Basic Access Settings

Where to change

What to change
Active Directory or Local Groups Add user to:
  • BizTalk Server Operators
BizTalk Server(s) Local Groups None
SQL Server Roles None
SQL Server Database Roles None

Application Administrator Settings

Where to change

What to change
Active Directory or Local Groups Add user to:
  • BizTalk Server Administrators
BizTalk Server(s) Local Groups None
SQL Server Roles None
SQL Server Database Roles None

Group Administrator Settings

Where to change

What to change
Active Directory or Local Groups Add user to:
  • BizTalk Server Administrators
  • SSO Affiliate Administrators
BizTalk Server(s) Local Groups None
SQL Server Roles Add user to:
SQL Server Database Roles Add the user to the db_securityadmin and db_accessadmin roles in the following databases:
  • BizTalkDTADb
  • BizTalkRuleEngineDb
  • BizTalkMgmtDb
  • BAMPrimaryImport
  • BizTalkMsgBoxDb

Add the user to the db_ddladmin role in the following database:

  • BizTalkMsgBoxDb

Host Administrator Settings

Where to change

What to change
Active Directory or Local Groups Add user to:
  • BizTalk Server Administrators
  • SSO Affiliate Administrators
BizTalk Server(s) Local Groups Add user to:
  • BUILTIN\Administrators
SQL Server Roles Add user to:
SQL Server Database Roles Add the user to the db_securityadmin and db_accessadmin roles in the following databases:
  • BizTalkDTADb
  • BizTalkRuleEngineDb
  • BizTalkMgmtDb
  • BAMPrimaryImport
  • BizTalkMsgBoxDb

Add the user to the db_ddladmin role in the following database:

  • BizTalkMsgBoxDb

Top Administrator Settings

Where to change

What to change
Active Directory or Local Groups Add user to:
  • BizTalk Server Administrators
  • SSO Administrators
BizTalk Server(s) Local Groups Add user to:
  • BUILTIN\Administrators
SQL Server Roles Add user to:
SQL Server Database Roles None

Other languages

This article is also available in the following languages:

See Also

Another important place to find an extensive amount of BizTalk related articles is the TechNet Wiki itself. The best entry point is BizTalk Server Resources on the TechNet Wiki