Introduction

A few years ago, I think it was 2005 or so, a customer asked me to boil down the security rights you need for each type of BizTalk Server administration task. Below is a table that is my best attempt to summarize how to do this.

  1. Identify the task that the user needs to perform.
  2. Find the level (Level 0 to Level 4) whose task list contains that task.
  3. Then walk down that level and grant the group and role memberships it lists.

This is the first of a series of articles on BizTalk Server security; I will upload the BizTalk Server 2013 and 2010 versions at a later date.

Security Rights Table

Level 0 - Basic administration and monitoring

  Tasks enabled (NOTE: no ability to change configuration settings; no access to message properties or content):
   - Start or stop applications, orchestrations, send ports, and send port groups
   - Enable or disable receive locations
   - Search for artifacts
   - View the Group Hub page, perform queries, save and load queries
   - View query results
   - Read-only view of general configuration and tracking configuration
   - View message flow and message events
   - Suspend, terminate, or resume instances
  Active Directory or local groups (ACTION: add user to group):
   - BizTalk Server Operators
  BizTalk Server(s) (ACTION: add user to local group): none
  SQL Server(s) (ACTION: add user to SQL Server roles): none
  SQL database (ACTION: in each database, add user to database role): none

Level 1 - BizTalk application administration

  Tasks enabled:
   - All rights not listed in Levels 2 through 4. If you do not find a specific task in any other level, the user most likely needs this level of security access.
  Active Directory or local groups (ACTION: add user to group):
   - BizTalk Server Administrators (BizTalk Server Operators not needed)
  BizTalk Server(s) (ACTION: add user to local group): none
  SQL Server(s) (ACTION: add user to SQL Server roles): none
  SQL database (ACTION: in each database, add user to database role): none

Level 2 - BizTalk group administration

  Tasks enabled:
   - Create and delete BizTalk hosts
   - Change the host tracking property
   - Add and delete servers
   - Add and delete receive handlers
   - Add adapters
  Active Directory or local groups (ACTION: add user to group):
   - BizTalk Server Administrators
   - SSO Affiliate Administrators
  BizTalk Server(s) (ACTION: add user to local group):
   - BUILTIN\Administrators
  SQL Server(s) (ACTION: add user to SQL Server roles):
   - Security Administrators
  SQL database (ACTION: in each database, add user to database role):
   - Databases BizTalkDTADb, BizTalkRuleEngineDb, BizTalkMgmtDb, BAMPrimaryImport, BizTalkMsgBoxDb: roles db_securityadmin and db_accessadmin
   - Database BizTalkMsgBoxDb: role db_ddladmin

Level 3 - BizTalk host instance administration

  Tasks enabled:
   - Create and delete host instances
  Active Directory or local groups (ACTION: add user to group):
   - BizTalk Server Administrators
   - SSO Affiliate Administrators
  BizTalk Server(s) (ACTION: add user to local group):
   - BUILTIN\Administrators
  SQL Server(s) (ACTION: add user to SQL Server roles): none
  SQL database (ACTION: in each database, add user to database role):
   - Databases BizTalkDTADb, BizTalkRuleEngineDb, BizTalkMgmtDb, BAMPrimaryImport, BizTalkMsgBoxDb: roles db_securityadmin and db_accessadmin
   - Database BizTalkMsgBoxDb: role db_ddladmin

Level 4 - SQL and SSO administration

  Tasks enabled:
   - Create a MessageBox database
   - Manage the SSO secret
   - Manage the server holding the SSO master secret
  Active Directory or local groups (ACTION: add user to group):
   - BizTalk Server Administrators
   - SSO Administrators
   - SSO Affiliate Administrators
  BizTalk Server(s) (ACTION: add user to local group): none
  SQL Server(s) (ACTION: add user to SQL Server roles):
   - System Administrators
  SQL database (ACTION: in each database, add user to database role): no database roles needed due to SQL Server role membership

Placement note: the original table lists BUILTIN\Administrators twice, Security Administrators once, System Administrators once, and the database role set twice, without naming the levels they belong to. Levels 0 and 1 need nothing beyond the BizTalk Windows groups; the assignment of the remaining entries to Levels 2, 3 and 4 above follows the order in which they appear and is an assumption. A level marked "none" had no entry in the original table.
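The database role set for Levels 2 and 3, applied and then audited with T-SQL. This is an added example, not code from the original article; the group name BTSDOMAIN\BizTalkGroupAdmins is a placeholder, and sp_addrolemember is used instead of ALTER ROLE so the script also runs on older SQL Server versions.

```sql
-- Added example, not from the original article: grant the Level 2 / Level 3
-- database role set to one Windows group and then list everyone who holds
-- those admin roles in each database, so unexpected members can be reviewed.
-- BTSDOMAIN\BizTalkGroupAdmins is a placeholder group name.
DECLARE @grp sysname, @db sysname, @sql nvarchar(max);
SET @grp = N'BTSDOMAIN\BizTalkGroupAdmins';   -- placeholder, replace with your group

-- A server login for the group must exist before it can be mapped to database users.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = @grp)
BEGIN
    SET @sql = N'CREATE LOGIN ' + QUOTENAME(@grp) + N' FROM WINDOWS;';
    EXEC sp_executesql @sql;
END;

-- Only the five BizTalk databases named in the table, and only those present.
DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases
    WHERE name IN (N'BizTalkDTADb', N'BizTalkRuleEngineDb', N'BizTalkMgmtDb',
                   N'BAMPrimaryImport', N'BizTalkMsgBoxDb');
OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- One batch per database: map the login to a user, add the two roles every
    -- BizTalk database needs, db_ddladmin in the MessageBox only, then audit.
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
        IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = @g)
            CREATE USER ' + QUOTENAME(@grp) + N' FOR LOGIN ' + QUOTENAME(@grp) + N';
        EXEC sp_addrolemember N''db_securityadmin'', @g;
        EXEC sp_addrolemember N''db_accessadmin'', @g;'
      + CASE WHEN @db = N'BizTalkMsgBoxDb'
             THEN N' EXEC sp_addrolemember N''db_ddladmin'', @g;' ELSE N'' END
      + N'
        SELECT DB_NAME() AS db, r.name AS role_name, m.name AS member_name
        FROM sys.database_role_members rm
        JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
        JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
        WHERE r.name IN (N''db_securityadmin'', N''db_accessadmin'', N''db_ddladmin'')
        ORDER BY role_name, member_name;';
    EXEC sp_executesql @sql, N'@g sysname', @g = @grp;
    FETCH NEXT FROM dbs INTO @db;
END;
CLOSE dbs;
DEALLOCATE dbs;
```

Run it as a sysadmin; each database returns one result set listing the current members of the three admin roles, so any account beyond the intended group shows up for review.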