Thanks to TechNet

Minimum Security Rights for BizTalk Server 2013 R2

Table of Contents

• Introduction
• Security Rights Table
• See Also

Introduction

A few years ago, I think it was 2005 or so, a customer asked me to try to boil down the security you need for each type of BizTalk Server rights. Below is a list of table that is my best attempt to summarize how to do this.

1. Identify the task that the user needs to perform.
2. From that, look in the level 0 - 4 columns to find the right column.
3. Once identified, then walk down the column and adjust the permissions identified.

This is the first of a series of articles for BizTalk Server security, I will upload the BizTalk Server 2013 and 2010 on a later date.

Security Rights Table

	Level 0 Basic administration and monitoring	Level 1 BizTalk application administration	Level 2 BizTalk group administration	Level 3 BizTalk host instance administration	Level 4 SQL and SSO administration
Tasks enabled are to the right.	NOTE: No ability to change configuration settings No access to message properties or content - Start or stop applications, orchestrations, send ports, and send port groups- Enable or disable receive locations - Search for artifacts - View Group Hub page, perform queries, save and load queries - View query results  - Read only of general configuration and tracking configuration  - View message flow, message events  Suspend, terminate, or resume instances	All rights not listed in Levels 2 through 4 In this area, if you do not find a specific task in any other area, then the user most likely needs this level of security access.	- Create and delete BizTalk hosts  - Change host tracking property  - Add and delete servers  - Add and delete receive handlers  - Add adapters	- Create and delete host instances	- Create a Message Box database  - Manage the SSO Secret - Manage the server holding the SSO Master Secret
Active Directory or Local Groups ACTION: Add user to group	BizTalk Server Operators	BizTalk Server Administrators (BizTalk Server Operators not needed)	BizTalk Server Administrators SSO Affiliate Administrators	BizTalk Server Administrators SSO Affiliate Administrators	BizTalk Server Administrators SSO Administrators SSO Affiliate Administrators
BizTalk Server(s) ACTION: Add user to local group				BUILTIN\Administrators	BUILTIN\Administrators
SQL Server(s) ACTION: Add user toSQL Server Roles				Security Administrators	System Administrators
SQL Database ACTION: In each database, add user todatabase role			Databases:  - BizTalkDTADb   - BizTalkRuleEngineDb  - BizTalkMgmtDb   - BAMPrimaryImport   - BizTalkMsgBoxDb  Roles:  - db_securityadmin   - db_accessadmin  Database:  - BizTalkMsgBoxDb  Roles:  - db_ddladmin	Databases:  - BizTalkDTADb   - BizTalkRuleEngineDb   - BizTalkMgmtDb   - BAMPrimaryImport   - BizTalkMsgBoxDb  Roles:  - db_securityadmin   - db_accessadmin  Database:  - BizTalkMsgBoxDb  Roles:  - db_ddladmin	No database roles needed due to SQL Server role membership