
Elevating permissions for BizTalk Server Operators group

This blog post is about elevating the permissions for members of the BizTalk Server Operators group. By executing a SQL Server script, you can easily grant them the rights to view BizTalk message bodies which allows easy debugging or follow up in different scenarios without having to change memberships.

The out-of-the-box BizTalk Server Operators group has limited access to the BizTalk environment. An extract from MSDN:

Members of the BizTalk Server Operators group can do the following:

  • View service state and message flow
  • Start or stop applications
  • Start or stop orchestrations
  • Start or stop send ports or send port groups
  • Enable or disable receive locations
  • Terminate and resume service instances

Members of the BizTalk Server Operators group cannot do the following:

  • Modify the configuration for BizTalk Server
  • View message context properties classified as Personally Identifiable Information (PII) or message bodies.
  • Modify the course of message routing, such as removing or adding new subscriptions to the running system, including the ability to publish messages into the BizTalk Server runtime.

Lately, I had a request to elevate the permissions for BizTalk Operators, so they were able to see the tracked message bodies. The content of a message is often needed for decent troubleshooting. Because BizTalk security is actually enforced through SQL Server security, it was pretty easy to implement this request. It’s sufficient to give the database role “BTS_OPERATORS” additional EXECUTE rights on the specific BizTalk stored procedures that are involved in retrieving BizTalk message bodies, in each of the three BizTalk databases. All details can be found in the script below:

-- Tracking database: procedures that return tracked messages, parts and context.
USE BizTalkDTADb;
GRANT EXECUTE ON OBJECT::bts_GetTrackedMessage TO BTS_OPERATORS;
GRANT EXECUTE ON OBJECT::bts_GetTrackedMessageFragments TO BTS_OPERATORS;
GRANT EXECUTE ON OBJECT::bts_GetTrackedMessageParts TO BTS_OPERATORS;
GRANT EXECUTE ON OBJECT::ops_LoadTrackedMessageContext TO BTS_OPERATORS;
GRANT EXECUTE ON OBJECT::ops_LoadTrackedMessages TO BTS_OPERATORS;
GRANT EXECUTE ON OBJECT::ops_LoadTrackedPart TO BTS_OPERATORS;
GRANT EXECUTE ON OBJECT::ops_LoadTrackedPartByID TO BTS_OPERATORS;
GRANT EXECUTE ON OBJECT::ops_LoadTrackedPartFragment TO BTS_OPERATORS;
GRANT EXECUTE ON OBJECT::ops_LoadTrackedPartNames TO BTS_OPERATORS;
GRANT EXECUTE ON OBJECT::ops_LoadTrackedParts TO BTS_OPERATORS;
GO

-- MessageBox database: the same tracked-message procedures, plus the ones
-- that return messages and parts still in the MessageBox.
USE BizTalkMsgBoxDb;
GRANT EXECUTE ON OBJECT::bts_GetTrackedMessage TO BTS_OPERATORS;
GRANT EXECUTE ON OBJECT::bts_GetTrackedMessageFragments TO BTS_OPERATORS;
GRANT EXECUTE ON OBJECT::bts_GetTrackedMessageParts TO BTS_OPERATORS;
GRANT EXECUTE ON OBJECT::ops_LoadMessageContext TO BTS_OPERATORS;
GRANT EXECUTE ON OBJECT::ops_LoadMessages TO BTS_OPERATORS;
GRANT EXECUTE ON OBJECT::ops_LoadPart TO BTS_OPERATORS;
GRANT EXECUTE ON OBJECT::ops_LoadPartFragment TO BTS_OPERATORS;
GRANT EXECUTE ON OBJECT::ops_LoadPartNames TO BTS_OPERATORS;
GRANT EXECUTE ON OBJECT::ops_LoadParts TO BTS_OPERATORS;
GRANT EXECUTE ON OBJECT::ops_LoadTrackedMessageContext TO BTS_OPERATORS;
GRANT EXECUTE ON OBJECT::ops_LoadTrackedMessages TO BTS_OPERATORS;
GRANT EXECUTE ON OBJECT::ops_LoadTrackedPart TO BTS_OPERATORS;
GRANT EXECUTE ON OBJECT::ops_LoadTrackedPartByID TO BTS_OPERATORS;
GRANT EXECUTE ON OBJECT::ops_LoadTrackedPartFragment TO BTS_OPERATORS;
GRANT EXECUTE ON OBJECT::ops_LoadTrackedPartNames TO BTS_OPERATORS;
GRANT EXECUTE ON OBJECT::ops_LoadTrackedParts TO BTS_OPERATORS;
GO

-- Management database: message type and part save procedures (dpl_*).
USE BizTalkMgmtDb;
GRANT EXECUTE ON OBJECT::dpl_MessageType_Part_Save TO BTS_OPERATORS;
GRANT EXECUTE ON OBJECT::dpl_MessageType_Save TO BTS_OPERATORS;
GRANT EXECUTE ON OBJECT::dpl_Operation_MsgType_Save TO BTS_OPERATORS;
GRANT EXECUTE ON OBJECT::dpl_SaveItem TO BTS_OPERATORS;
GO

Once this script has been executed, members of the BizTalk Server Operators group can view message bodies for debugging or follow-up, and no group memberships need to be changed.
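Since these grants are not part of a default BizTalk installation, it is worth being able to verify them and to revert them later. The following audit query is an added example and not part of the original post: it compares the procedure list from the tracking-database section of the script above with what the SQL Server catalog actually records for the BTS_OPERATORS role, flags any procedure that is not granted, and produces a ready-made REVOKE statement for each grant that is present. It assumes the procedures live in the role's default schema, as the unqualified names in the script do; adjust the procedure list for the other two databases.

```sql
-- Added example: verify (and prepare a rollback for) the non-default
-- EXECUTE grants given to BTS_OPERATORS in the tracking database.
USE BizTalkDTADb;

-- Expected grants for this database, taken from the script in the post.
DECLARE @expected TABLE (proc_name sysname NOT NULL);
INSERT INTO @expected (proc_name) VALUES
    (N'bts_GetTrackedMessage'),         (N'bts_GetTrackedMessageFragments'),
    (N'bts_GetTrackedMessageParts'),    (N'ops_LoadTrackedMessageContext'),
    (N'ops_LoadTrackedMessages'),       (N'ops_LoadTrackedPart'),
    (N'ops_LoadTrackedPartByID'),       (N'ops_LoadTrackedPartFragment'),
    (N'ops_LoadTrackedPartNames'),      (N'ops_LoadTrackedParts');

-- Explicit object-level EXECUTE permissions currently held by the role.
-- Note: permissions inherited through other roles or granted at schema
-- level are not object-level entries and will not appear here.
;WITH actual AS (
    SELECT o.name AS proc_name, p.state_desc
    FROM sys.database_permissions AS p
    JOIN sys.database_principals AS r
        ON r.principal_id = p.grantee_principal_id
    JOIN sys.objects AS o
        ON o.object_id = p.major_id
    WHERE r.name = N'BTS_OPERATORS'
      AND p.class_desc = N'OBJECT_OR_COLUMN'
      AND p.permission_name = N'EXECUTE'
)
SELECT
    e.proc_name,
    -- MISSING means the grant from the script is not in place (or was revoked).
    COALESCE(a.state_desc, N'MISSING') AS grant_state,
    -- Rollback statement for every grant that is actually present.
    CASE WHEN a.state_desc IS NOT NULL
         THEN N'REVOKE EXECUTE ON OBJECT::' + QUOTENAME(e.proc_name)
              + N' FROM BTS_OPERATORS;'
    END AS rollback_statement
FROM @expected AS e
LEFT JOIN actual AS a
    ON a.proc_name = e.proc_name
ORDER BY e.proc_name;
```

Running the generated rollback statements restores the out-of-the-box state for those procedures only, so the default rights of the Operators role are left untouched.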

Update

Please note that the above method is not supported by Microsoft, so be sure you know what you are doing!
Also note that database schemas and security may vary depending on the version of BizTalk you are using.
