The BizTalk360 service account (the one used by the IIS application pool and the monitoring service) must have adequate rights on the server; it should be a member of the following groups:
- Local Administrators Group (in all servers)
- BizTalk Server Administrators Group
- BizTalk Application Users Group
- BizTalk Isolated Host Users Group
- SSO Administrators Group
The service account therefore has powerful access, but all other users who access BizTalk360 have very limited access: they do not even need to belong to any BizTalk group, because BizTalk360 abstracts all the security requirements.
BizTalk360 service account user without Local (Windows) Admin permission:
The BizTalk360 installation cannot proceed under the service account's privileges unless the service account has local (Windows) admin privileges on all the servers (BizTalk Server, SQL Server).
Considerations while installing BizTalk360: log in to the machine with the service account that has Local Admin privileges. Open a command prompt with Admin privileges and navigate to the downloaded BizTalk360.msi file to proceed with the installation.
Note: If the BizTalk360 installation is started without admin privileges, it will encounter runtime access issues.
If the service account has not been granted local admin privileges, the following functionality will not work as expected:
1. In the Advanced Event Viewer, only the details of the machine where BizTalk360 is installed are fetched.
2. BizTalk Server and SQL Server system-related details will not be displayed under Operations (BizTalk360 UI -> Operations -> Infrastructure Settings -> BizTalk Services/SQL Services); the page will just spin for a long time.
3. BizTalk Server and SQL Server system-related details will not be displayed, and exceptions will be thrown, under BizTalk360 UI -> Monitoring -> Manage Mapping -> BizTalkServers/SQLServers.
4. File monitoring will become “Orphaned” if you configure it.
5. Analytics will work only partially: for some counters the details are fetched directly from the database, but other system-related information such as CPU and Available Memory will not be shown, as it requires elevated permissions.
BizTalk360 service account user without Sys Admin permission:
1. If the BizTalk360 service account (a domain user account) does not have sysadmin privileges on the BizTalk360 database, you will not be able to open the BizTalk360 web page; it will throw a login failed exception:
Cannot open database requested by the login. The login failed. Login failed for user
To solve this, grant the user the "db_owner" role or sysadmin access in the BizTalk360 database security settings.
2. If the BizTalk360 service account (a domain user account) does not have sysadmin privileges on the BizTalk database (BizTalkMgmtDb), you might face an exception during license activation.
3. BizTalk360 queries some of the BizTalk databases directly for performance reasons. For that, you need to grant SELECT/EXECUTE permission on those databases to the BizTalk360 service account.
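The T-SQL below is an added example, not a script from the BizTalk360 documentation or product. It sets up the narrower of the two options the page describes (db_owner on the BizTalk360 database rather than sysadmin), grants only SELECT and EXECUTE on BizTalkMgmtDb, and then impersonates the service account to confirm the effective permissions. The login name DOMAIN\svc_biztalk360 and the database name BizTalk360_DB are placeholders; substitute your own. BizTalkMgmtDb is the management database named on this page; repeat step 3 for any other BizTalk database BizTalk360 queries directly in your environment.

```sql
-- Added example; not part of the BizTalk360 documentation.
-- Placeholders (assumptions): login DOMAIN\svc_biztalk360, database BizTalk360_DB.

-- 1. Server-level login for the Windows service account (created only if missing).
USE master;
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'DOMAIN\svc_biztalk360')
    CREATE LOGIN [DOMAIN\svc_biztalk360] FROM WINDOWS;
GO

-- 2. BizTalk360 database: db_owner resolves the "Cannot open database requested by
--    the login" error without granting the account server-wide sysadmin rights.
USE BizTalk360_DB;
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'DOMAIN\svc_biztalk360')
    CREATE USER [DOMAIN\svc_biztalk360] FOR LOGIN [DOMAIN\svc_biztalk360];
ALTER ROLE db_owner ADD MEMBER [DOMAIN\svc_biztalk360];
GO

-- 3. BizTalk management database: read and execute only, which is what the direct
--    queries described on the page require.
USE BizTalkMgmtDb;
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'DOMAIN\svc_biztalk360')
    CREATE USER [DOMAIN\svc_biztalk360] FOR LOGIN [DOMAIN\svc_biztalk360];
GRANT SELECT, EXECUTE TO [DOMAIN\svc_biztalk360];
GO

-- 4. Verification: run as the service account and report its effective permissions.
--    Expected row: can_select = 1, can_execute = 1, is_sysadmin = 0.
USE BizTalkMgmtDb;
EXECUTE AS LOGIN = N'DOMAIN\svc_biztalk360';
SELECT HAS_PERMS_BY_NAME(NULL, NULL, 'SELECT')  AS can_select,   -- database-scoped SELECT
       HAS_PERMS_BY_NAME(NULL, NULL, 'EXECUTE') AS can_execute,  -- database-scoped EXECUTE
       IS_SRVROLEMEMBER('sysadmin')             AS is_sysadmin;  -- 0 confirms no server-wide admin
REVERT;
GO
```

Run the script as a SQL Server administrator. The verification block is the useful part for a change ticket: a row of 1, 1, 0 shows the account can do what BizTalk360 needs on the management database while staying out of the sysadmin role, which is the trade-off the page's customers are asking about.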
Some of our customers hesitate to grant high-level permissions such as Local Admin and System Admin for security reasons. We therefore recommend creating a separate account for the BizTalk360 service and granting it all the necessary permissions, so that those credentials are isolated.