Access Control for Administrative Roles

When a user opens any of the BizTalk Server tools that require access to the databases or to Windows resources, the interactive user of the tool must have the proper SQL Server and Windows user rights in order to perform the various tasks that the tools support.

One or more of the BizTalk Server tools access the BizTalk Server databases. Therefore, BizTalk Server must grant some level of access in each database to the BizTalk Server Administrators. Furthermore, for security reasons, BizTalk Server Administrators should not have more user rights than necessary to perform their jobs. Using SQL Server database roles, BizTalk Server can fulfill both requirements. Anytime you create a BizTalk Server database through installation or the BizTalk Server Administration console, BizTalk Server automatically creates SQL Server database roles for both these administrative roles in that database. BizTalk Server grants each role, and any SQL Server login assigned to the role, the minimum user rights needed by administrators on the SQL Server objects (tables, views, stored procedures, etc) to perform administrative tasks on that database.


There are some administrative tasks that require BizTalk Administrators to have more permission that those given to them through the SQL Server roles such as creating host instances. For more information about these additional permissions, see Minimum Security User Rights.

In BizTalk Server, there are two Administrative Roles: the BizTalk Server Administrator, and the BizTalk Server Operator. The BizTalk Server Administrator is a high privilege role with access to configuration and tracking data. The BizTalk Server Operator is a low privilege role with access only to monitoring and troubleshooting actions. The BizTalk Server Operators group:

  • Is a lower privilege administrative role without access to message data.

  • Enables members to monitor BizTalk Server for errors, query for suspended messages\instances, view configuration.

  • Prevents members from changing BizTalk Server configuration. For example BizTalk Server Operators cannot change send ports, receive locations, filters on ports, deploy new artifacts.

    BizTalk Server creates the default BizTalk Server Administrator Role when you install the product for the first time. By default, BizTalk Server calls this BizTalk Server Administrators, although you can choose a different name.

    Similarly, BizTalk Server creates in each database a SQL Server Database role for the user group for each host, and grants this role the minimum user rights it needs for the user group to perform tasks for that host. You must add the BizTalk Server Administrators to the Single Sign-On Affiliate Administrators Group. For more information about Enterprise Single Sign-On, see Using SSO.


BizTalk administrators must ensure they trust the source of the assembly they will deploy in the system. If they deploy assemblies with code you do not trust, they may expose the BizTalk environment to potential attacks. BizTalk Server does not enforce any restrictions on the actions that custom code components can perform when the BizTalk engine invokes them.

See Also

Access Control and Data Security
Windows Groups and User Accounts in BizTalk Server