BAM Security Recommendations
We recommend that you follow these guidelines for securing and deploying BAM in your environment:
If you are using SQL Server 2014 or SQL Server 2012 SP1, the administration computer must have the following software installed to deploy BAM:
SQL Server 2014 or SQL Server 2012 SP1
SQL Server 2014 or SQL Server 2012 SP1 client tools
SQL Server 2014 or SQL Server 2012 SP1 Integration Services
SQL Server 2014 or SQL Server 2012 SP1 Analysis Services
SQL Server 2005 Service Pack 3 (SP3), if you will be using BAM alerts
Note
SQL Server 2005 SP3 contains SQL Server Notification Services for SQL Server 2014 or SQL Server 2012 SP1.
Note
The user context under which the analysis DTS package runs must be a member of the db_owner SQL Server role of the BAM Primary Import and BAM Star Schema databases. In addition, the service account under which Analysis Services runs must be an OLAP administrator and must be a db_owner of the BAM Star Schema database. For more information, see the Microsoft Help and Support Web site at https://go.microsoft.com/fwlink/?LinkId=22781.
Multiple users need access to the live and archived data: salespeople, business managers, and others. These users must have domain accounts in the domain where the BAM Primary Import and BAM Analysis databases are (corporate domain), but their accounts do not need to have access to BizTalk resources.
For users to access views of the BAM data, you must use the BAM management utility (BM.exe) to grant the users permissions to the views, and the users must have SQL logins. For more information about the BAM management utility, see BAM Management Utility.
To add users to roles that have access to the cubes in the BAM Analysis database, you must have an administration computer in the same domain as the BAM databases.
The person administering BAM must be db_owner for the BAM Primary Import, Star Schema, and BAM Archive databases. That person must also be an OLAP administrator for the BAM Analysis database.
If you are deploying Microsoft Office Excel workbooks (.xls files), Excel must be installed on the administration computer. Before you deploy a workbook, open it and ensure that the macro security is set to high, and that there are no warnings.
If there is no business need to distribute to the users BAM Excel workbooks that connect to the real data, we recommend that you deploy the workbooks by using XML files. This eliminates the need to install Excel on the administration computer, and the need to verify the macro security level.
Important
When you remove a user's permissions on a view, you must also remember to eliminate any subscriptions to alerts that the user has set. For more information about removing subscribers from an alert, see How to Remove Subscribers from an Alert.
See Also
Minimum Security User Rights Security Recommendations for a BizTalk Server Deployment
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for