What Are the Required Accounts and Groups?
For the latest version of Commerce Server 2007 Help, see the Microsoft Web site.
This topic summarizes the accounts and groups that you use to help secure a Commerce Server deployment. These accounts are required to run the various Commerce Server services, ASP.NET, and Web applications. Commerce Server creates some of these accounts when you configure a server. Other accounts require that you create them.
See the following sections for the account and group requirements for each of these areas:
Commerce Server Installer and Staging User Accounts
Commerce Server ASP.NET Account
Commerce Server Windows Service Accounts and User Groups
Commerce Server Web Application Accounts and User Groups
Commerce Server Adapter and BizTalk Server Accounts and User Groups
Data Warehouse and Analysis Service Accounts
Note the following:
Commerce Server 2007 supports only <NetBIOS domain name>\<user> name formats for service accounts and Windows groups.
We recommend that you use Active Directory domain groups and user accounts when you use multiple-computer configurations, including SQL Server. Domain groups include domain local groups, global groups, and universal groups, which are supported in both single-server and multiple-computer environments. You must manually create all the domain groups and accounts before you configure Commerce Server.
Note
Commerce Server supports domain local groups only if Commerce Server and SQL Server are both joined to the same domain, and the user who logs on and configures Commerce Server is a member of the domain where the domain local groups exist.
Commerce Server Installer and Staging User Accounts
The Commerce Server installer account, known as <CS Installer> in this deployment guide, must have the following rights to configure Commerce Server servers:
Administrator rights on the local computer.
SQL System Administrator rights on the computer that is running SQL Server.
Add the Commerce Server installer account to the Windows user groups indicated in the following table. This lets the installer access the Web services associated with these user groups.
Account name |
Description |
Windows user group |
|---|---|---|
<CS Installer> |
Account of person logged on to install and configure Commerce Server. |
Administrator, CatalogAdminGroup, MarketingAdminGroup, OrdersAdminGroup,ProfilesAdminGroup |
<data domain>\Staging user> |
Account of person who manages Commerce Server Staging. |
Not applicable |
Commerce Server ASP.NET Account
Registering ASP.NET version 2.0 as the default framework creates the ASPNET account.
.gif "Important note") Important Note: |
|---|
The ASPNET account only exists on IIS 5.1 or when running in compatibility mode on IIS 6. |
Account name |
Description |
|---|---|
ASPNET |
Account that Commerce Server uses to run the ASP.NET worker process (aspnet_wp.exe). |
Commerce Server Windows Service Accounts and User Groups
Each Commerce Server Windows service requires the definition of a Windows service account. The following table summarizes the default names that are used in this deployment guide.
Account name |
Description |
|---|---|
CSDMSvc |
Account for running the Commerce Server Direct Mailer service. |
CSHealthMonitorSvc |
Account for running the Commerce Server Health Monitoring service. |
CSStageSvc |
Account for running the Commerce Server Staging (CSS) service. |
These three accounts must be created manually. The Commerce Server Configuration Wizard configures Commerce Server to use these accounts specifically, but the Configuration Wizard does not create these accounts.
Commerce Server Web Application Accounts and User Groups
You use Service user accounts for the Commerce Server Web applications to perform these tasks:
To run Internet Information Services (IIS) application pools.
To help secure folders.
To establish anonymous access to the Web site.
To access the Commerce Server databases.
Commerce Server installs the Web applications when you unpack a Commerce Server site, such as the StarterSite, and select the Web services that you want to install. Each Commerce Server Web application requires definition of a Windows user account and a Windows user group.
The following table summarizes the default names that are used in this deployment guide. You create these items and make assignments before or after you install Commerce Server. You create these accounts and user groups on the data tier domain controller. In addition, you create the RunTimeUser account on the Data tier domain controller.
Account name |
Description |
|---|---|
RunTimeUser |
IIS account for Commerce Server. The identity Commerce Server uses to run the IIS worker process that forms the trusted subsystem. |
CatalogWebSvc |
Account for running the Catalog Web service. |
MarketingWebSvc |
Account for running the Marketing Web service. |
OrdersWebSvc |
Account for running the Orders Web service. |
ProfilesWebSvc |
Account for running the Profiles Web service. |
For each Web application, you create the associated administrative user groups and assign accounts as indicated in the following table. IIS automatically creates the IIS_WPG group.
Commerce Server Web application default name |
User account |
User group |
|---|---|---|
CatalogWebService |
CatalogWebSvc |
CatalogAdminGroup, IIS_WPG |
MarketingWebService |
MarketingWebSvc |
MarketingAdminGroup, IIS_WPG |
OrdersWebService |
OrdersWebSvc |
OrdersAdminGroup, IIS_WPG |
ProfilesWebService |
ProfilesWebSvc |
ProfilesAdminGroup, IIS_WPG |
<site_name> |
RunTimeUser |
Not applicable |
For each site that you unpack, we recommend that you create unique Web service account names and Windows user groups.
Commerce Server Adapter and BizTalk Server Accounts and User Groups
Installing BizTalk Server creates the BizTalkAdmin and BizTalkSvc accounts. You must create the RunTimeUser and CSLOB accounts before you install Commerce Server. After installation, you create SQL Server login accounts and associate the user accounts with Windows user groups.
Account name |
Description |
Windows user group |
|---|---|---|
BizTalkAdmin |
BizTalk Server Administrator identity |
Administrators, BizTalk Server Administrators, BizTalk Server Operators |
BizTalkSvc |
BizTalk Server service identity |
BizTalk Application Users, BizTalk Isolated Host Users, IIS_WPG , SQLServer2005NotificationServicesUser, SSO Administrators |
CSLOB |
Commerce Server adapters line-of-business service identity |
Not applicable |
Data Warehouse and Analysis Service Accounts
The Data Warehouse and Analytics system use the following service accounts. You create these accounts on the data tier domain controller.
Account name |
Description |
|---|---|
DTSImport |
Data Transformation Services (DTS) import service identity. |
ReportingSvc |
Reporting service identity. |
See Also
Other Resources
What Are the Secure Deployment Requirements?