
Scenarios

  • Updated on 01 May 2018

In this article, we show some of the common BizTalk Server security use cases that enterprises face and how BizTalk360 helps to solve them.

Giving Read-Only access to users in BizTalk360

Many enterprises face the challenge of giving outsourced partners in other parts of the globe access to their BizTalk Server environment. The simplest way (in current practice) to achieve this is to share the Remote Desktop Protocol (RDP) details of the BizTalk server(s) and let the partners use the BizTalk Server Administration Console. The problem with this approach is that the BizTalk Server Administration Console works on an "All-or-Nothing" basis. Once users have access to the administration console, they can do almost anything in the environment, such as starting/stopping host instances or terminating service instances, which could have serious consequences for the organization.

Let's consider a scenario: ACME has a BizTalk Server environment in the United Kingdom and wants its partner's first-level support people in India to have access to that environment. Bob is the Super User (administrator); he looks after all the configured BizTalk environments in the company. The business requirement is to give read-only access to the environment to one of the partner's users (Scott), who is in India. This means Scott will only be able to view the information in the environment and will not have permission to make any changes to the configuration.

To achieve this, Bob's first task is to create a User account for Scott in BizTalk360. Bob must:

  • Click the 'New' button in the User Access Policy screen under Settings
  • User/Group Name – Enter the username as 'Scott'
  • Domain Name – Enter the domain name. If setting up the user on a local machine that is not a part of the domain, enter the machine name as the domain name.
  • Is Super User – This option should not be turned on since Scott is a normal user and requires restricted access to the application
  • Environments – Select the environment for which Scott needs to have access
  • Click 'Next' to set up the applications that Scott can access in the environment (if required)
  • Select the applications that Scott will have access to in the environment
  • Click 'Next' to set up the permissions
  • In this section, Bob (Super User) can select all the check boxes except the ones under the Can Action section. By doing this, Bob restricts Scott to viewing the information in the application (read-only access); Scott cannot make any changes to the configuration information
  • Click 'OK' in the Add Permissions screen to create Scott's information into the system
  • The Predefined User Access Profiles section lists the default access permissions for different support levels. Users can also create custom profiles to Operate, Access and/or View.

Once Scott's information is available in the system, ACME Corporation can share the URL (to access BizTalk360) with their partner company along with Scott's user credentials. When Scott accesses BizTalk360, he will see all the information in the environment he has access to, but will not be able to modify any of it.

Restricting Users to only selected BizTalk Applications

A typical BizTalk environment can have many applications belonging to different business units or departments within the organization. With the BizTalk Server Administration Console, it is not possible to segregate the applications for a specific set of users (say, "user 1 should only be able to access application 1, and user 2 should be able to access application 2 and application 3", and so on). With the administration console, it is basically "All-or-Nothing": once a user gets access to the console, he has access to all the applications in the environment. If a user makes a change to any application by mistake, this could lead to catastrophes in the business operations. Let's say Scott is the support person in ACME who is responsible for monitoring the applications BizTalk EDI Application and BTS2013002_CustomerOrderRouting. He must be able to access only these applications, and it is the responsibility of Bob, the Super User (administrator), to set up the access rights for Scott. To do this, Bob must:

  • Fill the basic details in the 'Add New User' screen and click Next
  • Select the applications BizTalk EDI Application and BTS2013002_CustomerOrderRouting that Scott will have access to in the environment
  • Click 'Next' to set up the permissions
  • In this section, Bob needs to select the check box against Applications under the Can Action section. By doing this, Scott will only have access to the two selected applications and can perform operations on them, such as starting/stopping the artifacts
  • Click 'OK' in the Add Permissions screen to create Scott's information in the system
  • The Predefined User Access Profiles section lists the default access permissions for different support levels. Users can also create custom profiles to Operate, Access and/or View.


Once Scott's information is available in the system, when he logs in to BizTalk360 he will only see the selected applications and will be able to perform operations on them. He will not be able to see the rest of the applications in the environment.

Restricting users from viewing/downloading Message Context & Content

BizTalk360 offers the same capabilities as the BizTalk Server Administration Console for querying the message box to list suspended and running service instances. In addition, BizTalk360 allows users to download the message content and context (in zip format) and email it to their team members to diagnose specific issues.

Let's say Scott, the support person at ACME, has access to the Message Box (Queries) and Graphical Flow (Tracking) sections in BizTalk360. The business requirement is that Scott should only be responsible for monitoring the status of service instances and messages that pass through BizTalk Server, and should not be able to view/download the context and content of the messages, since they contain confidential information. It is the duty of Bob, the Super User (administrator), to set up the access restrictions for Scott's user profile.

To set up the access restriction, Bob must first set up the application-level restriction for Scott before he can restrict access to message context/content information. If Scott only requires access to a few applications in the environment, say BizTalk EDI Application and BTS2013002_CustomerOrderRouting, Bob must select those applications first and then set up the restriction on the message context/content information. To do this, Bob must:

  • Fill the basic details in the 'Add New User' screen and click Next
  • Select the applications BizTalk EDI Application and BTS2013002_CustomerOrderRouting that Scott will have access to in the environment
  • Click 'Next' to set up the permissions
  • In this section, Bob needs to select the check boxes against Message Box (Queries) and Graphical Flow (Tracking) under the Data Access section, but must not select the check box against Messages Content/Context. By doing this, Scott will only have access to the two selected applications and can only view the status of the messages in the Message Box (Queries) and Graphical Flow (Tracking) sections; he cannot view the message content/context information.
  • Click 'OK' in the Add Permissions screen to create Scott's information into the system
  • The Predefined User Access Profiles section lists the default access permissions for different support levels. Users can also create custom profiles to Operate, Access and/or View.

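The three scenarios above share one access model: an environment scope, an optional application scope, and per-section check boxes (Can Action, Data Access) that are evaluated in that order. The following Python model is an added illustration of that model and is not BizTalk360's code; the section and check box names follow the page, while the policy data structure, the operation-to-check-box mapping, the environment name "UK-PROD" and the application "Payroll" are constructed for the example.

```python
"""Toy evaluator for the BizTalk360 user-access-policy scenarios described above.

Added illustration, not BizTalk360's implementation. Section names
("Can Action", "Data Access") and check box names follow the page;
the data structure and the OPERATION_GRANTS mapping are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class UserAccessPolicy:
    user: str
    is_super_user: bool = False
    environments: set = field(default_factory=set)
    # Applications the user may see; an empty set means every application
    # in the environment (no application-level restriction was configured).
    applications: set = field(default_factory=set)
    # Ticked check boxes, keyed by section, e.g.
    # {"Can Action": {"Applications"}, "Data Access": {"Message Box (Queries)"}}
    permissions: dict = field(default_factory=dict)


# Which section/check box grants each operation. None means the operation
# is allowed for any application within the user's scope (plain viewing).
# Constructed mapping modelled on the sections named on the page.
OPERATION_GRANTS = {
    "view_application": None,
    "start_stop_artifact": ("Can Action", "Applications"),
    "query_message_box": ("Data Access", "Message Box (Queries)"),
    "view_graphical_flow": ("Data Access", "Graphical Flow (Tracking)"),
    "download_message_content": ("Data Access", "Messages Content/Context"),
}


def is_allowed(policy, environment, application, operation):
    """Return True when `policy` grants `operation` on `application` in `environment`.

    Checks run in the same order as the set-up steps: environment scope,
    application scope, then the specific check box. Unknown operations are
    denied by default. A super user bypasses all three checks.
    """
    if policy.is_super_user:
        return True
    if environment not in policy.environments:
        return False
    if policy.applications and application not in policy.applications:
        return False
    if operation not in OPERATION_GRANTS:
        return False
    grant = OPERATION_GRANTS[operation]
    if grant is None:
        return True
    section, checkbox = grant
    return checkbox in policy.permissions.get(section, set())


def visible_applications(policy, environment, all_applications):
    """Applications the user sees after logging in (scenario 2)."""
    if policy.is_super_user:
        return set(all_applications)
    if environment not in policy.environments:
        return set()
    if not policy.applications:
        return set(all_applications)
    return set(all_applications) & policy.applications


# Scenario 1: read-only Scott, every check box ticked except those under Can Action.
READ_ONLY_SCOTT = UserAccessPolicy(
    user="Scott", environments={"UK-PROD"},
    permissions={"Data Access": {"Message Box (Queries)", "Graphical Flow (Tracking)",
                                 "Messages Content/Context"}},
)

# Scenario 2: Scott limited to two applications, allowed to operate them.
APP_SCOPED_SCOTT = UserAccessPolicy(
    user="Scott", environments={"UK-PROD"},
    applications={"BizTalk EDI Application", "BTS2013002_CustomerOrderRouting"},
    permissions={"Can Action": {"Applications"}},
)

# Scenario 3: same two applications, queries and tracking visible, content/context withheld.
NO_CONTENT_SCOTT = UserAccessPolicy(
    user="Scott", environments={"UK-PROD"},
    applications={"BizTalk EDI Application", "BTS2013002_CustomerOrderRouting"},
    permissions={"Data Access": {"Message Box (Queries)", "Graphical Flow (Tracking)"}},
)

BOB = UserAccessPolicy(user="Bob", is_super_user=True)

if __name__ == "__main__":
    app = "BizTalk EDI Application"
    for label, policy in (("read-only", READ_ONLY_SCOTT), ("app-scoped", APP_SCOPED_SCOTT),
                          ("no-content", NO_CONTENT_SCOTT), ("super user", BOB)):
        decisions = {op: is_allowed(policy, "UK-PROD", app, op) for op in OPERATION_GRANTS}
        print(f"{label:>10}: {decisions}")
```

The point the model makes explicit is the separation the Administration Console lacks: visibility (application scope), the right to act (Can Action) and the right to see payloads (Messages Content/Context) are independent decisions, so the same user account can be granted one without the others.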