What Are the Required Database Accounts and Database Role Mappings?
For the latest version of Commerce Server 2007 Help, see the Microsoft Web site.
This topic summarizes the database accounts and database role mappings that you use to help secure a Commerce Server deployment. You use database accounts that correspond to Commerce Server service accounts as Logins for the SQL Server databases. This limits the service accounts to the access needed to perform their functions. When you configure Commerce Server or unpack a site, the SQL Server databases and roles are created.
Note
Several database names start with the name that you provided for your site; <site_name> is used in the following tables.
See the following topics for the database account and role mapping requirements for each of these areas:
Web Application Database Role Mappings
Direct Mailer Service Database Role Mappings
Commerce Server Staging System Database Role Mappings
Data Warehouse and Analytics System Database Role Mappings
Commerce Server Health Monitor Service Database Role Mappings
Web Application Database Role Mappings
The following table lists the accounts on the computers that are running SQL Server in the data tier that you must add to the specified roles. The database account names are identical to the account names that you create for the service identities.
Database account |
Database |
SQL Server 2000 roles |
SQL Server 2005 roles |
|---|---|---|---|
ASPNet |
MSCS_Admin |
db_datareader |
db_datareader |
CatalogWebSvc |
MSCS_Admin |
admin_reader_role |
admin_reader_role |
MSCS_CatalogScratch |
db_owner |
db_ddladmin, db_datareader, db_datawriter |
|
<site_name>_ProductCatalog |
db_owner |
ctlg_CatalogWriterRole, db_ddladmin, db_securityadmin, Inventory_ReaderRole, Inventory_WriterRole, db_datareader, db_datawriter |
|
MarketingWebSvc |
MSCS_Admin |
admin_reader_role |
admin_reader_role |
<site_name>_Marketing |
mktg_MarketingService_role, mktg_promoCodeGenerator_role |
mktg_MarketingService_role, mktg_promoCodeGenerator_role |
|
<site_name>_MarketingLists |
db_owner |
db_owner |
|
OrdersWebSvc |
MSCS_Admin |
admin_reader_role |
admin_reader_role |
MSCS_CatalogScratch |
db_owner |
db_datareader, db_datawriter, db_ddladmin |
|
<site_name>_Marketing |
mktg_runtime_role |
mktg_runtime_role |
|
<site_name>_ProductCatalog |
ctlg_catalogReaderRole, Inventory_ReaderRole |
ctlg_catalogReaderRole, Inventory_ReaderRole |
|
<site_name>_Profiles |
Profile_Reader, Profile_Schema_Reader |
Profile_Reader, Profile_Schema_Reader |
|
<site_name>_TransactionConfig |
Orders_Management |
Orders_Management |
|
<site_name>_Transactions |
Orders_Management, Orders_Runtime |
Orders_Management, Orders_Runtime |
|
ProfilesWebSvc |
MSCS_Admin |
admin_reader_role |
admin_reader_role |
<site_name>_Profiles |
Profile_Schema_Manager, Profile_Runtime |
Profile_Schema_Manager, Profile_Runtime |
|
RunTimeUser |
MSCS_Admin |
admin_reader_role |
admin_reader_role |
MSCS_CatalogScratch |
db_owner |
db_datareader, db_datawriter, db_ddladmin |
|
<site_name>_Marketing |
mktg_runtime_role |
mktg_runtime_role |
|
<site_name>_MarketingLists |
db_datareader |
db_datareader |
|
<site_name>_ProductCatalog |
ctlg_catalogReaderRole, Inventory_RuntimeRole |
ctlg_catalogReaderRole, Inventory_RuntimeRole |
|
<site_name>_Profiles |
Profile_Schema_Reader, Profile_Runtime |
Profile_Schema_Reader, Profile_Runtime |
|
<site_name>_TransactionConfig |
Orders_Runtime |
Orders_Runtime |
|
<site_name>_Transactions |
Orders_Runtime |
Orders_Runtime |
Direct Mailer Service Database Role Mappings
The following table lists the database role mappings that you must make for the Direct Mailer service account on the computer that is running SQL Server in the data tier. Create a SQL Login account for the Direct Mailer service account, CSDMSvc. The account name must match the name assigned in Active Directory. Assign the following role mappings to this account.
Database account |
Database |
SQL Server 2000 roles |
SQL Server 2005 roles |
|---|---|---|---|
CSDMSvc |
DirectMailer |
db_owner |
db_owner |
MSCS_Admin |
admin_reader_role |
admin_reader_role |
|
<site_name>_Marketing |
mktg_directmailer_role |
mktg_directmailer_role |
|
<site_name>_MarketingLists |
db_owner |
db_owner |
|
<site_name>_Profiles |
Profile_Schema_Reader, Profile_Reader |
Profile_Schema_Reader, Profile_Reader |
Commerce Server Staging System Database Role Mappings
The following table lists the roles required to use Commerce Server 2007 staging. Create a SQL Login account for the Commerce Server Staging (CSS) service account, CSStageSvc, and for the CSS user account, <data domain>/<Staging user>. The account name must match the name assigned in Active Directory. Assign the following role mappings to this account.
Database account |
Database |
SQL Server 2000 roles |
SQL Server 2005 roles |
|---|---|---|---|
CSStageSvc |
MSCS_Admin |
admin_reader_role |
admin_reader_role |
MSCS_CatalogScratch |
db_owner |
db_datareader, db_datawriter, db_ddladmin |
|
<site_name>_Marketing |
db_ddladmin, mktg_staging_role |
db_ddladmin, mktg_staging_role |
|
<site_name>_MarketingLists |
db_owner |
db_datareader |
|
<site_name>_ProductCatalog |
db_owner |
ctlg_CatalogWriterRole, db_datareader, db_datawriter, db_ddladmin, db_securityadmin, Inventory_ReaderRole, Inventory_WriterRole |
|
<site_name>_Profiles |
Profile_Schema_Manager |
Profile_Schema_Manager |
|
<site_name>_TransactionConfig |
Orders_Management |
Orders_Management |
|
<data domain>/<Staging user>. |
<SiteName>_ProductCatalog |
ctlg_CatalogReaderRole, Inventory_ReaderRole |
ctlg_CatalogReaderRole, Inventory_ReaderRole |
MSCS_Admin |
db_datareader |
db_datareader |
|
MSCS_CatalogScratch |
db_datareader, db_datawriter, db_ddladmin |
db_datareader, db_datawriter, db_ddladmin |
Additional role mappings are required when you add users to the system to stage specific projects. For more information, see What Database Access Permissions Must You Grant to CSS Authentication Accounts?
Data Warehouse and Analytics System Database Role Mappings
The following tables list the roles required to use the Commerce Server 2007 Data Warehouse.
Commerce Server Production Database Server
The following table lists the database role mappings that you must make for the Data Warehouse service account on the computer that is running SQL Server in the data tier. Create a SQL Login account for the DTS Import service account, DTSImport. The account name must match the name created when you unpack the Data Warehouse resource. Assign the following role mappings to this account.
Database account |
Database |
SQL Server 2000/2005 roles |
|---|---|---|
DTSImport |
ms_db |
db_datareader, db_dtsadmin, db_dtsltduser , db_dtsadmin, db_dtsoperator |
<sitename>_DataWarehouse |
db_datareader, db_datawriter, db_owner, db_ddladmin |
|
MSCS_Admin |
admin_reader_role |
|
<sitename>_DataWarehouse |
db_datareader |
|
<sitename>_marketing |
db_datareader |
|
<sitename>_marketing_lists |
db_datareader |
|
<sitename>_productcatalog |
db_datareader |
|
<sitename>_profiles |
db_datareader, Profile_Schema_Reader |
|
<sitename>_transactionconfig |
db_datareader |
|
<sitename>_transactions |
db_datareader |
|
MSCS_Admin |
admin_reader_role |
|
<sitename>_DataWarehouse |
db_datareader |
Data Warehouse and Analytics Server
The following table lists the database role mappings that you must make for the Data Warehouse service account on the computer that is running SQL Server for the Data Warehouse. Create a SQL Login account for the DTS Import service account, DTSImport. The account name must match the name created when you unpack the Data Warehouse resource. Assign the following role mappings to this account.
Database account |
Database |
SQL Server 2000/2005 roles |
|---|---|---|
DTSImport |
msdb |
db_datareader, db_dtsadmin, db_dtsltduser , db_dtsoperator |
<sitename>_DataWarehouse |
db_datareader, db_datawriter, db_owner, db_ddladmin |
For more information on creating the DTSImport database login account and granting access, see How to Grant Permissions for Data Import.
Commerce Server Health Monitoring Database Role Mapping
The following table lists the database role mapping that you must make for the Commerce Server Health Monitoring service account on the computer that is running SQL Server in the data tier. Create a SQL Login account for the Health Monitoring service account, CSHealthMonitorSvc. The account name must match the name created in Active Directory. Assign the following role mapping to this account.
Database account |
Database |
SQL Server 2000/2005 roles |
|---|---|---|
CSHealthMonitorSvc |
MSCS_Admin |
admin_reader_role |
See Also
Other Resources
How to Create the Database Accounts