This topic provides a summary of the user accounts and groups that you create. In a multi-computer deployment, Sitecore Commerce accounts and user groups must be created on the domain controller. In a single-server deployment, you can create these accounts and groups on the computer where Sitecore Commerce is installed. For the internal test and development environments, create the same accounts and groups that you create for the data domain in the production environment.
See the following sections for the account and group requirements for each of these areas:
Commerce Server User and Service Accounts
The following table lists the accounts that you create or that are created when you install prerequisite software. You must create the <CS Installer>, <CS Staging User>, CSLOB, and RunTimeUser accounts before you install Commerce Server. Post-installation, you create SQL Server Login accounts and associate the user accounts together with Windows user groups.
Account name | Description | Windows user group | SQL Server login account |
---|---|---|---|
<CS Installer> | Account of person logged on to install and configure Commerce Server. | Administrator, CatalogAdminGroup, MarketingAdminGroup, OrdersAdminGroup, ProfilesAdminGroup | not applicable |
<CS Staging User> | Account of person who manages Commerce Server Staging. | not applicable | <CS Staging User> |
CSLOB | Commerce Server Adapters identity. | not applicable | not applicable |
CSStageSvc | Commerce Server Staging (CSS) service identity. | CSS_SG, CSS Administrators, CSS Operators | CSStageSvc |
Commerce Server Groups and Account Assignments
Commerce Server Administrator Groups
Create the four administrator groups summarized in the following table. These represent the minimum number of groups to define. You should create distinct user groups based on your business needs. You then assign these groups to authorization roles through the Authorization Manager. For more information, see Authorizing Users and Groups to Access Web Services.
User group | Description | Accounts to assign |
---|---|---|
CatalogAdminGroup | Administrator group for the Catalog and Inventory Web services. | <CS Installer>, Business User Accounts |
MarketingAdminGroup | Administrator group for the Marketing Web services. | <CS Installer>, Business User Accounts |
OrdersAdminGroup | Administrator group for the Orders Web services. | <CS Installer>, Business User Accounts |
ProfilesAdminGroup | Administrator group for the Profiles Web services. | <CS Installer>, Business User Accounts |
For a production deployment, define additional groups so that you can take full advantage of the predefined authorization roles. For a description of each predefined role, see Additional User Groups for Granular Security later in this topic.
Commerce Server Web Services and Account and Application Pool Assignments
When you unpack a site, Commerce Server installs the Web services that you select. Each Commerce Server Web service requires a Windows user account, a Windows user group, a SQL Server login account, and an application pool. The following table summarizes the default names that Commerce Server and the installation guide use. You create the Windows user accounts before you unpack a site, and you create the SQL Server login accounts and application pools after you unpack the site.
Commerce Server Web service | Default name | Windows/SQL Login account | Windows user group | Application pool |
---|---|---|---|---|
Catalog | CatalogWebService | CatalogWebSvc | CatalogAdminGroup, IIS_IUSRS | CatalogWebSvcAppPool |
Marketing | MarketingWebService | MarketingWebSvc | MarketingAdminGroup, IIS_IUSRS | MarketingWebSvcAppPool |
Orders | OrdersWebService | OrdersWebSvc | OrdersAdminGroup, IIS_IUSRS | OrdersWebSvcAppPool |
Profiles | ProfilesWebService | ProfilesWebSvc | ProfilesAdminGroup, IIS_IUSRS | ProfilesWebSvcAppPool |
For each site that you unpack, we recommend that you create unique Web service account names, SQL Server login account names, Windows user groups, and application pools. You can share application pools, but we do not recommend this action.
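The group, membership, and application pool assignments from the two tables above, scripted as an added PowerShell example; this is not part of the installation guide. It assumes the four Web service accounts already exist in the domain, that the ActiveDirectory and WebAdministration modules are available on the host where you run it, and it uses CONTOSO as a placeholder domain name. Add-LocalGroupMember exists on Windows Server 2016 and later; on older servers use net localgroup for that step.

```powershell
# Added example, not from the Commerce Server installation guide.
# Creates the four Web service administrator groups, adds the installer and
# service accounts, and creates one application pool per Web service that
# runs as its own service account. CONTOSO is a placeholder domain name.

$Domain = 'CONTOSO'   # placeholder; replace with your domain NetBIOS name

# One entry per Web service, taken from the Web services table above.
$WebServices = @(
    @{ Name = 'Catalog';   Account = 'CatalogWebSvc';   Group = 'CatalogAdminGroup';   Pool = 'CatalogWebSvcAppPool' },
    @{ Name = 'Marketing'; Account = 'MarketingWebSvc'; Group = 'MarketingAdminGroup'; Pool = 'MarketingWebSvcAppPool' },
    @{ Name = 'Orders';    Account = 'OrdersWebSvc';    Group = 'OrdersAdminGroup';    Pool = 'OrdersWebSvcAppPool' },
    @{ Name = 'Profiles';  Account = 'ProfilesWebSvc';  Group = 'ProfilesAdminGroup';  Pool = 'ProfilesWebSvcAppPool' }
)

Import-Module ActiveDirectory
Import-Module WebAdministration

foreach ($svc in $WebServices) {
    # 1. Administrator group in the domain (multi-computer deployment).
    if (-not (Get-ADGroup -Filter "Name -eq '$($svc.Group)'")) {
        New-ADGroup -Name $svc.Group -GroupScope Global -GroupCategory Security `
            -Description "Administrator group for the $($svc.Name) Web services"
    }
    # The installer account (the user running this script) and the Web service
    # identity are members, as in the Web services table.
    Add-ADGroupMember -Identity $svc.Group -Members $env:USERNAME, $svc.Account

    # 2. Local IIS_IUSRS membership on the Web server for the worker process identity.
    Add-LocalGroupMember -Group 'IIS_IUSRS' -Member "$Domain\$($svc.Account)" -ErrorAction SilentlyContinue

    # 3. One application pool per Web service, running as that service account only.
    if (-not (Test-Path "IIS:\AppPools\$($svc.Pool)")) {
        New-WebAppPool -Name $svc.Pool | Out-Null
    }
    $cred = Get-Credential -UserName "$Domain\$($svc.Account)" -Message "Password for $($svc.Account)"
    Set-ItemProperty "IIS:\AppPools\$($svc.Pool)" -Name processModel -Value @{
        identityType = 'SpecificUser'
        userName     = $cred.UserName
        password     = $cred.GetNetworkCredential().Password
    }
}

# Verify: every Web service pool runs as its own account, never a shared identity.
Get-ChildItem IIS:\AppPools | Where-Object { $_.Name -like '*WebSvcAppPool' } |
    Select-Object Name, @{ n = 'Identity'; e = { $_.processModel.userName } }
```

The final listing is the check worth keeping: if two pools report the same identity, that account holds the combined database roles of both Web services, which is the sharing the guide recommends against.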
Web Service Administrator Role Assignments
The following table lists the Web services and their corresponding authorization stores and administrator roles. You must assign each Web service account to its corresponding authorization role.
Authorization Store | Role | Account Assignments |
---|---|---|
CatalogAuthorizationStore.xml | Administrator | CatalogWebSvc, <CS Installer> |
MarketingAuthorizationStore.xml | MarketingAdministrator | MarketingWebSvc, <CS Installer> |
OrdersAuthorizationStore.xml | OrdersAdministrator | OrdersWebSvc, <CS Installer> |
ProfilesAuthorizationStore.xml | ProfileAdministrator | ProfilesWebSvc, <CS Installer> |
After you assign write permissions to the authorization stores, you assign users to the administrator role of each Web service; a user must belong to one of these roles to perform any operation in the Business Management applications. Adding <CS Installer> to each administrator role lets you open and use each Business Management application.
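A membership check for the administrator roles listed in the table above, as an added PowerShell example that is not from the installation guide. It opens each authorization store through the Authorization Manager COM API (AzRoles), the same API the Authorization Manager snap-in uses, and warns about any member of the administrator role that the table does not list. The store location under $StoreRoot and the CONTOSO domain are placeholders; adjust them to your site.

```powershell
# Added example, not from the Commerce Server installation guide.
# Reads each authorization store and reports administrator-role members
# beyond the Web service account and <CS Installer>. Paths and domain are placeholders.

$Domain    = 'CONTOSO'                        # placeholder
$StoreRoot = 'C:\inetpub\wwwroot\StarterSite' # placeholder; folder that holds the unpacked site
$Installer = "$Domain\$env:USERNAME"          # <CS Installer>, the account running the check

# Expected administrator-role membership, from the role assignment table above.
$Expected = @{
    'CatalogAuthorizationStore.xml'   = @{ Role = 'Administrator';          Members = @("$Domain\CatalogWebSvc",   $Installer) }
    'MarketingAuthorizationStore.xml' = @{ Role = 'MarketingAdministrator'; Members = @("$Domain\MarketingWebSvc", $Installer) }
    'OrdersAuthorizationStore.xml'    = @{ Role = 'OrdersAdministrator';    Members = @("$Domain\OrdersWebSvc",    $Installer) }
    'ProfilesAuthorizationStore.xml'  = @{ Role = 'ProfileAdministrator';   Members = @("$Domain\ProfilesWebSvc",  $Installer) }
}

foreach ($file in $Expected.Keys) {
    $storeFile = Get-ChildItem -Path $StoreRoot -Filter $file -Recurse | Select-Object -First 1
    if (-not $storeFile) { Write-Warning "Store $file not found under $StoreRoot"; continue }

    # Open the XML store read/write (flag 0 = open existing store).
    $store = New-Object -ComObject AzRoles.AzAuthorizationStore
    $store.Initialize(0, "msxml://$($storeFile.FullName)", $null)

    foreach ($app in $store.Applications) {
        foreach ($role in $app.Roles) {
            if ($role.Name -ne $Expected[$file].Role) { continue }
            $members = @($role.MembersName)          # account names currently in the role
            $extra   = $members | Where-Object { $Expected[$file].Members -notcontains $_ }
            if ($extra) {
                Write-Warning "$file / $($role.Name): members not in the table: $($extra -join ', ')"
            } else {
                "$file / $($role.Name): OK ($($members -join ', '))"
            }
        }
    }
}
```

Because membership in these roles grants full administrative access to the corresponding Web service, running this after each deployment catches accounts that were added by hand for troubleshooting and never removed.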
BizTalk Adapters Role Assignments
The following table lists the role assignments to which CSLOB, the BizTalk adapters identity, must be added.
Authorization Store | Role | Description |
---|---|---|
CatalogAuthorizationStore | CatalogAdministrator | Gives the catalog adapter permission to import catalog changes and export catalogs. |
MarketingAuthorizationStore | InventoryAdministrator | Gives the inventory adapter permission to import inventory catalog changes and export inventory catalogs. |
OrdersAuthorizationStore | OrdersAdapter | Enables the orders adapter to perform all basic functions, such as Update Purchase Order, Save Purchase Order, Accept Basket, Orders Query, and Orders Export. |
ProfilesAuthorizationStore | UserObject, ProfileWriter_Adapter | Enables the profiles adapter to update profile objects when it uses the following operations: Profile Delete, Profile Update, Profile Import, Profile Query, and Profile Export. |
Additional User Groups for Granular Security
The following sections summarize the various authorization roles that are predefined for the Commerce Server systems. For each authorization role of interest, create an associated user group on the domain controller. You can then add business user accounts to the user group.
For each user group you create, you must assign the groups to authorization roles through the Authorization Manager. For more information, see Authorizing Users and Groups to Access Web Services.
Catalog and Inventory Systems
The following table describes the predefined authorization roles for the Catalog System and the Inventory System.
Role | Description |
---|---|
CatalogAdministrator | Members can manage the Catalog System. |
CatalogViewer | Members have read access to the Catalog System. |
CatalogManager | Members can manage all the catalogs in the Catalog System. |
SchemaManager | Members can manage the catalog and inventory schema, including property, category, and product definitions. |
CatalogSetsAdministrator | Members can manage all the catalog sets. |
CatalogSetsViewer | Members can view all the catalog sets in the Catalog System. |
InventoryAdministrator | Members can manage the Inventory System. |
InventoryViewer | Members can view all the catalogs in the Inventory System. |
InventorySynchronizationManager | Members can synchronize the run-time Inventory System with the management system. |
Administrator | Members can manage the Catalog System and the Inventory System. |
Marketing System
The following table describes the predefined authorization roles for the Marketing System.
Role | Description |
---|---|
MarketingAdministrator | Members have full access to every operation in the Marketing System. |
MarketingApprover | Members can approve or reject marketing items, such as campaigns, discounts, and expressions. |
MarketingAuthor | Members can create marketing-related items, including customers, campaigns, discounts, and expressions. |
MarketingViewer | Members can view and search marketing items, including campaign event logs. |
GlobalExpressionAuthor | Members can create, edit, and delete global expressions across multiple discounts. |
RuntimeSiteManager | Members can refresh the Discounts and Advertisements caches of the run-time site. |
Orders System
The following table describes the predefined authorization roles for the Orders System.
Role | Description |
---|---|
OrdersAdministrator | Members can manage data integrity and cleanup issues. |
OrdersConfigurationEditor | Members can manage orders configuration data for the site. |
OrdersViewer | Members have read access to view orders. |
OrdersAdapter | Members can search orders for order processing and updates. |
Profiles System
The following table describes the predefined authorization roles for the Profiles System.
Role | Description |
---|---|
ProfileAdministrator | Members have complete access to the Profiles System. |
ProfileWriter_BusinessManager | Members of this scope-level role have access to the profile definition within the scope. There are six profile definitions: UserObject, Address, Organization, BlanketPO, CreditCard, and Currency. |
ProfileWriter_CSR | Members of this scope-level role have access to the profile definition within the scope. |
ProfileWriter_Adapter | Members of this scope-level role have access to the profile definition within the scope. |
Users of the scope-level roles have access only to the profile type within the scope name. For example, members of the ProfileWriter_BusinessManager role in the UserObject scope have access to the UserObject profile definition only. You must add users to each scope-level role individually.
SQL Server Database Instances, Accounts, and Role User Mappings
SQL Server Database Instances Created for Commerce Server
The following table summarizes the Commerce Server databases and default database names that Commerce Server and the installation guide use.
Commerce Server SQL database instance | Default database name | How the database is created |
---|---|---|
CS Administration | MSCS_Admin | Created by the Commerce Server Configuration wizard. |
CS Catalog Scratch | MSCS_CatalogScratch | Created by unpacking the catalog site resource. |
Site Catalog | <site_name>_productcatalog | Created when you unpack the site resource. |
Site Marketing | <site_name>_marketing | Created when you unpack the site resource. |
Site Marketing List | <site_name>_marketing_lists | Created when you unpack the site resource. |
Site Profiles | <site_name>_profiles | Created when you unpack the site resource. |
Site Transaction Configuration | <site_name>_transactionconfig | Created when you unpack the site resource. |
Site Transactions | <site_name>_transactions | Created when you unpack the site resource. |
SQL Database Account, Database, and Database Role User Mapping
The following table lists the accounts on the computers that are running SQL Server that you must add to the specified roles. By default, the database names start with StarterSite. However, you might have specified different database names when you unpacked your site.
Database Account | Database | Roles |
---|---|---|
CatalogWebSvc | MSCS_Admin | admin_reader_role, admin_cache_poller_role |
CatalogWebSvc | MSCS_CatalogScratch | db_datareader, db_datawriter, db_ddladmin |
CatalogWebSvc | StarterSite_ProductCatalog | ctlg_CatalogWriterRole, db_datareader, db_datawriter, db_ddladmin, db_securityadmin, Inventory_ReaderRole, Inventory_WriterRole |
MarketingWebSvc | MSCS_Admin | admin_reader_role, admin_cache_poller_role |
MarketingWebSvc | StarterSite_Marketing | mktg_MarketingService_role, mktg_promoCodeGenerator_role |
MarketingWebSvc | StarterSite_MarketingLists | db_owner |
MarketingWebSvc | StarterSite_ProductCatalog | ctlg_catalogReaderRole |
MarketingWebSvc | StarterSite_Profiles | Profile_Reader, Profile_Schema_Reader, ctlg_catalogReaderRole |
OrdersWebSvc | MSCS_Admin | admin_reader_role, admin_cache_poller_role |
OrdersWebSvc | MSCS_CatalogScratch | db_datareader, db_datawriter, db_ddladmin |
OrdersWebSvc | StarterSite_Marketing | mktg_runtime_role |
OrdersWebSvc | StarterSite_ProductCatalog | ctlg_catalogReaderRole, Inventory_ReaderRole |
OrdersWebSvc | StarterSite_Profiles | Profile_Reader, Profile_Schema_Reader |
OrdersWebSvc | StarterSite_TransactionConfig | Orders_Management |
OrdersWebSvc | StarterSite_Transactions | Orders_Management, Orders_Runtime |
ProfilesWebSvc | MSCS_Admin | admin_reader_role, admin_cache_poller_role |
ProfilesWebSvc | StarterSite_Profiles | Profile_Schema_Manager, Profile_Runtime, ctlg_CatalogWriterRole |
RunTimeUser | MSCS_Admin | admin_reader_role, admin_cache_poller_role |
RunTimeUser | MSCS_CatalogScratch | db_datareader, db_datawriter, db_ddladmin |
RunTimeUser | StarterSite_Marketing | mktg_runtime_role |
RunTimeUser | StarterSite_MarketingLists | db_datareader |
RunTimeUser | StarterSite_ProductCatalog | ctlg_catalogReaderRole, ctlg_CatalogWriterRole, Inventory_RuntimeRole, db_ddladmin, db_securityadmin, Inventory_ReaderRole, Inventory_WriterRole, db_datareader, db_datawriter |
RunTimeUser | StarterSite_Profiles | Profile_Schema_Reader, Profile_Runtime |
RunTimeUser | StarterSite_TransactionConfig | Orders_Runtime |
RunTimeUser | StarterSite_Transactions | Orders_Runtime |
CSStageSvc | MSCS_Admin | admin_reader_role |
CSStageSvc | MSCS_CatalogScratch | db_datareader, db_datawriter, db_ddladmin |
CSStageSvc | StarterSite_Marketing | db_ddladmin, mktg_staging_role |
CSStageSvc | StarterSite_MarketingLists | db_datareader |
CSStageSvc | StarterSite_ProductCatalog | ctlg_CatalogWriterRole, db_datareader, db_datawriter, db_ddladmin, db_securityadmin, Inventory_ReaderRole, Inventory_WriterRole |
CSStageSvc | StarterSite_Profiles | Profile_Schema_Manager |
CSStageSvc | StarterSite_TransactionConfig | Orders_Management |
<CS Staging User> | MSCS_Admin | db_datareader |
<CS Staging User> | MSCS_CatalogScratch | db_datareader, db_datawriter, db_ddladmin |
<CS Staging User> | StarterSite_ProductCatalog | ctlg_CatalogWriterRole, Inventory_ReaderRole |
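The login, user, and role mapping procedure from the table above, as an added PowerShell example that is not part of the installation guide. It assumes the default StarterSite database names, the SqlServer module (Invoke-Sqlcmd), a SQL Server instance named in $Server (placeholder), and Windows accounts that already exist in the CONTOSO domain (placeholder). Only CatalogWebSvc and OrdersWebSvc are listed in $Mappings; fill in the remaining accounts from the table. By default the script only prints the T-SQL it would run; Set-CommerceDbRoles -Apply executes it, and Test-CommerceDbRoles reports any role an account holds that the table does not list.

```powershell
# Added example, not from the Commerce Server installation guide.
# Creates the Windows login, a user in each database, and exactly the role
# memberships from the mapping table; then audits for roles beyond the table.

$Server = 'SQLHOST\COMMERCE'   # placeholder instance name
$Domain = 'CONTOSO'            # placeholder domain

# Account -> (database -> roles), copied from the table for two accounts.
$Mappings = @{
    'CatalogWebSvc' = @{
        'MSCS_Admin'                 = 'admin_reader_role', 'admin_cache_poller_role'
        'MSCS_CatalogScratch'        = 'db_datareader', 'db_datawriter', 'db_ddladmin'
        'StarterSite_ProductCatalog' = 'ctlg_CatalogWriterRole', 'db_datareader', 'db_datawriter', 'db_ddladmin', 'db_securityadmin', 'Inventory_ReaderRole', 'Inventory_WriterRole'
    }
    'OrdersWebSvc' = @{
        'MSCS_Admin'                    = 'admin_reader_role', 'admin_cache_poller_role'
        'MSCS_CatalogScratch'           = 'db_datareader', 'db_datawriter', 'db_ddladmin'
        'StarterSite_Marketing'         = 'mktg_runtime_role'
        'StarterSite_ProductCatalog'    = 'ctlg_catalogReaderRole', 'Inventory_ReaderRole'
        'StarterSite_Profiles'          = 'Profile_Reader', 'Profile_Schema_Reader'
        'StarterSite_TransactionConfig' = 'Orders_Management'
        'StarterSite_Transactions'      = 'Orders_Management', 'Orders_Runtime'
    }
}

Import-Module SqlServer

function Set-CommerceDbRoles {
    param([string]$Account, [hashtable]$DbRoles, [switch]$Apply)
    $login = "$Domain\$Account"

    # The Windows login is instance-wide, so create it once in master.
    $sql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$login')
    CREATE LOGIN [$login] FROM WINDOWS;
"@
    if ($Apply) { Invoke-Sqlcmd -ServerInstance $Server -Database master -Query $sql } else { $sql }

    foreach ($db in $DbRoles.Keys) {
        # Database user plus only the roles the table lists for this database.
        $stmts = @"
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$login')
    CREATE USER [$login] FOR LOGIN [$login];
"@
        foreach ($role in $DbRoles[$db]) {
            # sp_addrolemember works on every SQL Server version Commerce Server supports.
            $stmts += "`nEXEC sp_addrolemember N'$role', N'$login';"
        }
        if ($Apply) { Invoke-Sqlcmd -ServerInstance $Server -Database $db -Query $stmts }
        else        { "USE [$db];`n$stmts" }
    }
}

function Test-CommerceDbRoles {
    # Reports database roles the account holds that the mapping table does not list.
    param([string]$Account, [hashtable]$DbRoles)
    $login = "$Domain\$Account"
    foreach ($db in $DbRoles.Keys) {
        $query = @"
SELECT r.name AS role_name
FROM sys.database_role_members rm
JOIN sys.database_principals r ON rm.role_principal_id = r.principal_id
JOIN sys.database_principals m ON rm.member_principal_id = m.principal_id
WHERE m.name = N'$login';
"@
        $actual = (Invoke-Sqlcmd -ServerInstance $Server -Database $db -Query $query).role_name
        $extra  = @($actual) | Where-Object { $DbRoles[$db] -notcontains $_ }
        if ($extra) { Write-Warning "$login in ${db}: roles beyond the table: $($extra -join ', ')" }
        else        { "$login in ${db}: OK" }
    }
}

foreach ($account in $Mappings.Keys) {
    Set-CommerceDbRoles -Account $account -DbRoles $Mappings[$account]          # print the script
    # Set-CommerceDbRoles -Account $account -DbRoles $Mappings[$account] -Apply  # execute it
    # Test-CommerceDbRoles -Account $account -DbRoles $Mappings[$account]        # audit afterwards
}
```

The audit matters most for the service accounts: db_owner appears in the table only for MarketingWebSvc on the marketing lists database, so a service account that turns up as db_owner anywhere else was granted more than the guide calls for.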