What are the required groups and accounts to create?
This topic provides a summary of the user accounts and groups that you create. In a multi-computer deployment, Sitecore Commerce accounts and user groups must be created on the domain controller. In a single-server deployment, you can create these accounts and groups on the computer where Sitecore Commerce is installed. For the internal test and development environments, create the same accounts and groups that you create for the data domain in the production environment.
See the following sections for the account and group requirements for each of these areas:
Commerce Server User and Service Accounts
Commerce Server Groups and Account Assignments
Commerce Server Groups and Account Assignments
SQL Server Database Instances, Accounts, and Role User Mappings
Commerce Server User and Service Accounts:
The following table lists the accounts that you create or that are created when you install prerequisite software. You must create the <CS Installer>, <CS Staging User>, CSLOB, and RunTimeUser accounts before you install Commerce Server. Post-installation, you create SQL Server Login accounts and associate the user accounts together with Windows user groups.
Account name | Description | Windows user group | SQL Server login account |
|---|---|---|---|
<CS Installer> | Account of person logged on to install and configure Commerce Server. | Administrator, CatalogAdminGroup, MarketingAdminGroup, OrdersAdminGroup, ProfilesAdminGroup | not applicable |
<CS Staging User> | Account of person who manages Commerce Server Staging. | not applicable | <CS Staging User> |
CSLOB | Commerce Server Adapters identity. | not applicable | not applicable |
CSStageSvc | Commerce Server Staging (CSS) service identity. | CSS_SG, CSS Administrators, CSS Operators | CSStageSvc |
Commerce Server Groups and Account Assignments:
Commerce Server Administrator Groups
Create the four administrator groups summarized in the following table. These represent the minimum number of groups to define. You should create distinct user groups based on your business needs. You then assign these groups to authorization roles through the Authorization Manager. For more information, see Authorizing Users and Groups to Access Web Services.
User group | Description | Accounts to assign |
|---|---|---|
CatalogAdminGroup | Administrator group for the Catalog and Inventory Web services. | <CS Installer>, Business User Accounts |
MarketingAdminGroup | Administrator group for the Marketing Web services. | <CS Installer>, Business User Accounts |
OrdersAdminGroup | Administrator group for the Orders Web services. | <CS Installer>, Business User Accounts |
ProfilesAdminGroup | Administrator group for the Profiles Web services. | <CS Installer>, Business User Accounts |
Commerce Server Web Application Accounts:
You use Service user accounts for the Sitecore Commerce web applications to perform these tasks:
To run Internet Information Services (IIS) application pools.
To help secure folders.
To establish anonymous access to the Web site.
To access the Commerce Server databases.
Commerce Server creates the Web applications when you unpack a Commerce Server site, such as the SolutionStorefrontSite, and select the Web services that you want to install. Each Commerce Server Web application requires definition of a Windows user account and a Windows user group.
The following table summarizes the default names that are used in this deployment guide. You create these items and make assignments before or after you install Commerce Server. You create these accounts and user groups on the data tier domain controller. In addition, you create the RunTimeUser account on the Data tier domain controller.
Account name | Description |
|---|---|
RunTimeUser | The account to run the Sitecore site application pool. |
CatalogWebSvc | The account to run the Catalog web service application pool. |
MarketingWebSvc | The account to run the Marketing web service application pool. |
OrdersWebSvc | The account to run the Orders web service application pool. |
ProfilesWebSvc | The account to run the Profiles web service application pool[JV1] . |
For a production deployment, you will want to define more groups in order to take full advantage of the role assignment roles available. For descriptions about each predefined role, see the next section.
Commerce Server Web Services and Account and Application Pool Assignments:
Commerce Server installs the Web services when you unpack a site, and selects the Web services to install. Each Commerce Server Web service requires definition of a Windows user account, Windows user group, SQL Server login account, and application pool. The following table summarizes the default names Commerce Server and the installation guide use. You create the Windows user accounts before you unpack a site, and you create the SQL Server login accounts and application pools after you unpack the site.
Commerce Server Web service | Default name | Windows/SQL Login account | Windows user group | Application pool |
|---|---|---|---|---|
Catalog | CatalogWebService | CatalogWebSvc | CatalogAdminGroup, IIS_IUSRS | CatalogWebSvcAppPool |
Marketing | MarketingWebService | MarketingWebSvc | MarketingAdminGroup, IIS_IUSRS | MarketingWebSvcAppPool |
Orders | OrdersWebService | OrdersWebSvc | OrdersAdminGroup, IIS_IUSRS | OrdersWebSvcAppPool |
Profiles | ProfilesWebService | ProfilesWebSvc | ProfilesAdminGroup, IIS_IUSRS | ProfilesWebSvcAppPool |
WebSite | <site_name> | RuntimeUser | IIS_USRS | <site_name>AppPool |
For each site that you unpack, we recommend that you create unique Web service account names, SQL Server login account names, Windows user groups, and application pools. You can share application pools, but we do not recommend this action.
Users of the scope-level roles have access only to the profile type within the scope name. For example, members of the ProfileWriter_BusinessManager role in the UserObject scope have access to the UserObject profile definition only. You must add users to each scope-level role individually.
SQL Server Database Instances, Accounts, and Role User Mappings:
SQL Server Database Instances Created for Commerce Server
The following table summarizes the Commerce Server databases and default database names that Commerce Server and the installation guide use.
Commerce Server SQL database instance | Default database name | How the database is created |
|---|---|---|
CS Administration | MSCS_Admin | Created by the Commerce Server Configuration wizard. |
CS Catalog Scratch | MSCS_CatalogScratch | Created by unpacking the catalog site resource. |
Site Catalog | <site_name>_productcatalog | Created when you unpack the site resource. |
Site Marketing | <site_name>_marketing | Created when you unpack the site resource. |
Site Marketing List | <site_name>_marketing_lists | Created when you unpack the site resource. |
Site Profiles | <site_name>_profiles | Created when you unpack the site resource. |
Site Transaction Configuration | <site_name>_transactionconfig | Created when you unpack the site resource. |
Site Transactions | <site_name>_transactions | Created when you unpack the site resource. |