Commerce Server Resource Security CmdLets

Management permissions are defined as read and write actions on a resource. These activities are similar to the authoring activities carried out on a Content Management server in Sitecore, instead of the read-only activities that are carried out on a Content Delivery server. You can grant user Management permissions to a user by using the following CmdLets:

To grant management permissions to all resources in a site for a user, such as the app pool of a Content Management server, run the following commands:

Grant-CSManagementPermissions –Name MySiteName –Identity $siteAppPoolUser

To grant management permissions to a specific resource, such as the application pools of the Commerce Server web services, use one of the following commands:

Grant-CSCatalogManagementPermissions –Name MySiteName –Identity $catalogWSAppPoolUser
Grant-CSProfilesManagementPermissions –Name MySiteName –Identity $profilesWSAppPoolUser
Grant-CSMarketingManagementPermissions –Name MySiteName –Identity $marketingWSAppPoolUser
Grant-CSOrdersManagementPermissions –Name MySiteName –Identity $ordersWSAppPoolUser

To revoke a user's database permissions for all site resources, use the following commands:

Revoke-CSOrdersManagementPermissions –Name MySiteName –Identity $ordersWSAppPoolUser

To revoke a user's database permissions for a specific resource, use the following commands:

Revoke-CSManagementPermissions –Name MySiteName –Identity $siteAppPoolUser
Revoke-CSCatalogManagementPermissions –Name MySiteName –Identity $catalogWSAppPoolUser
Revoke-CSProfilesManagementPermissions –Name MySiteName –Identity $profilesWSAppPoolUser
Revoke-CSMarketingManagementPermissions –Name MySiteName –Identity $marketingWSAppPoolUser

Depending on your environment, you may not be able to run CmdLets against an SQL Server, or you may want more granular control over what permissions are applied. You can use the following CmdLets to export the SQL scripts that are used to apply roles to a specific user, and then modify these scripts as necessary.

Export-CSManagementPermissions -Name MySiteName -Identity "Domain\User" -Folder "C:\Scripts\CSPermissions\"
Export-CSRuntimePermissions -Name MySiteName -Identity "Domain\User" -Folder "C:\Scripts\CSPermissions\"

Runtime permissions are defined as read-only actions on a resource, and are similar to delivery activities that are carried out on a Content Delivery server in Sitecore, unlike the read-only activities on a Content Management server. This mode still allows writing of new profile and orders data.

To grant Runtime permissions to all resources in a site for a user, such as the app pool of a Content Delivery server, run the following commands:

Grant-CSRuntimePermissions –Name MySiteName –Identity $siteAppPoolUser

To grant runtime permissions to a specific resource, such as the application pools of the Commerce Server web services in the Content Delivery environment, run one of the following commands:

Grant-CSCatalogRuntimePermissions –Name MySiteName –Identity $catalogWSAppPoolUser
Grant-CSProfilesRuntimePermissions –Name MySiteName –Identity $profilesWSAppPoolUser
Grant-CSMarketingRuntimePermissions –Name MySiteName –Identity $marketingWSAppPoolUser
Grant-CSOrdersRuntimePermissions –Name MySiteName –Identity $ordersWSAppPoolUser

To revoke a user's database permissions, use the following commands:

Revoke-CSRuntimePermissions –Name MySiteName –Identity $siteAppPoolUser

To revoke a user's database permissions for a specific resource, use the following commands:

Revoke-CSCatalogRuntimePermissions –Name MySiteName –Identity $catalogWSAppPoolUser
Revoke-CSProfilesRuntimePermissions –Name MySiteName –Identity $profilesWSAppPoolUser
Revoke-CSMarketingRuntimePermissions –Name MySiteName –Identity $marketingWSAppPoolUser
Revoke-CSOrdersRuntimePermissions –Name MySiteName –Identity $ordersWSAppPoolUser

Depending on your environment, you might not be allowed to run CmdLets against a SQL Server, or you may want more granular control over what permissions are applied. Use the following CmdLets to export the SQL scripts that are used to apply roles to a specific user. You can then modify these scripts as necessary.

Export-CSManagementPermissions -Name MySiteName -Identity "Domain\User" -Folder "C:\Scripts\CSPermissions\"
Export-CSRuntimePermissions -Name MySiteName -Identity "Domain\User" -Folder "C:\Scripts\CSPermissions\"

The Commerce Server web services use Windows Authorization Stores to manage who can perform what actions against a web service. Each web service has an authorization store XML file that stores the permissions. You manage the stores by using Windows Authorization Manager (AzMan.msc), but you can now add users using the following CmdLets:

Each CmdLet must be pointed to the appropriate authorization store XML file, and have the user/group and role to add the user to specified. You can discover the list of potential roles by opening the XML file in Windows Authorization Manager (AzMan.msc).

Grant-CSCatalogWebServicePermissions -File"c:\inetpub\wwwroot\CatalogWebService\CatalogAuthorizationStore.xml" -Identity "Domain\User" -Role "Administrator"
Grant-CSProfilesWebServicePermissions -File"c:\inetpub\wwwroot\CatalogWebService\CatalogAuthorizationStore.xml" -Identity "Domain\User" -Role "ProfilesAdministrator"
Grant-CSOrdersWebServicePermissions -File"c:\inetpub\wwwroot\CatalogWebService\CatalogAuthorizationStore.xml" -Identity "Domain\User" -Role "OrdersAdministrator"
Grant-CSMarketingWebServicePermissions -File"c:\inetpub\wwwroot\CatalogWebService\CatalogAuthorizationStore.xml" -Identity "Domain\User" -Role "MarketingAdministrator"

For more information about the CmdLets, you can run the following command:

Get-Help –detailed CmdLet-Name

Previously, PuP packages were the only way to setup Commerce Server web services in IIS, but now there are other options, both of which use Web Deploy packages.

The first option is to use the Web Deploy packages for each subsystem and deploy them using IIS, or the standard IIS CmdLets. Inside the Commerce Server installation folder is a new WebServices directory, C:\Program Files (x86)\Commerce Server 11\WebServices\, which contains a WebDeploy package for each subsystem.

The second option is to use the following Commerce Server CmdLet, which will choose the correct WebDeploy package based on the resource you chose, and deploy it into a new or existing virtual directory under an existing IIS site. This CmdLet will also automatically update the web.config of the service with the correct Commerce Server site name.

New-CSWebService -Name MySiteName -Resource Catalog -IISSite CSServices

There are additional optional properties that you can specify on this CmdLet. For more information, run this command:

Get-Help –detailed CmdLet-Name

Commerce Server Applications are typically web sites, web services, or other forms of web applications that use a Commerce Server Site. By registering with a Commerce Server site, this enables the Applications to be notified that data has changed in a resource and that it should drop the cache and reread the resource. Because Commerce Server now has a cache drop notification API, there is no need to register Applications. These CmdLets are required for backward compatibility, and are unneeded when developing a new site.

To get a list of all existing Applications, run the following command:

Get-CSSiteApplications

To add a new Application, run the following command:

Add-CSSiteApplication -Name "MySiteName" -Application "MySite_Application"

To remove an Application, run the following command:

Remove-CSSiteApplication -Name "MySiteName" -Application "MySite_Application"

Because an Application, such as a web site, could have instances on multiple servers, you can register these servers underneath the Application. To add a new server, run the following command:

Add-CSSiteApplicationServer -Name "MySiteName" -Application "MySite_Application" -WebServerMachine "MyServerName”

To remove a server, run the following command:

Remove-CSSiteApplicationServer -Name "MySiteName" -Application "MySite_Application" -WebServerMachine "MyServerName”

Applications, such as Site Resource and Global Resources, contain properties that you can get and set. To get a full list of the properties on an Application, run the following command:

Get-CSSiteApplicationProperties -Name "MySiteName" -Application "MySite_Application"

To get a specific property value, run this command:

Get-CSSiteApplicationProperty -Name "MySiteName" -Application "MySite_Application" –PropertyName “b_SyncLogFile”

To set a property value, run this command:

Set-CSSiteApplicationProperty -Name "MySiteName" -Application "MySite_Application" –PropertyName “b_SyncLogFile" -PropertyValue $false

There are additional optional properties that you can specify on these CmdLets. For more information, run this command:

Get-Help –detailed CmdLet-Name

A Global Resource is a resource that can be shared between sites. Previously, Commerce Server had a number of Global Resources, but Profiles is currently the only one you will work with. The CmdLets available for Global Resource are similar to ones for regular resources. The difference is that you cannot create a Global Resource directly, you can only do it by using the Add-CSProfilesResource to create a Profile resource.

To get a list of Global Resources, run the following command:

Get-CSGlobalResources

To remove a global resource, run the following command:

Remove-CSGlobalResource “Profiles(MyServer_MySiteName_profiles)”

By default the remove commands will not delete the associated database. You can delete it at the same time by adding the DeleteDatabases parameter:

Remove-CSGlobalResource -ResourceName “Profiles(MyServer_MySiteName_profiles)” -DeleteDatabases $true

All Global Resources contain a collection of properties that allow you to configure how the resource runs. You can manipulate these properties using the following CmdLets.

To get a list of all of the properties on a Global Resource, run the following command:

Get-CSGlobalResourceProperties -ResourceName “Profiles(MyServer_MySiteName_profiles)”

To get a specific property value, run the following command:

Get-CSGlobalResourceProperty -ResourceName “Profiles(MyServer_MySiteName_profiles)” -PropertyName “s_BizDataStoreConnectionString”

To can set a property value, run the following command:

Set-CSGlobalResourceProperty -ResourceName “Profiles(MyServer_MySiteName_profiles)” -PropertyName “s_BizDataStoreConnectionString” -PropertyValue “my_profiles_db_connection_string”

There are additional optional properties that you can specify on these CmdLets. For more information, run this command:

Get-Help –detailed CmdLet-Name

Database Creation and Authentication Mechanisms

By default, any of the CmdLets that create databases will use the connection string of the MSCS_Admin database as the template for what server to create the databases on and what authentication mechanism to use. For example, Windows Authentication or SQL Authentication. If the authentication mechanism is Windows Authentication, then the credentials of the user running the CmdLet will be used. If the authentication mechanism is SQL Authentication then the user name and password on the connection string will be used.

If Windows Authentication is being used, and the user running the CmdLet does not have permission to create databases on the target SQL Server, then you will need to run a new PowerShell instance as a user that does have permission to create databases on the target SQL Server and re-run the CmdLet(s).

If SQL Authentication is being used and the credentials on the MSCS_Admin database do not have permissions to create databases on the target SQL Server, then you can use the –SqlUserName and –SqlUserPassword parameters to specify a user that does have the appropriate permissions.

Azure SQL

If you are creating your databases against an Azure SQL Server, then you can use the following parameters to specify to that you get the correct size and edition of the database created.