What are the required accounts and groups to create?
This topic provides a summary of the user accounts and groups that you create. In a multi-server deployment, Sitecore Commerce accounts and user groups must be created on the domain controller. In a single-server deployment, you can create these accounts and groups on the computer where Sitecore Commerce is installed. For the internal test and development environments, create the same accounts and groups that you create for the data domain in the production environment.
See the following sections for the account and group requirements for each of these areas:
Commerce Server User and Service Accounts
Commerce Server Groups and Account Assignments
Additional User Groups for Granular Security
SQL Server Database Instances, Accounts, and Role User Mappings
Commerce Server User and Service Accounts:
The following table lists the accounts that are created or that you create when you install the prerequisite software. You must create the <CS Installer>, <CS Staging User>, CSLOB, and RunTimeUser accounts before you install Commerce Server. After installation, you will create SQL Server Login accounts, and associate the user accounts with Windows user groups.
Account name | Description | Windows user group | SQL Server login account |
---|---|---|---|
<CS Installer> | Account of person logged on to install and configure Commerce Server. | Administrator, CatalogAdminGroup, MarketingAdminGroup, OrdersAdminGroup, ProfilesAdminGroup | not applicable |
<CS Staging User> | Account of person who manages Commerce Server Staging. | not applicable | <CS Staging User> |
CSLOB | Commerce Server Adapters identity. | not applicable | not applicable |
CSStageSvc | Commerce Server Staging (CSS) service identity. | CSS_SG, CSS Administrators, CSS Operators | CSStageSvc |
Commerce Server Groups and Account Assignments:
Commerce Server Administrator Groups
Create the four administrator groups that are listed in the following table. This is the minimum set of groups to define. Create separate user groups based on your business needs, and then assign those groups to authorization roles through the Authorization Manager. For more information, see Authorizing Users and Groups to Access Web Services.
User group | Description | Accounts to assign |
---|---|---|
CatalogAdminGroup | Administrator group for the Catalog and Inventory Web services. | <CS Installer>, Business User Accounts |
MarketingAdminGroup | Administrator group for the Marketing Web services. | <CS Installer>, Business User Accounts |
OrdersAdminGroup | Administrator group for the Orders Web services. | <CS Installer>, Business User Accounts |
ProfilesAdminGroup | Administrator group for the Profiles Web services. | <CS Installer>, Business User Accounts |
Commerce Server Web Application Accounts:
Use the Service user accounts for the Sitecore Commerce web applications to perform the following tasks:
To run Internet Information Services (IIS) application pools.
To help secure folders.
To establish anonymous access to the Web site.
To access the Commerce Server databases.
Commerce Server creates the Web applications when you unpack a Commerce Server site, such as the SolutionStorefrontSite, and select the Web services that you want to install. Each Commerce Server Web application requires the definition of a Windows user account and a Windows user group.
Create the following accounts and user groups on the data tier domain controller, and make assignments before or after you install Commerce Server. Also create the RunTimeUser account on the Data tier domain controller. The following table lists the default names that are used in this deployment guide:
Account name | Description |
---|---|
RunTimeUser | The account to run the Sitecore site application pool. |
CatalogWebSvc | The account to run the Catalog web service application pool. |
MarketingWebSvc | The account to run the Marketing web service application pool. |
OrdersWebSvc | The account to run the Orders web service application pool. |
ProfilesWebSvc | The account to run the Profiles web service application pool. |
For a production deployment, you will want to define more groups so that you can take full advantage of the roles available for assignment. For descriptions of each predefined role, see the following section.
Commerce Server Web Services and Account and Application Pool Assignments:
When you unpack a site, Commerce Server selects and installs the Web services. Each Commerce Server Web service requires the definition of a Windows user account, Windows user group, SQL Server login account, and an application pool. Create the Windows user accounts before you unpack a site, and create the SQL Server login accounts and application pools after you unpack the site. The following table lists the default names that are used by Commerce Server and in this deployment guide:
Commerce Server Web service | Default name | Windows/SQL Login account | Windows user group | Application pool |
---|---|---|---|---|
Catalog | CatalogWebService | CatalogWebSvc | CatalogAdminGroup, IIS_IUSRS | CatalogWebSvcAppPool |
Marketing | MarketingWebService | MarketingWebSvc | MarketingAdminGroup, IIS_IUSRS | MarketingWebSvcAppPool |
Orders | OrdersWebService | OrdersWebSvc | OrdersAdminGroup, IIS_IUSRS | OrdersWebSvcAppPool |
Profiles | ProfilesWebService | ProfilesWebSvc | ProfilesAdminGroup, IIS_IUSRS | ProfilesWebSvcAppPool |
WebSite | <site_name> | RunTimeUser | IIS_IUSRS | <site_name>AppPool |
It is recommended that you create unique Web service account names, SQL Server login account names, Windows user groups, and application pools for each site you unpack. You can share application pools, but it is not recommended.
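To check the Windows group assignments listed in the table above once setup is complete, the following added example (not part of the original guide or of Sitecore's tooling) reports, for each default web service account, which expected local groups are missing and which additional groups the account belongs to. It assumes a single-server deployment with local accounts and the default names; `Get-GroupDrift` is a hypothetical helper name.

```powershell
# Added example, not Sitecore's code. Assumes a single-server deployment with
# local accounts and the default names from the table above. Run elevated.

# Account -> local groups it should belong to (defaults from the table).
$expected = @{
    'CatalogWebSvc'   = @('CatalogAdminGroup',   'IIS_IUSRS')
    'MarketingWebSvc' = @('MarketingAdminGroup', 'IIS_IUSRS')
    'OrdersWebSvc'    = @('OrdersAdminGroup',    'IIS_IUSRS')
    'ProfilesWebSvc'  = @('ProfilesAdminGroup',  'IIS_IUSRS')
    'RunTimeUser'     = @('IIS_IUSRS')
}

function Get-GroupDrift {
    param([hashtable]$Expected)

    # Start every account with an empty list so absent accounts still report.
    $actual = @{}
    foreach ($name in $Expected.Keys) { $actual[$name] = @() }

    # Walk each local group once and record memberships of the tracked accounts.
    foreach ($group in Get-LocalGroup) {
        # SilentlyContinue: groups holding orphaned SIDs can make this cmdlet fail.
        $members = Get-LocalGroupMember -Group $group.Name -ErrorAction SilentlyContinue
        foreach ($member in $members) {
            $short = ($member.Name -split '\\')[-1]   # strip the COMPUTER\ prefix
            if ($member.ObjectClass -eq 'User' -and $actual.ContainsKey($short)) {
                $actual[$short] += $group.Name
            }
        }
    }

    # Compare expected and actual membership per account.
    foreach ($name in $Expected.Keys) {
        $want = $Expected[$name]
        $have = $actual[$name]
        [pscustomobject]@{
            Account    = $name
            Exists     = [bool](Get-LocalUser -Name $name -ErrorAction SilentlyContinue)
            Missing    = @($want | Where-Object { $_ -notin $have }) -join ', '
            Unexpected = @($have | Where-Object { $_ -notin $want }) -join ', '
        }
    }
}

Get-GroupDrift -Expected $expected | Format-Table -AutoSize
```

Any entry in the Unexpected column, such as Administrators, is membership beyond what the table specifies and should be reviewed before the site goes live.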
Users of the scope-level roles only have access to the profile type within the scope name. For example, members of the ProfileWriter_BusinessManager role in the UserObject scope only have access to the UserObject profile definition. You must add users to each scope-level role individually.
SQL Server Database Instances, Accounts, and Role User Mappings:
SQL Server Database Instances Created for Commerce Server
The following table lists the Commerce Server databases and default database names that are used by Commerce Server and in this installation guide:
Commerce Server SQL database instance | Default database name | How the database is created |
---|---|---|
CS Administration | MSCS_Admin | Created by the Commerce Server Configuration wizard. |
CS Catalog Scratch | MSCS_CatalogScratch | Created by unpacking the catalog site resource. |
Site Catalog | <site_name>_productcatalog | Created when you unpack the site resource. |
Site Marketing | <site_name>_marketing | Created when you unpack the site resource. |
Site Marketing List | <site_name>_marketing_lists | Created when you unpack the site resource. |
Site Profiles | <site_name>_profiles | Created when you unpack the site resource. |
Site Transaction Configuration | <site_name>_transactionconfig | Created when you unpack the site resource. |
Site Transactions | <site_name>_transactions | Created when you unpack the site resource. |