This post was originally published here.
The out-of-the-box BizTalk Server Operators group has limited access to the BizTalk environment. An extract from MSDN:
Members of the BizTalk Server Operators group can do the following:
- View service state and message flow
- Start or stop applications
- Start or stop orchestrations
- Start or stop send ports or send port groups
- Enable or disable receive locations
- Terminate and resume service instances
Members of the BizTalk Server Operators group cannot do the following:
- Modify the configuration for BizTalk Server
- View message context properties classified as Personally Identifiable Information (PII) or message bodies.
- Modify the course of message routing, such as removing or adding new subscriptions to the running system, including the ability to publish messages into the BizTalk Server runtime.
Lately, I had a request to elevate the permissions for BizTalk Operators so that they could see the tracked message bodies. The content of a message is often needed for decent troubleshooting. Because BizTalk security is actually based on SQL Server security, it was pretty easy to implement this request. It’s sufficient to give the database role “BTS_OPERATORS” additional EXECUTE rights on the specific BizTalk stored procedures that are related to the retrieval of BizTalk message bodies. All details can be found in the script below:
```sql
-- Tracking database
USE BizTalkDTADb;
GRANT EXECUTE ON OBJECT::bts_GetTrackedMessage TO BTS_OPERATORS;
GRANT EXECUTE ON OBJECT::bts_GetTrackedMessageFragments TO BTS_OPERATORS;
GRANT EXECUTE ON OBJECT::bts_GetTrackedMessageParts TO BTS_OPERATORS;
GRANT EXECUTE ON OBJECT::ops_LoadTrackedMessageContext TO BTS_OPERATORS;
GRANT EXECUTE ON OBJECT::ops_LoadTrackedMessages TO BTS_OPERATORS;
GRANT EXECUTE ON OBJECT::ops_LoadTrackedPart TO BTS_OPERATORS;
GRANT EXECUTE ON OBJECT::ops_LoadTrackedPartByID TO BTS_OPERATORS;
GRANT EXECUTE ON OBJECT::ops_LoadTrackedPartFragment TO BTS_OPERATORS;
GRANT EXECUTE ON OBJECT::ops_LoadTrackedPartNames TO BTS_OPERATORS;
GRANT EXECUTE ON OBJECT::ops_LoadTrackedParts TO BTS_OPERATORS;
GO

-- MessageBox database
USE BizTalkMsgBoxDb;
GRANT EXECUTE ON OBJECT::bts_GetTrackedMessage TO BTS_OPERATORS;
GRANT EXECUTE ON OBJECT::bts_GetTrackedMessageFragments TO BTS_OPERATORS;
GRANT EXECUTE ON OBJECT::bts_GetTrackedMessageParts TO BTS_OPERATORS;
GRANT EXECUTE ON OBJECT::ops_LoadMessageContext TO BTS_OPERATORS;
GRANT EXECUTE ON OBJECT::ops_LoadMessages TO BTS_OPERATORS;
GRANT EXECUTE ON OBJECT::ops_LoadPart TO BTS_OPERATORS;
GRANT EXECUTE ON OBJECT::ops_LoadPartFragment TO BTS_OPERATORS;
GRANT EXECUTE ON OBJECT::ops_LoadPartNames TO BTS_OPERATORS;
GRANT EXECUTE ON OBJECT::ops_LoadParts TO BTS_OPERATORS;
GRANT EXECUTE ON OBJECT::ops_LoadTrackedMessageContext TO BTS_OPERATORS;
GRANT EXECUTE ON OBJECT::ops_LoadTrackedMessages TO BTS_OPERATORS;
GRANT EXECUTE ON OBJECT::ops_LoadTrackedPart TO BTS_OPERATORS;
GRANT EXECUTE ON OBJECT::ops_LoadTrackedPartByID TO BTS_OPERATORS;
GRANT EXECUTE ON OBJECT::ops_LoadTrackedPartFragment TO BTS_OPERATORS;
GRANT EXECUTE ON OBJECT::ops_LoadTrackedPartNames TO BTS_OPERATORS;
GRANT EXECUTE ON OBJECT::ops_LoadTrackedParts TO BTS_OPERATORS;
GO

-- Management database
USE BizTalkMgmtDb;
GRANT EXECUTE ON OBJECT::dpl_MessageType_Part_Save TO BTS_OPERATORS;
GRANT EXECUTE ON OBJECT::dpl_MessageType_Save TO BTS_OPERATORS;
GRANT EXECUTE ON OBJECT::dpl_Operation_MsgType_Save TO BTS_OPERATORS;
GRANT EXECUTE ON OBJECT::dpl_SaveItem TO BTS_OPERATORS;
GO
```
By executing this SQL Server script, you can easily grant them the rights to view BizTalk message bodies, which allows easy debugging or follow-up in different scenarios without having to change memberships.
Please note that the above method is not supported by Microsoft, so be sure to know what you are doing! Also note that database schemas and security may vary depending on the version of BizTalk you are using.
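Because the schema can differ per BizTalk version and the change is unsupported, it helps to record the state of each procedure before and after running the script. The query below is an added example, not part of the original post: it checks the BizTalkDTADb procedures named in the script, reports whether each one exists and whether BTS_OPERATORS holds EXECUTE on it, and prints a matching REVOKE statement. The column aliases are my own; the same query can be repeated for BizTalkMsgBoxDb and BizTalkMgmtDb with their procedure lists.

```sql
-- Added example: audit the grants from the script in the tracking database.
USE BizTalkDTADb;
GO

SELECT
    w.proc_name,
    -- Procedures absent from this BizTalk version would make the GRANT fail.
    CASE WHEN o.object_id IS NULL
         THEN 'missing in this version'
         ELSE o.type_desc
    END                                    AS object_status,
    COALESCE(pe.state_desc, 'NOT GRANTED') AS execute_state,
    -- Rollback statement, only produced for permissions that are in place.
    CASE WHEN pe.state_desc IN ('GRANT', 'GRANT_WITH_GRANT_OPTION')
         THEN N'REVOKE EXECUTE ON OBJECT::'
              + QUOTENAME(SCHEMA_NAME(o.schema_id)) + N'.' + QUOTENAME(o.name)
              + N' FROM BTS_OPERATORS;'
    END                                    AS rollback_statement
FROM (VALUES
        (N'bts_GetTrackedMessage'),
        (N'bts_GetTrackedMessageFragments'),
        (N'bts_GetTrackedMessageParts'),
        (N'ops_LoadTrackedMessageContext'),
        (N'ops_LoadTrackedMessages'),
        (N'ops_LoadTrackedPart'),
        (N'ops_LoadTrackedPartByID'),
        (N'ops_LoadTrackedPartFragment'),
        (N'ops_LoadTrackedPartNames'),
        (N'ops_LoadTrackedParts')
     ) AS w(proc_name)
LEFT JOIN sys.objects AS o
       ON o.name = w.proc_name
      AND o.type = 'P'                     -- SQL stored procedure
LEFT JOIN sys.database_permissions AS pe
       ON pe.class = 1                     -- object-level permission
      AND pe.major_id = o.object_id
      AND pe.minor_id = 0
      AND pe.permission_name = N'EXECUTE'
      AND pe.grantee_principal_id = DATABASE_PRINCIPAL_ID(N'BTS_OPERATORS')
ORDER BY w.proc_name;
```

Save the output from before the script is run: any row that already shows GRANT at that point is not something the script introduced, so its REVOKE statement should be left out of a rollback.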