Elevating permissions for BizTalk Server Operators group

This post was originally published here.

The out-of-the-box BizTalk Server Operators group has limited access to the BizTalk environment. An extract from MSDN:

Members of the BizTalk Server Operators group can do the following:

  • View service state and message flow
  • Start or stop applications
  • Start or stop orchestrations
  • Start or stop send ports or send port groups
  • Enable or disable receive locations
  • Terminate and resume service instances

Members of the BizTalk Server Operators group cannot do the following:

  • Modify the configuration for BizTalk Server
  • View message context properties classified as Personally Identifiable Information (PII) or message bodies.
  • Modify the course of message routing, such as removing or adding new subscriptions to the running system, including the ability to publish messages into the BizTalk Server runtime.

Lately, I had a request to elevate the permissions for BizTalk Operators so that they were able to see the tracked message bodies. The content of a message is often needed for decent troubleshooting. Because BizTalk security is actually based on SQL Server security, it was pretty easy to implement this request. It’s sufficient to give the database role “BTS_OPERATORS” additional EXECUTE rights on the specific BizTalk stored procedures that are related to the retrieval of BizTalk message bodies. All details can be found in the script below:

USE BizTalkDTADb; 
   GRANT EXECUTE ON OBJECT::bts_GetTrackedMessage
      TO BTS_OPERATORS;
   GRANT EXECUTE ON OBJECT::bts_GetTrackedMessageFragments
      TO BTS_OPERATORS;
   GRANT EXECUTE ON OBJECT::bts_GetTrackedMessageParts
      TO BTS_OPERATORS;
   GRANT EXECUTE ON OBJECT::ops_LoadTrackedMessageContext
      TO BTS_OPERATORS;
   GRANT EXECUTE ON OBJECT::ops_LoadTrackedMessages
      TO BTS_OPERATORS;
   GRANT EXECUTE ON OBJECT::ops_LoadTrackedPart
      TO BTS_OPERATORS;
   GRANT EXECUTE ON OBJECT::ops_LoadTrackedPartByID
      TO BTS_OPERATORS;
   GRANT EXECUTE ON OBJECT::ops_LoadTrackedPartFragment
      TO BTS_OPERATORS;
   GRANT EXECUTE ON OBJECT::ops_LoadTrackedPartNames
      TO BTS_OPERATORS;
   GRANT EXECUTE ON OBJECT::ops_LoadTrackedParts
      TO BTS_OPERATORS;
GO 
 
USE BizTalkMsgBoxDb;
   GRANT EXECUTE ON OBJECT::bts_GetTrackedMessage
      TO BTS_OPERATORS;
   GRANT EXECUTE ON OBJECT::bts_GetTrackedMessageFragments
      TO BTS_OPERATORS;
   GRANT EXECUTE ON OBJECT::bts_GetTrackedMessageParts
      TO BTS_OPERATORS;
   GRANT EXECUTE ON OBJECT::ops_LoadMessageContext
      TO BTS_OPERATORS;
   GRANT EXECUTE ON OBJECT::ops_LoadMessages
      TO BTS_OPERATORS;
   GRANT EXECUTE ON OBJECT::ops_LoadPart
      TO BTS_OPERATORS;
   GRANT EXECUTE ON OBJECT::ops_LoadPartFragment
      TO BTS_OPERATORS;
   GRANT EXECUTE ON OBJECT::ops_LoadPartNames
      TO BTS_OPERATORS;
   GRANT EXECUTE ON OBJECT::ops_LoadParts
      TO BTS_OPERATORS;
   GRANT EXECUTE ON OBJECT::ops_LoadTrackedMessageContext
      TO BTS_OPERATORS;
   GRANT EXECUTE ON OBJECT::ops_LoadTrackedMessages
      TO BTS_OPERATORS;
   GRANT EXECUTE ON OBJECT::ops_LoadTrackedPart
      TO BTS_OPERATORS;
   GRANT EXECUTE ON OBJECT::ops_LoadTrackedPartByID
      TO BTS_OPERATORS;
   GRANT EXECUTE ON OBJECT::ops_LoadTrackedPartFragment
      TO BTS_OPERATORS;
   GRANT EXECUTE ON OBJECT::ops_LoadTrackedPartNames
      TO BTS_OPERATORS;
   GRANT EXECUTE ON OBJECT::ops_LoadTrackedParts
      TO BTS_OPERATORS;
GO 
 
USE BizTalkMgmtDb;
   GRANT EXECUTE ON OBJECT::dpl_MessageType_Part_Save
      TO BTS_OPERATORS;
   GRANT EXECUTE ON OBJECT::dpl_MessageType_Save
      TO BTS_OPERATORS;
   GRANT EXECUTE ON OBJECT::dpl_Operation_MsgType_Save
      TO BTS_OPERATORS;
   GRANT EXECUTE ON OBJECT::dpl_SaveItem
      TO BTS_OPERATORS;
GO

By executing this SQL Server script, you grant the operators the rights to view BizTalk message bodies, which allows easy debugging or follow-up in different scenarios without having to change group memberships.

Please note that the above method is not supported by Microsoft, so be sure you know what you are doing! Also note that database schemas and security may vary depending on the version of BizTalk you are using.
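Two things a practitioner will want alongside the script above: a way to verify (and periodically review) exactly which EXECUTE rights BTS_OPERATORS ends up holding, and a grant that copes with the version differences just mentioned instead of failing halfway through a batch. The T-SQL below is an added example, not part of the original post or of BizTalk itself. It assumes the default database names used in the script, that the procedures live in the dbo schema, and SQL Server catalog views (sys.database_permissions, sys.database_principals, sys.objects); the procedure list in the second part is a short, illustrative subset of the names from the script.

```sql
-- Added example (not from the original post): audit and guarded-grant
-- helpers for the EXECUTE rights given to BTS_OPERATORS.
-- Assumptions: default BizTalk database names, procedures in the dbo schema.

-- 1. Audit: list every explicit EXECUTE permission held by BTS_OPERATORS
--    in the current database. Run once per database (DTA, MsgBox, Mgmt)
--    to confirm the change and to review it later for least privilege.
USE BizTalkDTADb;
GO
SELECT
    DB_NAME()                 AS database_name,
    SCHEMA_NAME(o.schema_id)  AS schema_name,
    o.name                    AS object_name,
    o.type_desc               AS object_type,
    p.permission_name,
    p.state_desc              AS grant_state      -- GRANT or DENY
FROM sys.database_permissions AS p
JOIN sys.database_principals AS r
    ON r.principal_id = p.grantee_principal_id
JOIN sys.objects AS o
    ON o.object_id = p.major_id
WHERE r.name = N'BTS_OPERATORS'
  AND p.class_desc = N'OBJECT_OR_COLUMN'
  AND p.permission_name = N'EXECUTE'
ORDER BY schema_name, object_name;
GO

-- 2. Guarded grant: only grant on procedures that exist in this BizTalk
--    version, and report the missing ones instead of aborting the batch.
USE BizTalkMsgBoxDb;
GO
DECLARE @procs TABLE (name sysname NOT NULL);
INSERT INTO @procs (name) VALUES
    (N'bts_GetTrackedMessage'),           -- names taken from the script above
    (N'bts_GetTrackedMessageFragments'),
    (N'bts_GetTrackedMessageParts'),
    (N'ops_LoadTrackedMessages');

DECLARE @name sysname, @sql nvarchar(max);
DECLARE proc_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM @procs;
OPEN proc_cursor;
FETCH NEXT FROM proc_cursor INTO @name;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- 'P' restricts the lookup to stored procedures in the dbo schema
    IF OBJECT_ID(N'dbo.' + @name, N'P') IS NOT NULL
    BEGIN
        SET @sql = N'GRANT EXECUTE ON OBJECT::dbo.' + QUOTENAME(@name)
                 + N' TO BTS_OPERATORS;';
        EXEC sys.sp_executesql @sql;
        PRINT N'Granted EXECUTE on dbo.' + @name + N' in ' + DB_NAME();
    END
    ELSE
        PRINT N'Skipped: dbo.' + @name + N' does not exist in ' + DB_NAME();
    FETCH NEXT FROM proc_cursor INTO @name;
END
CLOSE proc_cursor;
DEALLOCATE proc_cursor;
GO
```

Replacing GRANT with REVOKE in the dynamic statement turns the second part into a rollback script for the same list, and the audit query shows the result either way. Keeping the audit output from before and after the change gives a simple record of what the operators role can execute beyond its out-of-the-box rights.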

About me

Hi! I’m Toon Vanhoutte, a hands-on Azure architect – based in Belgium – with a big passion for teaching and helping people out. I’m happy to assist you during your Azure journey with high-quality advisory and I would love to teach you Azure’s possibilities via my tailored training courses.