As mentioned previously, people are the weakest link in the security chain. The best security measure is to keep them away from your BizTalk application. Unfortunately, this is not a very realistic solution. Instead, try to limit the people who have access to the BizTalk application, and limit the level of access these people have.
Employees who will have access to the BizTalk application should have a legitimate need to do so before they are granted access. Perform the following steps to assess the roles of employees who will be working with the BizTalk application:
1. Make an inventory of all the roles and put them in groups, based on the type of use they will make of the application. Try to minimize the number of groups: the more groups, the more administration involved, and the greater the chance of error.
2. Determine for each group which parts of the BizTalk solution they will need to use, and what type, or level, of access this will require. Be very strict about this. If users only need read-only access, that should be all they get.
3. Add only the usernames of the employees you have identified as needing access to the BizTalk solution to the groups. Review the group membership at least twice a year, since employees have a tendency to change jobs, and their old rights tend to stay behind when they do.
4. Never grant access rights to individual user accounts. A right granted directly to a user sits outside the group model, so it is easy to overlook during a review and it complicates every later administration task.
During the installation of BizTalk, only two groups are created: BizTalk Server Administrators and BizTalk Server Report Users, which might be enough for most solutions. Remember that with BizTalk Server, you create multitier solutions in which nearly all users will only need to have access to the outer tier.
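The four steps above amount to a recurring access review, and it is worth scripting one so that it actually happens twice a year. The following PowerShell script is an added example, not code from the book or from BizTalk Server: it takes the role specification from steps 1 and 2, checks the membership of the two groups that setup creates against it (step 3), and searches the ACL of a BizTalk resource for rights granted to individual accounts rather than groups (step 4). It assumes a current Windows host with the Microsoft.PowerShell.LocalAccounts module (Get-LocalGroupMember) and the WinNT ADSI provider; the CONTOSO accounts, the review dates, the member limits and the path C:\BizTalk\Receive are constructed for the example.

```powershell
# Added example (not from the book): a periodic access review for the Windows
# groups that guard a BizTalk installation.

# Steps 1 and 2: one entry per role group and the access level that role needs.
# MaxMembers is a hypothetical expectation set by the administrator.
$RoleSpec = @(
    @{ Group = 'BizTalk Server Administrators'; Access = 'Full';     MaxMembers = 5  }
    @{ Group = 'BizTalk Server Report Users';   Access = 'ReadOnly'; MaxMembers = 50 }
)

# Step 3: when each group was last reviewed (hypothetical record kept by the admin).
$LastReviewed = @{
    'BizTalk Server Administrators' = Get-Date '2024-01-15'
    'BizTalk Server Report Users'   = Get-Date '2023-06-01'
}

function Get-GroupFindings {
    param(
        [Parameter(Mandatory)] [hashtable] $Spec,
        [object[]]  $Members = @(),          # objects with Name and ObjectClass
        [Parameter(Mandatory)] [datetime]  $LastReview,
        [datetime]  $Now = (Get-Date)
    )
    $findings = @()
    # Step 3: twice a year means the last review is at most 183 days old.
    if (($Now - $LastReview).TotalDays -gt 183) {
        $findings += "$($Spec.Group): membership not reviewed since $($LastReview.ToShortDateString())"
    }
    if ($Members.Count -gt $Spec.MaxMembers) {
        $findings += "$($Spec.Group): $($Members.Count) members, more than the expected $($Spec.MaxMembers)"
    }
    # Step 1: a nested group hides who really has access; flag it for follow-up.
    foreach ($m in ($Members | Where-Object ObjectClass -eq 'Group')) {
        $findings += "$($Spec.Group): nested group '$($m.Name)', review its members as well"
    }
    return $findings
}

# Step 4: rights granted to individual accounts on a BizTalk resource (receive
# directory, file share, ...) bypass the group model. Walk the ACL and report
# every ACE whose identity resolves to a user rather than a group.
function Get-UserLevelAces {
    param([Parameter(Mandatory)] [string] $Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value            # e.g. CONTOSO\jdoe, BUILTIN\Administrators
        if ($id -notmatch '\\') { continue }
        $domain, $name = $id -split '\\', 2
        try {
            # The WinNT ADSI provider reports 'User' or 'Group' for a resolvable account.
            $class = ([ADSI]"WinNT://$domain/$name").SchemaClassName
        } catch {
            continue                                  # well-known SIDs the provider cannot resolve
        }
        if ($class -eq 'User') {
            [pscustomobject]@{ Path = $Path; Identity = $id; Rights = $ace.FileSystemRights }
        }
    }
}

# Constructed sample membership so the review logic can be exercised offline;
# set $Live = $true on a BizTalk host to read the real groups instead.
$Live = $false
$SampleMembers = @{
    'BizTalk Server Administrators' = @(
        [pscustomobject]@{ Name = 'CONTOSO\btsadmin';      ObjectClass = 'User'  }
        [pscustomobject]@{ Name = 'CONTOSO\Domain Admins'; ObjectClass = 'Group' }
    )
    'BizTalk Server Report Users' = @(
        [pscustomobject]@{ Name = 'CONTOSO\jdoe'; ObjectClass = 'User' }
    )
}

foreach ($spec in $RoleSpec) {
    $members = if ($Live) { Get-LocalGroupMember -Group $spec.Group } else { $SampleMembers[$spec.Group] }
    Get-GroupFindings -Spec $spec -Members $members -LastReview $LastReviewed[$spec.Group]
}
if ($Live) { Get-UserLevelAces -Path 'C:\BizTalk\Receive' | Format-Table -AutoSize }
```

With the constructed data the run reports that BizTalk Server Report Users has gone more than 183 days without a review and that BizTalk Server Administrators contains a nested group. The ACL check is only meaningful on a real host, which is why it runs in live mode alone; an ACE that cannot be resolved (NT AUTHORITY\SYSTEM, for instance) is skipped rather than misreported as a user.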
For the XLANG Scheduler, four roles are created: Creator, User, Administrator, and Application. Except for the Administrator role, everyone has default membership in these roles. This needs some adjustment, which we discuss later.