Currently many firms using BizTalk Server have a single production environment for all of their BizTalk applications. The security model that ships with BizTalk Server is coarse: it rests on a couple of Windows groups, BizTalk Server Administrators and BizTalk Server Operators. BizTalk Server Administrators have complete control over the BizTalk Server Group and can make any configuration change to the environment and to every deployed application. BizTalk Server Operators have fewer privileges and can perform troubleshooting and monitoring actions, again across all deployed applications. Neither group can be scoped to a subset of applications, so for the administrator of one BizTalk application to interact with it at all, they must be in one of these groups, and therefore hold the same rights over everyone else's applications.

Recently I had a customer come to me with multiple applications deployed to a single BizTalk environment and a requirement for separate administrators per application. They did not want the application administrators to be able to see or affect other applications that they had not been given rights to. So, I set about creating a web application that shows only the BizTalk applications that the user has been granted access to. The user can stop, start, enable, disable, etc., all application artifacts, and suspend, resume and terminate any messages that form part of those applications. The web site makes use of the ExplorerOM (the Microsoft.BizTalk.ExplorerOM assembly) and WMI (Windows Management Instrumentation) calls.
Layout
While I can’t make the code downloadable, as it forms part of the intellectual property of the firm that I work for, I can explain how the web site works. The web site is similar to the BizTalk Administration Console in that it has a page for Platform (Platform Settings in the BTS Admin Console), Parties, Applications, and Messages (Group Hub in the BTS Admin Console). I’ve also added a Logs page that displays all event logs. The following diagram shows the Platform page:

None of the Platform settings are configurable through the site: they are shared by the whole environment, so changing them would affect other applications that depend on them.
Security
The security for BizTalk application administrators is set in Active Directory. A group is created for each BizTalk application, and the users who will administer that application are added to it. The web site associates each group with its BizTalk application; if the user is a member of the application's group, they can view and interact with the application, otherwise it is not shown to them at all. Because the site makes the ExplorerOM and WMI calls itself, its own identity carries the BizTalk group membership that the application administrators lack, so the group check is the only thing standing between a user and another team's application; it has to be applied on every action, not only when the list of applications is built. The following diagram shows the Applications page:

Applications
The Applications page lists all applications that the user has access to and allows them to stop and start an application. Each application can be drilled into as well, and each artifact can be stopped, started, enabled, disabled, etc. These actions are implemented through WMI calls to the BizTalk WMI provider (the root\MicrosoftBizTalkServer namespace), which applies the change to the BizTalk Management database. An artifact can also be drilled into to show all properties associated with it. The following diagram shows the Send Ports for an application:
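The following PowerShell script is an added example of the pattern described in the Security and Applications sections; it is not the web site's code, which is not public. It maps applications to Active Directory groups, lists only the applications the caller belongs to, and stops a send port through the BizTalk WMI provider, checking the group on the action itself and writing an audit entry. The application names, group names, and the 'BTS Admin' event source are assumptions; the root\MicrosoftBizTalkServer namespace, the MSBTS_SendPort class and its Stop method are the BizTalk 2006 WMI provider's own.

```powershell
# Added example (not the delegated-admin site's own code). Assumes a BizTalk
# 2006 server and that the script runs as an account in a BizTalk group, since
# the WMI provider requires that. The user being authorized is the one passed
# in as $Identity; in the ASP.NET site that would be the authenticated request
# user (HttpContext.Current.User.Identity), never the worker process account.
$Namespace = 'root\MicrosoftBizTalkServer'

# Application -> Active Directory group. Names are assumptions; the site keeps
# this association in its own configuration.
$AppGroups = @{
    'Orders.Processing' = 'CONTOSO\BTS-App-Orders'
    'Invoicing'         = 'CONTOSO\BTS-App-Invoicing'
}

function Test-AppAccess {
    param([string]$ApplicationName,
          [System.Security.Principal.WindowsIdentity]$Identity)
    # Deny by default: an application with no mapped group is never visible.
    if (-not $AppGroups.ContainsKey($ApplicationName)) { return $false }
    $principal = New-Object System.Security.Principal.WindowsPrincipal($Identity)
    return $principal.IsInRole($AppGroups[$ApplicationName])
}

function Get-VisibleApplications {
    param([System.Security.Principal.WindowsIdentity]$Identity)
    # Only applications whose group the user belongs to are listed at all.
    $AppGroups.Keys | Where-Object { Test-AppAccess $_ $Identity } | Sort-Object
}

function Write-AdminAudit {
    param([string]$Message)
    # Dedicated event log and source (assumed names). Creating the source needs
    # local administrator rights, so it is normally a one-time install step.
    $log = 'BTS Admin'; $source = 'BizTalk Delegated Admin'
    if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
        [System.Diagnostics.EventLog]::CreateEventSource($source, $log)
    }
    [System.Diagnostics.EventLog]::WriteEntry($source, $Message,
        [System.Diagnostics.EventLogEntryType]::Information)
}

function ConvertTo-WqlLiteral {
    param([string]$Value)
    # WQL string literals use backslash escapes; an unescaped quote in a
    # user-supplied artifact name would otherwise change the filter.
    return $Value.Replace('\', '\\').Replace("'", "\'")
}

function Stop-DelegatedSendPort {
    param([string]$ApplicationName, [string]$PortName,
          [System.Security.Principal.WindowsIdentity]$Identity)
    # The group check runs on every action, not just when the list was built.
    if (-not (Test-AppAccess $ApplicationName $Identity)) {
        Write-AdminAudit "DENIED: $($Identity.Name) tried to stop $ApplicationName/$PortName"
        throw "Access denied to application '$ApplicationName'"
    }
    # Filtering on ApplicationName as well as Name keeps a user from reaching
    # a port in an application they do not administer by guessing its name.
    $filter = "ApplicationName='{0}' AND Name='{1}'" -f `
        (ConvertTo-WqlLiteral $ApplicationName), (ConvertTo-WqlLiteral $PortName)
    $port = Get-WmiObject -Namespace $Namespace -Class MSBTS_SendPort -Filter $filter
    if ($null -eq $port) {
        throw "Send port '$PortName' not found in application '$ApplicationName'"
    }
    # MSBTS_SendPort also exposes Start, Enlist and UnEnlist; MSBTS_Orchestration
    # (Start/Stop/Enlist/Unenlist) and MSBTS_ReceiveLocation (Enable/Disable)
    # follow the same pattern for the other artifact actions.
    [void]$port.Stop()
    Write-AdminAudit "$($Identity.Name) stopped send port $PortName in $ApplicationName"
}

# Usage, authorizing the interactive user:
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
Get-VisibleApplications $me
Stop-DelegatedSendPort -ApplicationName 'Orders.Processing' -PortName 'SendOrderAck' -Identity $me
```

The point worth noticing is that the authorization and the WMI filter both name the application: the first decides whether the caller may act, the second makes sure the object acted on really belongs to that application.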

Messages
The Messages page gives the user the same basic message queries as the Group Hub page of the BTS Admin Console and allows them to suspend, resume and terminate the associated service instances where applicable. Also added are the built-in HAT (Health and Activity Tracking) queries, which are run against the BizTalk Tracking database. Another feature is the ability to drill down into a service instance's message and view some of the properties associated with it, as shown in the following diagram:
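Scoping the Group Hub style queries to an application needs one extra step that the artifact pages do not, because the MSBTS_ServiceInstance WMI class carries no ApplicationName property. The added example below, again PowerShell and not the site's code, maps each instance's ServiceName back to the orchestration or send port with that name and drops anything that does not resolve to one of the caller's applications, so a user cannot see or terminate another team's instances. The $AllowedApplications list stands in for the result of the group check shown earlier; the WMI classes, properties and ServiceStatus values are the BizTalk 2006 provider's own.

```powershell
# Added example (not the delegated-admin site's own code). Assumes a BizTalk
# 2006 server and an account in a BizTalk group. $AllowedApplications is the
# set of applications the calling user has already been authorized for.
$Namespace = 'root\MicrosoftBizTalkServer'

function Get-ServiceNameMap {
    param([string[]]$AllowedApplications)
    # ServiceName is the orchestration's full type name for orchestration
    # instances and the send port name for messaging instances, so both
    # classes are consulted. Anything not in this map is treated as foreign.
    $map = @{}
    foreach ($app in $AllowedApplications) {
        $lit = $app.Replace('\', '\\').Replace("'", "\'")   # WQL escaping
        Get-WmiObject -Namespace $Namespace -Class MSBTS_Orchestration -Filter "ApplicationName='$lit'" |
            ForEach-Object { $map[$_.Name] = $app }
        Get-WmiObject -Namespace $Namespace -Class MSBTS_SendPort -Filter "ApplicationName='$lit'" |
            ForEach-Object { $map[$_.Name] = $app }
    }
    return $map
}

function Get-DelegatedSuspendedInstances {
    param([string[]]$AllowedApplications)
    $map = Get-ServiceNameMap $AllowedApplications
    # ServiceStatus 4 = suspended (resumable), 32 = suspended (not resumable).
    # Instances whose ServiceName is not in the map are silently hidden.
    Get-WmiObject -Namespace $Namespace -Class MSBTS_ServiceInstance `
        -Filter 'ServiceStatus=4 OR ServiceStatus=32' |
        Where-Object { $map.ContainsKey($_.ServiceName) } |
        Select-Object InstanceID, ServiceName, ServiceStatus, ErrorDescription, `
            @{ Name = 'ApplicationName'; Expression = { $map[$_.ServiceName] } }
}

function Invoke-DelegatedInstanceAction {
    param([string]$InstanceID, [string]$Action, [string[]]$AllowedApplications)
    $map = Get-ServiceNameMap $AllowedApplications
    $lit = $InstanceID.Replace('\', '\\').Replace("'", "\'")
    $inst = Get-WmiObject -Namespace $Namespace -Class MSBTS_ServiceInstance -Filter "InstanceID='$lit'"
    if ($null -eq $inst) { throw "Service instance $InstanceID not found" }
    # The InstanceID came from the client, so ownership is re-checked here
    # rather than trusting that it appeared in an earlier list.
    if (-not $map.ContainsKey($inst.ServiceName)) {
        throw "Instance $InstanceID belongs to an application you do not administer"
    }
    switch ($Action) {
        'Suspend'   { [void]$inst.Suspend() }
        'Resume'    { [void]$inst.Resume() }
        'Terminate' { [void]$inst.Terminate() }
        default     { throw "Unknown action '$Action'" }
    }
}

# Usage for a user who administers only Orders.Processing (assumed name):
$mine = Get-DelegatedSuspendedInstances -AllowedApplications @('Orders.Processing')
$mine | Format-Table InstanceID, ApplicationName, ServiceName, ServiceStatus
```

Because the map is deny-by-default, instances whose ServiceName belongs to no orchestration or send port in the user's applications (routing failure reports, for instance) do not appear; that is the safe side to err on for a delegated administrator.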

Logs
The Logs page allows all the event logs to be viewed. There is also a dedicated BTS Admin log written by the BizTalk Delegated Admin web site itself: it gets an entry whenever an administrator stops, starts, enables, disables, etc. an artifact or suspends, resumes or terminates a message, so the actions taken through the site can be reviewed after the fact. The following diagram shows the events for the web application:

The Future
While there is much more that could be done in future releases of the site, it is to be expected that Microsoft will extend the security model around the BizTalk Administration Console in a future release of BizTalk Server. In the meantime, firms wanting a more granular security model around their BizTalk applications have no option other than custom code.
Links
Microsoft BizTalk ExplorerOM
Windows Management Instrumentation
BizTalk 2006, BizTalk Delegated Administration, BizTalk Administration, WMI, Windows Management Instrumentation, BizTalk ExplorerOM
October 9th, 2007 at 7:30 am
Great work Sergio!!