Commerce Server Resource Security CmdLets

Current version: 8.2

Securing Commerce Server resource databases has become simpler with the introduction of the CmdLets. Instead of reviewing a list of SQL Server roles and adding app pool users, there are a set of CmdLets to secure each database. The CmdLets also reduce confusion as to which roles users need to be added to.

Management Database Permissions

Management permissions are defined as read and write actions on a resource. These activities are similar to the authoring activities carried out on a Content Management server in Sitecore, instead of the read-only activities that are carried out on a Content Delivery server. You can grant user Management permissions to a user by using the following CmdLets:

To grant management permissions to all resources in a site for a user, such as the app pool of a Content Management server, run the following commands:

RequestResponse

Grant-CSManagementPermissions –Name MySiteName –Identity $siteAppPoolUser

To grant management permissions to a specific resource, such as the application pools of the Commerce Server web services, use one of the following commands:

RequestResponse

Grant-CSCatalogManagementPermissions –Name MySiteName –Identity $catalogWSAppPoolUser
Grant-CSProfilesManagementPermissions –Name MySiteName –Identity $profilesWSAppPoolUser
Grant-CSMarketingManagementPermissions –Name MySiteName –Identity $marketingWSAppPoolUser
Grant-CSOrdersManagementPermissions –Name MySiteName –Identity $ordersWSAppPoolUser

To revoke a user's database permissions for all site resources, use the following commands:

RequestResponse

Revoke-CSOrdersManagementPermissions –Name MySiteName –Identity $ordersWSAppPoolUser

To revoke a user's database permissions for a specific resource, use the following commands:

RequestResponse

Revoke-CSManagementPermissions –Name MySiteName –Identity $siteAppPoolUser
Revoke-CSCatalogManagementPermissions –Name MySiteName –Identity $catalogWSAppPoolUser
Revoke-CSProfilesManagementPermissions –Name MySiteName –Identity $profilesWSAppPoolUser
Revoke-CSMarketingManagementPermissions –Name MySiteName –Identity $marketingWSAppPoolUser

Exporting Database Permissions

Depending on your environment, you may not be able to run CmdLets against an SQL Server, or you may want more granular control over what permissions are applied. You can use the following CmdLets to export the SQL scripts that are used to apply roles to a specific user, and then modify these scripts as necessary.

RequestResponse

Export-CSManagementPermissions -Name MySiteName -Identity "Domain\User" -Folder "C:\Scripts\CSPermissions\"
Export-CSRuntimePermissions -Name MySiteName -Identity "Domain\User" -Folder "C:\Scripts\CSPermissions\"

Runtime Database Permissions

Runtime permissions are defined as read-only actions on a resource, and are similar to delivery activities that are carried out on a Content Delivery server in Sitecore, unlike the read-only activities on a Content Management server. This mode still allows writing of new profile and orders data.

To grant Runtime permissions to all resources in a site for a user, such as the app pool of a Content Delivery server, run the following commands:

RequestResponse

Grant-CSRuntimePermissions –Name MySiteName –Identity $siteAppPoolUser

To grant runtime permissions to a specific resource, such as the application pools of the Commerce Server web services in the Content Delivery environment, run one of the following commands:

RequestResponse

Grant-CSCatalogRuntimePermissions –Name MySiteName –Identity $catalogWSAppPoolUser
Grant-CSProfilesRuntimePermissions –Name MySiteName –Identity $profilesWSAppPoolUser
Grant-CSMarketingRuntimePermissions –Name MySiteName –Identity $marketingWSAppPoolUser
Grant-CSOrdersRuntimePermissions –Name MySiteName –Identity $ordersWSAppPoolUser

To revoke a user's database permissions, use the following commands:

RequestResponse

Revoke-CSRuntimePermissions –Name MySiteName –Identity $siteAppPoolUser

To revoke a user's database permissions for a specific resource, use the following commands:

RequestResponse

Revoke-CSCatalogRuntimePermissions –Name MySiteName –Identity $catalogWSAppPoolUser
Revoke-CSProfilesRuntimePermissions –Name MySiteName –Identity $profilesWSAppPoolUser
Revoke-CSMarketingRuntimePermissions –Name MySiteName –Identity $marketingWSAppPoolUser
Revoke-CSOrdersRuntimePermissions –Name MySiteName –Identity $ordersWSAppPoolUser

Exporting Database Permissions

Depending on your environment, you might not be allowed to run CmdLets against a SQL Server, or you may want more granular control over what permissions are applied. Use the following CmdLets to export the SQL scripts that are used to apply roles to a specific user. You can then modify these scripts as necessary.

RequestResponse

Export-CSManagementPermissions -Name MySiteName -Identity "Domain\User" -Folder "C:\Scripts\CSPermissions\"
Export-CSRuntimePermissions -Name MySiteName -Identity "Domain\User" -Folder "C:\Scripts\CSPermissions\"

Web Service Permissions

The Commerce Server web services use Windows Authorization Stores to manage who can perform what actions against a web service. Each web service has an authorization store XML file that stores the permissions. You manage the stores by using Windows Authorization Manager (AzMan.msc), but you can now add users using the following CmdLets:

Each CmdLet must be pointed to the appropriate authorization store XML file, and have the user/group and role to add the user to specified. You can discover the list of potential roles by opening the XML file in Windows Authorization Manager (AzMan.msc).

RequestResponse

Grant-CSCatalogWebServicePermissions -File"c:\inetpub\wwwroot\CatalogWebService\CatalogAuthorizationStore.xml" -Identity "Domain\User" -Role "Administrator"
Grant-CSProfilesWebServicePermissions -File"c:\inetpub\wwwroot\CatalogWebService\CatalogAuthorizationStore.xml" -Identity "Domain\User" -Role "ProfilesAdministrator"
Grant-CSOrdersWebServicePermissions -File"c:\inetpub\wwwroot\CatalogWebService\CatalogAuthorizationStore.xml" -Identity "Domain\User" -Role "OrdersAdministrator"
Grant-CSMarketingWebServicePermissions -File"c:\inetpub\wwwroot\CatalogWebService\CatalogAuthorizationStore.xml" -Identity "Domain\User" -Role "MarketingAdministrator"

For more information about the CmdLets, you can run the following command:

RequestResponse

Get-Help –detailed CmdLet-Name

Commerce Server Web Service CmdLets

Previously, PuP packages were the only way to setup Commerce Server web services in IIS, but now there are other options, both of which use Web Deploy packages.

The first option is to use the Web Deploy packages for each subsystem and deploy them using IIS, or the standard IIS CmdLets. Inside the Commerce Server installation folder is a new WebServices directory, C:\Program Files (x86)\Commerce Server 11\WebServices\, which contains a WebDeploy package for each subsystem.

The second option is to use the following Commerce Server CmdLet, which will choose the correct WebDeploy package based on the resource you chose, and deploy it into a new or existing virtual directory under an existing IIS site. This CmdLet will also automatically update the web.config of the service with the correct Commerce Server site name.

RequestResponse

New-CSWebService -Name MySiteName -Resource Catalog -IISSite CSServices

There are additional optional properties that you can specify on this CmdLet. For more information, run this command:

RequestResponse

Get-Help –detailed CmdLet-Name

Commerce Server Application CmdLets

Commerce Server Applications are typically web sites, web services, or other forms of web applications that use a Commerce Server Site. By registering with a Commerce Server site, this enables the Applications to be notified that data has changed in a resource and that it should drop the cache and reread the resource. Because Commerce Server now has a cache drop notification API, there is no need to register Applications. These CmdLets are required for backward compatibility, and are unneeded when developing a new site.

To get a list of all existing Applications, run the following command:

RequestResponse

Get-CSSiteApplications

To add a new Application, run the following command:

RequestResponse

Add-CSSiteApplication -Name "MySiteName" -Application "MySite_Application"

To remove an Application, run the following command:

RequestResponse

Remove-CSSiteApplication -Name "MySiteName" -Application "MySite_Application"

Because an Application, such as a web site, could have instances on multiple servers, you can register these servers underneath the Application. To add a new server, run the following command:

RequestResponse

Add-CSSiteApplicationServer -Name "MySiteName" -Application "MySite_Application" -WebServerMachine "MyServerName”

To remove a server, run the following command:

RequestResponse

Remove-CSSiteApplicationServer -Name "MySiteName" -Application "MySite_Application" -WebServerMachine "MyServerName”

Applications, such as Site Resource and Global Resources, contain properties that you can get and set. To get a full list of the properties on an Application, run the following command:

RequestResponse

Get-CSSiteApplicationProperties -Name "MySiteName" -Application "MySite_Application"

To get a specific property value, run this command:

RequestResponse

Get-CSSiteApplicationProperty -Name "MySiteName" -Application "MySite_Application" –PropertyName “b_SyncLogFile”

To set a property value, run this command:

RequestResponse

Set-CSSiteApplicationProperty -Name "MySiteName" -Application "MySite_Application" –PropertyName “b_SyncLogFile" -PropertyValue $false

There are additional optional properties that you can specify on these CmdLets. For more information, run this command:

RequestResponse

Get-Help –detailed CmdLet-Name

Commerce Server Global Resource CmdLets

A Global Resource is a resource that can be shared between sites. Previously, Commerce Server had a number of Global Resources, but Profiles is currently the only one you will work with. The CmdLets available for Global Resource are similar to ones for regular resources. The difference is that you cannot create a Global Resource directly, you can only do it by using the Add-CSProfilesResource to create a Profile resource.

To get a list of Global Resources, run the following command:

RequestResponse

Get-CSGlobalResources

To remove a global resource, run the following command:

RequestResponse

Remove-CSGlobalResource “Profiles(MyServer_MySiteName_profiles)

By default the remove commands will not delete the associated database. You can delete it at the same time by adding the DeleteDatabases parameter:

RequestResponse

Remove-CSGlobalResource -ResourceName “Profiles(MyServer_MySiteName_profiles) -DeleteDatabases $true

All Global Resources contain a collection of properties that allow you to configure how the resource runs. You can manipulate these properties using the following CmdLets.

To get a list of all of the properties on a Global Resource, run the following command:

RequestResponse

Get-CSGlobalResourceProperties -ResourceName “Profiles(MyServer_MySiteName_profiles)

To get a specific property value, run the following command:

RequestResponse

Get-CSGlobalResourceProperty -ResourceName “Profiles(MyServer_MySiteName_profiles) -PropertyName “s_BizDataStoreConnectionString”

To can set a property value, run the following command:

RequestResponse

Set-CSGlobalResourceProperty -ResourceName “Profiles(MyServer_MySiteName_profiles) -PropertyName “s_BizDataStoreConnectionString” -PropertyValue “my_profiles_db_connection_string”

There are additional optional properties that you can specify on these CmdLets. For more information, run this command:

RequestResponse

Get-Help –detailed CmdLet-Name

General CmdLet Notes

Database Creation and Authentication Mechanisms

By default, any of the CmdLets that create databases will use the connection string of the MSCS_Admin database as the template for what server to create the databases on and what authentication mechanism to use. For example, Windows Authentication or SQL Authentication. If the authentication mechanism is Windows Authentication, then the credentials of the user running the CmdLet will be used. If the authentication mechanism is SQL Authentication then the user name and password on the connection string will be used.

If Windows Authentication is being used, and the user running the CmdLet does not have permission to create databases on the target SQL Server, then you will need to run a new PowerShell instance as a user that does have permission to create databases on the target SQL Server and re-run the CmdLet(s).

If SQL Authentication is being used and the credentials on the MSCS_Admin database do not have permissions to create databases on the target SQL Server, then you can use the –SqlUserName and –SqlUserPassword parameters to specify a user that does have the appropriate permissions.

Azure SQL

If you are creating your databases against an Azure SQL Server, then you can use the following parameters to specify to that you get the correct size and edition of the database created.

  • RequestResponse
    
                    Edition [<string>]
                  
    
    • Specifies the edition of the SQL Azure database to create (e.g. basic, standard, premium, etc.).

  • RequestResponse
    
                    MaxSize [<string>]
                  
    
    • Specifies the maximum size of the SQL Azure database to create, such as 500 MB, 5 GB, 500 GB, and so on.

  • RequestResponse
    
                    ServiceObjective [<string>]
                  
    
    • Specifies service objective of the SQL Azure database to create, such as basic, S3, P6, and so on. If a value is provided, the ElasticPool parameter cannot be specified.

  • RequestResponse
    
                    ElasticPool [<string>]
                  
    
    • Specifies the name of the SQL Azure Elastic Pool that the database will be added to. If a value is provided, the ServiceObjective parameter cannot be specified.

  • RequestResponse
    
                    SqlTimeout [<int>]
                  
    
    • Specifies the SQL command timeout in seconds. This useful if you are running the CmdLets from on-site.

Do you have some feedback for us?

If you have suggestions for improving this article,