There is always a confusion in a real time production biztalk environment about the user rights. Most of the time when run ConfigFramework, btsdeploy, deployment wizard, accessing the admin tool. Do I need to be part of just “Biztalk Server Administrators” group, or do I need to be part of “SSO Administrators” as well to perform some task. The following link gives you all the required information
Key point is:
*Ensure that the service account running the Enterprise Single Sign-On (SSO) service is a member of the SSO Administrators group on each computer.
*The administrator installing and configuring BizTalk Server must be a member of the following groups: SSO Administrators (only when configuring the master secret server); Windows administrator; SQL Server administrator; OLAP administrator.
*Running the admin stuff like BTSDeploy, deployment wizard and admin console requires only Biztalk Adminstrator group permission.
*The BizTalk Server Administrators group must be a member of the SSO Affiliate Administrators group account. The SSO Affiliate Administrators is a Domain Local group; all others are Global.