In this post we will see a scenario where customers who use Microsoft BizTalk Server can maximize their investment by reusing the environment for multiple business units/departments or projects, taking advantage of BizTalk 360 fine-grained authorization.
Scenario: Let us take a scenario where Woodgrove bank has made a huge investment in Microsoft BizTalk Server and has 3 core mission-critical applications, “Loan Processing”, “Mortgage Processing”, and “Personal Account”, deployed in its environment as shown below.
After a while there is a new requirement to build 2 new BizTalk applications to deal with “Business Accounts” and “Credit Card Processing”. The challenge is that these two applications will be developed and supported by a completely different business unit (the Business accounts department). The bank is also aware that the new applications are NOT high volume, and that the current production environments are capable of taking the additional load.
Their biggest concern is supporting the applications while making sure business units are not interfering with each other or seeing each other's data.
Here are the challenges and options the bank faces:
1. The simplest option is to build a brand new environment for the business accounts department to deploy these new applications. This solves the problem, but it comes with additional cost and the overhead of managing additional environments.
2. Take the risk and deploy all the applications in the same environment and hope your support staff will behave nicely.
BizTalk 360 to the rescue:
BizTalk 360 tries to address this problem seamlessly by providing a fine-grained authorization module. It allows administrators to set up customized user access policies as shown below.
You deploy all the applications in a single BizTalk environment (provided you have spare capacity, or you know the applications will be used at different times of business, etc.) and set the user access policy appropriately. In this scenario the administrator gives users the appropriate application rights based on their business units/departments as shown above. In addition, the administrator can set other access rights (access to BAM, EventViewer, Global Query, etc.), making it really powerful. If required, the administrator can give certain users READ-ONLY access to the applications.
The administrator can view all the user access policies for the environment at any time via the admin module, as shown below.
The administrator will be able to view all the applications deployed in the environment. He/she can query against instances across all the deployed BizTalk applications as shown below.
Users from Business Unit 1 (Ex: Personal Account):
Users from the personal accounts department will only be able to see applications related to them. In this case that is “Loan Processing”, “Mortgage Processing” and “Personal Account”.
Users from Business Unit 2 (Ex: Business Account):
Users from the business accounts department will only be able to see applications related to them. In this case that is “Business Account” and “Credit Card Processing”.
Instances restricted at application level
Once the user access policy is set up, users will be able to query instances (running, suspended, etc.) only at application level. They won’t be able to see instances of applications they don’t have access to.
In the screenshot below you can see the query instance module restricted to the “Loan Processing” application.
Note: BizTalk 360 is a web-based (RIA) application, built using Microsoft Silverlight. The above screens are accessible via a browser. There is no need to install anything on the client PC except Microsoft Silverlight.