I was talking to Saravana over drinks about a feature I would like to see in BizTalk 360 and thought I'd share it to see what people think.
The problem is that most customers of BTS360 have a load of users who log directly into the BizTalk server, and it's a bit of a culture change for them to have to stop doing this. When they start doing things in BizTalk 360 and find there is a task which can't be done in BTS360 and needs the user to access the server, they just do it, and there isn't really any auditing around this.
My suggestion was that all users should be completely removed from access to the BizTalk servers and removed from the BizTalk admin group. This means they cannot access the server directly and also cannot access BizTalk through the admin console.
When the BTS360 user has an action for which they need to use the BizTalk Admin console or the local server (e.g. a deployment), the user would use BTS360 to make a request for access. The user would indicate if they need just BTS Admin access or if they also need access to the servers. The user would also add a note to say what they are going to do, and a category so BTS360 can track the different reasons people are accessing the server (a bit like a Windows shutdown dialog). When the request is made, BTS360 would then interact with the local or Active Directory groups to add this user to the appropriate groups. The auditing feature of BTS360 would record the access request.
The user would then go and perform the activity they need to.
Once complete, the user would come back to BTS360 and mark that the access is no longer required, and BTS360 would then go and remove the user from the appropriate groups.
Additional features could also include:
- Something on the dashboard to indicate a user has access open (e.g. if a user forgot to revoke access when done)
- An email alert to the administrators group to tell others that someone has taken access and the reason why
- For larger teams possibly an approval step (maybe overkill)
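A minimal model of the request, audit and release flow described above, including the dashboard check for access left open. This is an added example, not BizTalk 360 code: the group names, the in-memory directory standing in for local or Active Directory group calls, and the four-hour "forgotten" threshold are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed group names; the post only refers to "the BizTalk admin group" and server access.
ADMIN_GROUP = "BizTalk Server Administrators"
SERVER_GROUP = "Remote Desktop Users"

class InMemoryDirectory:
    """Hypothetical stand-in for the local/AD group membership backend."""
    def __init__(self):
        self.members = {ADMIN_GROUP: set(), SERVER_GROUP: set()}
    def add(self, group, user): self.members[group].add(user)
    def remove(self, group, user): self.members[group].discard(user)

@dataclass
class AccessBroker:
    directory: InMemoryDirectory
    audit: list = field(default_factory=list)        # append-only audit trail
    open_grants: dict = field(default_factory=dict)  # user -> (groups, opened_at)

    def request(self, user, category, note, need_server, now):
        # Refuse requests that would leave the audit record without a reason.
        if not note.strip() or not category.strip():
            raise ValueError("a note and a category are required")
        if user in self.open_grants:
            raise ValueError(f"{user} already has access open")
        groups = [ADMIN_GROUP] + ([SERVER_GROUP] if need_server else [])
        for g in groups:
            self.directory.add(g, user)
        self.open_grants[user] = (groups, now)
        self.audit.append((now, "GRANT", user, tuple(groups), category, note))

    def release(self, user, now):
        # Remove exactly the memberships this request added, then audit it.
        groups, _ = self.open_grants.pop(user)
        for g in groups:
            self.directory.remove(g, user)
        self.audit.append((now, "REVOKE", user, tuple(groups), "", ""))

    def forgotten(self, now, max_age=timedelta(hours=4)):
        """Dashboard feed: users with access open longer than max_age (assumed)."""
        return sorted(u for u, (_, t) in self.open_grants.items() if now - t > max_age)

def demo():
    # Constructed scenario: alice releases her access, bob forgets to.
    t0 = datetime(2024, 1, 1, 9, 0)
    broker = AccessBroker(InMemoryDirectory())
    broker.request("alice", "Deployment", "Deploy orders app", True, t0)
    broker.request("bob", "Troubleshooting", "Check host instance", False, t0)
    broker.release("alice", t0 + timedelta(hours=1))
    return broker, broker.forgotten(t0 + timedelta(hours=6))
```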
I feel that this feature would be significant to getting support teams properly transitioned to the mature support and operations processes offered by BTS360, rather than continuing to use local logon and the admin console just because that's what they are used to.