This blog is a part of the series of blog articles we are publishing on the topic “Why we built XYZ feature in BizTalk360”. Read the main article here.
Why do we need this feature?
In the previous article “Why did we built User Access Policy to Manage BizTalk Server Security?”, we looked at the importance of securing the BizTalk Server environments, what are the limitations of existing security mechanisms in BizTalk Server and how BizTalk360 User Access Policy mechanism helps to address the gaps. The other important aspect that’s more closely related to security is the governance & auditing.
In a nutshell, Governance and Auditing simply means recording all the activities performed by a BizTalk Administrator or Operations person in your BizTalk Server environments. Auditing is such a crucial part for any enterprise software. Let’s take some example scenarios and see how the impact of such activities can cause huge business disruption.
Let’s imagine you have an integration scenario picking up purchase orders from a FTP location, processing it via a BizTalk Orchestration and finally sending it to the SAP system. In this simplest scenario, a BizTalk Administrator can potentially do the following 5 activities intentionally or accidentally —
- Disabling the BizTalk FTP Receive Location
- Unenlisting the BizTalk Orchestration
- Stopping the BizTalk SAP Send Port
- Stopping the Host Instances that run receive location, send port and orchestration
- Terminate a BizTalk Service Instance that’s processing the purchase order
Any one of the above activity would have resulted in a business impact of not processing that purchase order.
When such incidents happen, you must have the system in place to look at the audit logs and see who actually performed such activity and take necessary steps. In critical industries like Healthcare and Financial institutions, Auditing and Governance are mandatory and governed by industry bodies like SOX and HIPAA.
What is the current limitation in BizTalk Server?
The standard BizTalk Server Admin console doesn’t come with any in-built auditing capabilities for user activities. Once someone has access to BizTalk Admin Console (i.e pretty much your entire BizTalk support team), they are free to perform any activities without a trace.
As mentioned in the previous section, pretty much every single activity the BizTalk Server administrator or support person performs in a controlled environment like Production will have significant consequences.
It’s a very common scenario in large teams for no one taking the blame when things go wrong. Question like “Do you know who stopped that host instance?” are common. The difficult part is you probably don’t know how long that particular host instance was in stopped state, since you don’t have the audit trace.
How does BizTalk360 solve this problem?
Once we built the web based BizTalk Server Admin console, the first top most priority we addressed in the product is sorting out the Security and Audit capabilities for administrative activities. As you can see from the below picture, all the actions performed by the BizTalk Administrators are logged/audited.
The actions could be something related to BizTalk Applications like starting/stopping Receive Locations, Send Port, Orchestration, it could be related BizTalk Host Instance like starting/stopping host instances, Service Instance activities like terminating, resuming, suspending, ESB management activities like resubmitting messages, and so on.
For every new feature we add to BizTalk360, we make sure auditing capabilities are also taken care of. The organisations can keep the audit data for however long they want based on their corporate policy; you can easily configure the data retention period in BizTalk360.
In order for us to build a system that’s capable of auditing user activities, we need to make sure BizTalk Administrators can use BizTalk360 instead of the standard BizTalk Admin console, that means covering each and every feature that’s available in BizTalk Admin Console needs a counter part in BizTalk360. Apart from deployment and configuration changes (ex: changing the password of FTP receive location), BizTalk Administrators can perform every activity in BizTalk360 that can be performed in the standard BizTalk Admin Console.
Can we audit user activities if it’s performed via BizTalk Admin Console?
This is one of the common questions we receive when we talk about Governance and Auditing. Unfortunately we cannot capture activities that’s performed outside BizTalk360. The idea is you restrict access to standard BizTalk Admin Console to very few people (super users) and force majority of the people to use BizTalk360 for controlled environments.
Get started with a Free Trial today!
Download and try BizTalk360 on your own environments free for 30 days. Installation will not take more than 5-10 minutes.