Active Directory security groups

AD security groups must be Universal if more than one trusted domain is involved, but can be Universal or Global if only one domain is involved. If your AD domain functional level is Windows 2000 server mixed mode then the AD security groups must be domain Global.

Shopping Console Access groups

Three separate AD groups are required to enable access to the Shopping Admin Console and optionally support the Shopping Console node security feature.

  • Shopping Full Database Admin Access (SHOPPINGCONSOLEADMINUSERS)

  • Shopping Configuration Manager Database Access (SHOPPINGCONSOLESMSUSERS)

  • Shopping Limited Database Admin Access (SHOPPINGCONSOLEUSERS)

You cannot use the same group to serve all three roles; each role must be handled by its own separate group. Any attempt to use the same group for more than one role will result in the installation failing with database errors and rolling back.

The Shopping Console node security feature is enabled by default, but can be disabled in the Shopping Console settings panel. If the Shopping Admin Console Node Security feature is to be used, then the Shopping Full Database Admin Access (SHOPPINGCONSOLEADMINUSERS) group must have Modify permissions in Active Directory to manage membership of itself and the other two Shopping Access groups in the table below. You can permission each group, or permission an OU which contains the groups.

If the Shopping Console node security feature is not used, then the groups should have the following membership. The names in brackets are the Shopping Central installer properties, which are referenced elsewhere in this documentation.

Shopping Full Database Admin Access (SHOPPINGCONSOLEADMINUSERS)

  Members:
  • Shopping Administrators (ADMINACCOUNT)

  Member of:
  • None

  Notes:
  • Used to grant access to the Shopping database.
  • If the Shopping Admin Console Node Security feature is to be used, then this group must have Modify permissions in AD, on itself, and the other two Shopping Console Access groups. This allows members of this group to add other administrators and configure their security rights in the Shopping Admin Console.

Shopping Configuration Manager Database Access (SHOPPINGCONSOLESMSUSERS)

  Members:
  • Shopping Administrators (ADMINACCOUNT)
  • Shopping Central service account (SVCUSER)

  Member of:
  • None

  Notes:
  • Used to grant access to the Configuration Manager database.
  • This group requires db_datareader rights on the Configuration Manager database. If the Shopping Central installer account has rights to the Configuration Manager database, then it will grant rights to this group during installation.

Shopping Limited Database Admin Access (SHOPPINGCONSOLEUSERS)

  Members:
  • None

  Member of:
  • None

  Notes:
  • Required for installation, but only used if the Shopping Console node security feature is used.

Shopping Administrator groups

These are accounts or groups that have administrator rights in the Shopping Admin Console and web portal.

In addition to the Shopping Access groups, you need three further role-based security groups. Shopping allows these groups to be specified as individual domain user accounts, but then only those users are administrators, and additional user accounts must be managed using the Shopping Admin Console Node Security. If your organization prefers to manage access rights through AD or another identity management system, then you should use groups and disable the Shopping Admin Console Security feature.

Shopping Administrators (ADMINACCOUNT)

  Member of:
  • Shopping Full Database Admin Access (SHOPPINGCONSOLEADMINUSERS)
  • Shopping Configuration Manager Database Access (SHOPPINGCONSOLESMSUSERS)

  Notes:
  • This account/group contains the user accounts of Shopping administrators responsible for Applications in the Shopping Console and the Administration tab in the Shopping Web portal.
  • This account/group has full rights to all features in the Shopping Admin Console.
  • This account/group and any members must be email enabled. The Shopping Central installer will use this email address as the mail-from address used by Shopping Central when it sends emails to users and administrators. This Admin Email address can be changed later in the Shopping Admin Console.
  • If the Shopping Admin Console Node Security feature is used, then this account/group can add other administrators and configure their security rights in the Shopping Admin Console.
  • If the Shopping Central installation account has modify or write permissions on the Shopping Console Access groups, then the installer will automatically add this account/group as a member of the two Access groups during installation; otherwise this account/group will need to be added to the Console groups prior to installation.
  • The name of this account/group cannot be changed after installation.

Reporting Managers (REPORTSACCOUNT)

  Members:
  • Individual user accounts and groups

  Member of:
  • None

  Notes:
  • Can run reports from the Shopping Web portal.
  • Does not need to be email enabled.
  • The name of this account/group can be changed after installation.

Licensing Managers (LICENSEMGRACCOUNT)

  Members:
  • Individual user accounts and groups

  Member of:
  • None

  Notes:
  • Gets email notifications when license thresholds and maximum counts are exceeded.
  • This account/group and any members must be email enabled.
  • The name of this account/group can be changed after installation.

As Shopping makes extensive use of automated email processing, the accounts and groups must have email addresses defined in AD. Where groups are used, the member accounts must also have email addresses defined in AD.

When configuring an AD security group to have an email address, this does not mean it has to be changed to a Distribution group type; it must remain as a Security group type.

Shopping Receiver Account group

During a Shopping Central installation, you must provide details for a Receiver Account. Instead of specifying an account, we recommend you specify an AD Security group, which contains individual Receiver service accounts. See Shopping Receiver service account.

Active Directory Server

During a Shopping Central installation, you must provide details for an Active Directory Server. This can be an AD domain controller or an actual domain name. By default, Shopping performs AD queries using the global catalog, in which case you can specify the Active Directory Server as the domain name or nominate a domain controller server that is a global catalog server.

If the global catalog is not available or not required (for example, in a single domain environment) then select a domain controller with the primary domain controller (PDC) emulator FSMO role if it is well connected. The PDC emulator is the preferred domain controller because it manages account and group changes for the domain. If the PDC emulator role is transferred, then update the Shopping Central installer properties setting in the Admin Console settings.

Groups and Organisational Units

Shopping does not support mixed-domain AD Groups, i.e. AD Groups in one domain that contain AD users, computers or groups from another domain. To use AD Groups with Shopping, ensure that each Group and the objects it contains belong to the same domain. Nested OUs, up to 5 levels deep, are supported, but Shopping does not support Groups within OUs.
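
The group rules on this page (three separate Console Access groups, Security type with Universal or Global scope, mail-enabled administrator and licensing groups, no mixed-domain membership) can be checked before the installer is run. The following PowerShell is an added example, not part of Shopping or its documentation. Test-ShoppingGroupPlan, New-SampleGroup, the group names and the corp.example domain are hypothetical, every role is assumed to be a group, and the input is constructed in the shape you would assemble from Get-ADGroup and Get-ADObject with -Properties mail.

```powershell
# Added example: input objects are shaped like data assembled from Get-ADGroup / Get-ADObject.
# The sample data at the bottom is constructed, so this runs without a domain.
function Get-DomainFromDN([string]$DN) {
    # 'CN=x,OU=y,DC=corp,DC=example' -> 'corp.example'
    (($DN -split ',') -match '^DC=' | ForEach-Object { $_.Substring(3) }) -join '.'
}
function Test-ShoppingGroupPlan {
    param([System.Collections.IDictionary]$Plan, [switch]$MultiDomain)
    $access   = 'SHOPPINGCONSOLEADMINUSERS', 'SHOPPINGCONSOLESMSUSERS', 'SHOPPINGCONSOLEUSERS'
    $needMail = 'ADMINACCOUNT', 'LICENSEMGRACCOUNT'
    $scopes   = if ($MultiDomain) { @('Universal') } else { 'Universal', 'Global' }
    $findings = @()
    # The three Console Access properties must name three different groups.
    $dns = $access | ForEach-Object { $Plan[$_].DistinguishedName }
    if (@($dns | Sort-Object -Unique).Count -ne 3) { $findings += 'Console Access roles must use three separate groups' }
    foreach ($prop in $Plan.Keys) {
        $g = $Plan[$prop]
        $domain = Get-DomainFromDN $g.DistinguishedName
        # A mail address is fine, but the group type must remain Security.
        if ("$($g.GroupCategory)" -ne 'Security') { $findings += "${prop}: not a Security group" }
        if ("$($g.GroupScope)" -notin $scopes) { $findings += "${prop}: scope $($g.GroupScope) not allowed" }
        if ($prop -in $needMail -and -not $g.mail) { $findings += "${prop}: group has no mail address" }
        foreach ($m in $g.Members) {
            $dn = $m.DistinguishedName
            # Mixed-domain groups are not supported; mail-enabled roles need mail on every member.
            if ((Get-DomainFromDN $dn) -ne $domain) { $findings += "${prop}: member $dn is in another domain" }
            if ($prop -in $needMail -and -not $m.mail) { $findings += "${prop}: member $dn has no mail address" }
        }
    }
    $findings
}
# Constructed sample plan: hypothetical names in a hypothetical corp.example forest.
$alice = [pscustomobject]@{ DistinguishedName = 'CN=alice,OU=Staff,DC=corp,DC=example'; mail = 'alice@corp.example' }
$bob   = [pscustomobject]@{ DistinguishedName = 'CN=bob,OU=Staff,DC=emea,DC=corp,DC=example'; mail = $null }
function New-SampleGroup($Name, $Mail, $Members = @()) {
    [pscustomobject]@{ DistinguishedName = "CN=$Name,OU=Shopping,DC=corp,DC=example"; mail = $Mail
                       GroupCategory = 'Security'; GroupScope = 'Global'; Members = $Members }
}
$full = New-SampleGroup 'Shopping-FullAdmin'
$plan = [ordered]@{
    SHOPPINGCONSOLEADMINUSERS = $full
    SHOPPINGCONSOLESMSUSERS   = (New-SampleGroup 'Shopping-CMAccess')
    SHOPPINGCONSOLEUSERS      = $full   # deliberate mistake: one group reused for two roles
    ADMINACCOUNT              = (New-SampleGroup 'Shopping-Admins' 'shopping@corp.example' @($alice, $bob))
}
Test-ShoppingGroupPlan -Plan $plan
```

Pass -MultiDomain when more than one trusted domain is involved, which narrows the accepted scope to Universal. The Windows 2000 mixed mode case (Global only) is not covered by this check.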