Microsoft Provisioning System (MPS) provisioning components use a variety of security identities, groups, and roles to implement security. This section describes MPS security components for user accounts, security groups, and roles.

User Accounts

The following MPS security components are related to user accounts. These accounts are automatically created when you deploy MPS with the MPS Deployment Tool:

  • MPFClientAcct - This account only has a few permissions. Most important among these is the ability to submit requests to MPS with caller's credentials. MPFClientAcct is a member of the MPFClientAccts group.
  • MPFServiceAcct - The system services for MPS run under this account. All requests automatically inherit the security permissions of the MPFServiceAcct, which is the default service account for provisioning services.
  • MPSPlansAcct - This account is a domain account that belongs to the Domain Users and MPSPlansAccts security groups. It is used to control access to the Customer Plan database.
  • MPSPrivAcct-xxxxxx - This account name has a randomly generated six-digit suffix and a randomly generated password. This user is added as a member of the MPSFrontPageAccts group in order to grant sufficient permissions to perform provisioning operations.

Security Groups

The following MPS security components are related to security groups.

  • MPFClientAccts - By default, MPFClientAcct is the only member of this group. Other members can be added, which can be desirable if client-side services sending MPS requests must run under other accounts for security reasons.
  • MPSPlansAccts - This security group is used to grant limited access to the Customer Plan database. This group is added as a SQL Server logon to the server hosting the plan database. This logon is then added to the HECustomerRole database role.

Security Roles

The following MPS security components are related to roles:

  • HECustomerRole - This SQL Database Role is granted execute privileges on the Customer Service Plan database stored procedures. The MPSPlansAccts security group is a member of this role in Microsoft hosting solution deployments.
  • OrgCreators - This is an MPS role implemented by the MPS Managed Namespaces. This role provides the caller with permissions to create, delete, and modify organizations and users in an organization. A caller will have this authorization for myOrganization if the caller is a member of any of Admins@Hosting, Admins@myParentOrganization, or CSRAdmins@myParentOrganization, where myParentOrganization is the parent of myOrganization.
  • UserCreators - This is an MPS role implemented by the MPS Managed Namespaces. This role provides the caller with permissions to create and delete users within an organization. A caller will have this authorization for myOrganization if the caller is a member of any of Admins@myOrganization, Admins@Hosting, Admins@myParentOrganization, or CSRAdmins@myParentOrganization, where myParentOrganization is the parent of myOrganization.

Security and Named Procedures

The named procedures for objects with fully implemented Microsoft Windows Server 2003 or Windows Server 2008 security can implement security properly by simply attempting to manipulate the object with the caller as the security identity. If the caller has permissions on the object, the call will succeed. If not, the call will fail due to security restrictions.

However, this straightforward process will not work for objects that cannot use Windows Server 2003 or Windows Server 2008 security or for objects that only partially implement Windows Server 2003 or Windows Server 2008 security. Procedures that manipulate these objects therefore perform explicit permissions checking to ensure that the caller is authorized to perform the requested operation.

There are two categories of authorization for which named procedures test, as follows:

  • OrgCreators
  • UserCreators

These authorizations are implemented using Active Directory objects, but they are not themselves Active Directory objects or any other kind of object. They exist only as programming constructs within the named procedures.
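The following is an added example, not MPS code, that models the OrgCreators and UserCreators rules from the Security Roles section as the kind of explicit authorization check a named procedure performs for objects that do not fully implement Windows security. The organization hierarchy (Hosting, ResellerA, CustomerX), the in-memory user store, and the treatment of the root organization Hosting as having no parent are assumptions made for the example.

```python
from typing import Dict, Optional, Set

# Constructed sample hierarchy: child -> parent. "Hosting" is the root and
# has no parent, so only Admins@Hosting can act on it (assumption).
PARENT_OF: Dict[str, Optional[str]] = {
    "Hosting": None,
    "ResellerA": "Hosting",
    "CustomerX": "ResellerA",
}

HOSTING_ORG = "Hosting"  # taken from the Admins@Hosting group name on the page


def _group(role: str, org: str) -> str:
    """Build a group name in the Role@Organization form used by MPS."""
    return f"{role}@{org}"


def is_org_creator(caller_groups: Set[str], org: str,
                   parent_of: Dict[str, Optional[str]] = PARENT_OF) -> bool:
    """OrgCreators for `org`: Admins@Hosting, Admins@parent or CSRAdmins@parent."""
    allowed = {_group("Admins", HOSTING_ORG)}
    parent = parent_of.get(org)
    if parent is not None:
        allowed.add(_group("Admins", parent))
        allowed.add(_group("CSRAdmins", parent))
    return bool(caller_groups & allowed)


def is_user_creator(caller_groups: Set[str], org: str,
                    parent_of: Dict[str, Optional[str]] = PARENT_OF) -> bool:
    """UserCreators for `org`: Admins@org, plus everything OrgCreators allows."""
    if _group("Admins", org) in caller_groups:
        return True
    return is_org_creator(caller_groups, org, parent_of)


def create_user(caller_groups: Set[str], org: str, user: str,
                store: Dict[str, Set[str]],
                parent_of: Dict[str, Optional[str]] = PARENT_OF) -> bool:
    """Named-procedure style: check authorization explicitly before acting.

    Unlike an object with full Windows security, the store cannot enforce
    permissions itself, so the procedure must refuse unauthorized callers.
    """
    if not is_user_creator(caller_groups, org, parent_of):
        raise PermissionError(f"caller is not a UserCreator for {org}")
    store.setdefault(org, set()).add(user)
    return True
```

The checks run against the caller's identity rather than the service account, which is the point of the explicit test: a request that inherits MPFServiceAcct's permissions would otherwise succeed regardless of who submitted it.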