3662_plan and manage role based access control rbac


Upload: david-hung-nguyen

Post on 02-May-2017


Page 1: 3662_Plan and Manage Role Based Access Control RBAC

Design and Manage an Exchange Infrastructure: Plan and Manage Role Based Access Control (RBAC)

Plan and manage Role Based Access Control (RBAC)

This objective may include but is not limited to:

– Determine appropriate RBAC roles and cmdlets

– Limit administration using existing role groups

– Configure a custom-scoped role group

– Evaluate differences between RBAC and Active Directory split permissions

– Configure delegated setup

Scenario: Micromanagement Moguls

• Company: Micromanagement Moguls

– They love being able to assist companies in breaking up responsibilities

• Problem:

– Unlike earlier versions of Exchange that used ACLs, role based control, although easy on the surface through the GUI, can become a bit more complicated at the PowerShell level

• Goal:

– To demonstrate how they can work with PowerShell to accomplish more detailed RBAC work

Page 2

Role Based Access Control 101

Prior to RBAC, permission configuration was handled through ACLs

RBAC is actually, at the core, PowerShell cmdlets and parameters

Rather than having administrators concerned with cmdlets, those cmdlets are grouped into roles, which are organized into role groups

RBAC Defined Role Groups

Role Groups: There are 12 different built-in admin role groups

– Note: These role groups are also security groups in Active Directory

Roles: One or more roles are assigned to each role group

Roles have underlying cmdlets and parameters, but the EAC doesn't show you too much

– Assigning built-in role groups can all be done through the EAC

EMS Control of RBAC

Cmdlets that you will be using with RBAC include the following:

Verbs                    Component                  Example
New/Get/Remove           ManagementRole             New-ManagementRole
Add/Get/Remove/Set       ManagementRoleEntry        Get-ManagementRoleEntry
Get/New/Remove/Set       RoleGroup                  Set-RoleGroup
Add/Get/Remove/Update    RoleGroupMember            Update-RoleGroupMember
Get/New/Remove/Set       RoleAssignmentPolicy       Remove-RoleAssignmentPolicy
Get/New/Remove/Set       ManagementRoleAssignment   Get-ManagementRoleAssignment
Get/New/Remove/Set       ManagementScope            New-ManagementScope

Note: You might enjoy using other tools to work with RBAC, like the RBAC Manager from CodePlex (and you can see quite a bit through ADSI Edit)

Page 3

What's in a Role?

Let's pick a built-in role group like Public Folder Management, which contains only two assigned roles: Mail Enabled Public Folders and Public Folders

To get the list of management role entries use: Get-ManagementRoleEntry "<role name>\*" | fl name

To get the list of parameters for a specific entry: (Get-ManagementRoleEntry "<role name>\get-mailbox").parameters

To see which roles allow certain cmdlets to run: Get-ManagementRoleEntry "*\New-MailboxImportRequest"

Role Customization

First try to work with built-in role groups and roles

To create a new custom management role you need to start with an existing management role (which is the parent)

To create a new role based on the "Mailbox Import Export" role: New-ManagementRole "Mailbox Import Only" -Parent "Mailbox Import Export"

To view the newly created role, which has the same role entries as the parent: Get-ManagementRoleEntry "Mailbox Import Only\*"

To remove the Mailbox Export Request entries: Get-ManagementRoleEntry "Mailbox Import Only\*-MailboxExportRequest" | Remove-ManagementRoleEntry -Confirm:$false

Directly Assign Roles to Administrators

You can use the EMS, EAC, RBAC Manager, or add an account directly to a security group in AD to assign permission

You can also directly assign roles to administrators: New-ManagementRoleAssignment -User "Alan Wright" -Role "Mailbox Import Only"

Page 4

User Roles

Assigned to users using a role assignment policy

Mailboxes can only have one policy applied

Default roles include:

– MyBaseOptions

– MyContactInformation

– MyVoiceMail

– MyTextMessaging

– MyDistributionGroupMembership

– MyMarketPlaceApps

– MyTeamMailboxes

A Split Permissions Model

The default permissions model is called shared permissions, where management of Exchange is not split and you can use the Exchange tools to create security principals (like user objects) in AD

In larger organizations there is a line between administrators that handle Exchange and those that handle Active Directory, and you can implement this using a split permissions model

A Split Permissions Model (cont.)

Page 5

Delegated Setup

The Delegated Setup management role group allows administrators to deploy Exchange 2013

Just because you can deploy Exchange doesn't mean you can manage the server (that requires you to be part of the Server Management role group)

Note: Provision a new server by using the command:

setup /NewProvisionedServer:servername

Scenario: Micromanagement Moguls

We've recommended they use built-in role groups, but these folks are all about control down to the parameter level, so they are going to be making new "child" roles and new role groups

Their circumstances do not require a split permissions model, nor do they need to be concerned with delegated setup
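The scenario above (child roles trimmed down to the parameter level plus a new, scoped role group) and the Role Customization commands from page 3, carried through end to end as an added example that is not part of the original deck. It assumes an Exchange Management Shell session run by a member of Organization Management, a hypothetical OU "contoso.com/Sales", a hypothetical recipient "hr.user@contoso.com" outside that OU, and the "Alan Wright" admin account the deck uses.

```powershell
# Added example, not from the original deck. Assumes an Exchange Management Shell
# session run by an Organization Management member, a hypothetical OU
# "contoso.com/Sales", and the admin account "Alan Wright" used on the page.

# 1. Child role: a custom role is always derived from a parent and can only hold
#    a subset of the parent's role entries, so start from the built-in role and
#    remove what the new role must not have (the export cmdlets).
New-ManagementRole -Name "Mailbox Import Only" -Parent "Mailbox Import Export"
Get-ManagementRoleEntry "Mailbox Import Only\*-MailboxExportRequest" |
    Remove-ManagementRoleEntry -Confirm:$false

# 2. Parameter-level control: keep New-MailboxImportRequest in the role but strip
#    one parameter from it. Role members can still run the cmdlet; the removed
#    parameter is simply no longer available to them.
Set-ManagementRoleEntry "Mailbox Import Only\New-MailboxImportRequest" `
    -Parameters BatchName -RemoveParameter

# 3. Custom scope: a management scope limits which recipient objects the role may
#    write to. This one covers only user mailboxes under the (hypothetical) Sales OU.
New-ManagementScope -Name "Sales Mailboxes" `
    -RecipientRoot "contoso.com/Sales" `
    -RecipientRestrictionFilter { RecipientType -eq "UserMailbox" }

# 4. Role group: bind the trimmed role to the scope and add the delegated admin.
#    As page 2 notes, the group is also created as a security group in AD.
New-RoleGroup -Name "Sales Mailbox Importers" `
    -Roles "Mailbox Import Only" `
    -CustomRecipientWriteScope "Sales Mailboxes" `
    -Members "Alan Wright"

# 5. Verify what was actually delegated instead of trusting the EAC summary:
#    the remaining role entries with their parameters ...
Get-ManagementRoleEntry "Mailbox Import Only\*" |
    Format-Table Name, Parameters -AutoSize

#    ... and the assignment together with its write scope.
Get-ManagementRoleAssignment -RoleAssignee "Sales Mailbox Importers" |
    Format-List Role, RoleAssigneeType, RecipientWriteScope, CustomRecipientWriteScope

# 6. Confirm the scope is enforced: ask which assignments can write to a recipient
#    outside the Sales OU (hypothetical address). Filtering on the new group must
#    return nothing; if it does return a row, the scope is not doing its job.
Get-ManagementRoleAssignment -WritableRecipient "hr.user@contoso.com" -GetEffectiveUsers |
    Where-Object { $_.RoleAssigneeName -eq "Sales Mailbox Importers" }
```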

Additional Research

• RBAC Manager R2 for Exchange 2010/2013/Office 365: http://rbac.codeplex.com/

• Understanding Split Permissions: http://technet.microsoft.com/en-us/library/dd638106(v=exchg.150).aspx

• Mastering Exchange 2013: http://www.amazon.com, search for "Mastering Exchange 2013"