3662_plan and manage role based access control rbac
TRANSCRIPT
Design and Manage an Exchange Infrastructure: Plan and Manage Role Based Access Control (RBAC)
Plan and manage Role Based Access Control (RBAC)
This objective may include but is not limited to:
– Determine appropriate RBAC roles and cmdlets
– Limit administration using existing role groups
– Configure a custom-scoped role group
– Evaluate differences between RBAC and Active Directory split permissions
– Configure delegated setup
• Company: Micromanagement Moguls – they love being able to assist companies in breaking up responsibilities
• Problem: Unlike earlier versions of Exchange that used ACLs, role based control, although easy on the surface through the GUI, can become a bit more complicated at the PowerShell level
• Goal: To demonstrate how they can work with PowerShell to accomplish more detailed RBAC work
Scenario: Micromanagement Moguls
Prior to RBAC, permission configuration was handled through ACLs
RBAC is, at its core, a set of PowerShell cmdlets and parameters
Rather than having administrators deal with individual cmdlets, those cmdlets are grouped into roles, which are in turn organized into role groups
Role Based Access Control 101
Role Groups: There are 12 different built-in admin role groups
– Note: These role groups are also security groups in Active Directory
Roles: One or more roles are assigned to each role group
Roles are built from underlying cmdlets and parameters, but the EAC shows very little of that detail
– Assigning built-in role groups can all be done through the EAC
RBAC Defined Role Groups
Cmdlets that you will be using with RBAC include the following:
EMS Control of RBAC
Verbs                     Component                  Example
New/Get/Remove            ManagementRole             New-ManagementRole
Add/Get/Remove/Set        ManagementRoleEntry        Get-ManagementRoleEntry
Get/New/Remove/Set        RoleGroup                  Set-RoleGroup
Add/Get/Remove/Update     RoleGroupMember            Update-RoleGroupMember
Get/New/Remove/Set        RoleAssignmentPolicy       Remove-RoleAssignmentPolicy
Get/New/Remove/Set        ManagementRoleAssignment   Get-ManagementRoleAssignment
Get/New/Remove/Set        ManagementScope            New-ManagementScope
Note: You might enjoy using other tools to work with RBAC, like RBAC Manager from CodePlex (and you can see quite a bit of the underlying objects through ADSI Edit)
Let's pick a built-in role group like Public Folder Management, which contains only two assigned roles: Mail Enabled Public Folders and Public Folders
To get the list of management role entries for a role: Get-ManagementRoleEntry "<role name>\*" | fl Name
To get the list of parameters for a specific entry: (Get-ManagementRoleEntry "<role name>\Get-Mailbox").Parameters
To see which roles allow a certain cmdlet to run: Get-ManagementRoleEntry "*\New-MailboxImportRequest"
What’s in a Role?
First try to work with built-in role groups and roles
To create a new custom management role you need to start from an existing management role (which becomes the parent)
To create a new role based on "Mailbox Import Export": New-ManagementRole "Mailbox Import Only" -Parent "Mailbox Import Export"
To view the newly created role, which starts with the same role entries as its parent: Get-ManagementRoleEntry "Mailbox Import Only\*"
To remove the mailbox export cmdlets from the new role: Get-ManagementRoleEntry "Mailbox Import Only\*-MailboxExportRequest" | Remove-ManagementRoleEntry -Confirm:$false
Role Customization
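The child-role procedure above, carried through to a custom-scoped role group (the "Configure a custom-scoped role group" objective), as an added example that is not part of the course slides. The role name "Mailbox Import Only", the OU contoso.com/Sales, the scope "Sales Recipients", the role group "Sales Mailbox Importers", the admin "Alan Wright" and the choice of the IsArchive parameter are all assumed placeholders.

```powershell
# Added example, not from the course slides. Placeholders: child role
# "Mailbox Import Only", OU contoso.com/Sales, scope "Sales Recipients",
# role group "Sales Mailbox Importers", admin "Alan Wright".
# Run in the Exchange Management Shell as a member of Organization Management.

# 1. Child role: it starts with every role entry (cmdlet + parameters) of
#    the built-in parent. A child can only lose entries, never gain any
#    the parent does not already have.
New-ManagementRole -Name "Mailbox Import Only" -Parent "Mailbox Import Export"

# 2. Remove the export cmdlets so the role can bring PST data in but cannot
#    pull mailbox contents out.
Get-ManagementRoleEntry "Mailbox Import Only\*-MailboxExportRequest" |
    Remove-ManagementRoleEntry -Confirm:$false

# 3. Parameter-level trim (the "control to the parameter level" the Moguls
#    want): keep New-MailboxImportRequest but take away -IsArchive, so
#    imports can only target the primary mailbox. The parameter picked here
#    is illustrative.
Set-ManagementRoleEntry -Identity "Mailbox Import Only\New-MailboxImportRequest" `
    -Parameters IsArchive -RemoveParameter

# 4. Custom recipient write scope: limits where the role may write.
#    RecipientRestrictionFilter is required whenever RecipientRoot is used.
New-ManagementScope -Name "Sales Recipients" `
    -RecipientRoot "contoso.com/Sales" `
    -RecipientRestrictionFilter "RecipientType -eq 'UserMailbox'"

# 5. Role group tying role and scope together; membership grants the role,
#    and the group is also a security group in Active Directory.
New-RoleGroup -Name "Sales Mailbox Importers" `
    -Roles "Mailbox Import Only" `
    -CustomRecipientWriteScope "Sales Recipients" `
    -Members "Alan Wright"

# 6. Verify: the entries left on the role, and the scope on the assignment.
Get-ManagementRoleEntry "Mailbox Import Only\*" |
    Format-Table Name, Parameters -AutoSize
Get-ManagementRoleAssignment -RoleAssignee "Sales Mailbox Importers" |
    Format-List Role, RecipientWriteScope, CustomRecipientWriteScope
```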
You can use the EMS, the EAC, RBAC Manager, or add an account directly to the corresponding security group in AD to assign permissions
You can also assign a role directly to an administrator: New-ManagementRoleAssignment -User "Alan Wright" -Role "Mailbox Import Only"
Directly Assign Roles to Administrators
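Because a role can reach a person through a direct assignment, a role group, or a nested security group, the question "who can actually run this cmdlet?" is worth answering from the cmdlet side. The following audit helper is an added example, not part of the course; the function name Get-CmdletEffectiveUsers is assumed, and New-MailboxExportRequest is used only as the cmdlet being checked.

```powershell
# Added example, not from the course. Walks cmdlet -> roles -> assignments
# -> effective users so you can see who, in practice, can run a sensitive
# cmdlet, including people who inherit it through a role group or nested USG.
function Get-CmdletEffectiveUsers {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Cmdlet
    )
    # Every role that still carries an entry for this cmdlet
    $roles = Get-ManagementRoleEntry "*\$Cmdlet" |
        Select-Object -ExpandProperty Role -Unique
    foreach ($role in $roles) {
        # -GetEffectiveUsers expands role groups / security groups to people;
        # -Enabled $true skips assignments that have been disabled.
        Get-ManagementRoleAssignment -Role $role -GetEffectiveUsers -Enabled $true |
            Select-Object @{ n = 'Cmdlet'; e = { $Cmdlet } },
                          Role, EffectiveUserName, RoleAssigneeName,
                          AssignmentMethod, RecipientWriteScope,
                          CustomRecipientWriteScope
    }
}

# Who can export mailbox contents, and with what write scope?
Get-CmdletEffectiveUsers -Cmdlet 'New-MailboxExportRequest' |
    Sort-Object EffectiveUserName, Role |
    Format-Table -AutoSize
```

Comparing this output with the membership of the matching AD security groups catches accounts that were added through AD rather than through the Exchange tools.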
End-user roles are assigned to users through a role assignment policy
A mailbox can have only one role assignment policy applied
Default roles include:
– MyBaseOptions
– MyContactInformation
– MyVoiceMail
– MyTextMessaging
– MyDistributionGroupMembership
– MyMarketPlaceApps
– MyTeamMailboxes
User Roles
The default permissions model is called shared permissions: management of Exchange is not split, and the Exchange tools can be used to create security principals (such as user objects) in AD
In larger organizations there is a line between the administrators who handle Exchange and those who handle Active Directory; you can enforce this line with a split permissions model
A Split Permissions Model
The Delegated Setup management role group allows administrators to deploy Exchange 2013
Just because you can deploy Exchange doesn't mean you can manage the server (that requires membership in the Server Management role group)
Note: Provision a new server by using the command: setup /NewProvisionedServer:servername
Delegated Setup
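The delegated setup steps above end to end, with a check that the delegate received only what Delegated Setup grants, as an added example that is not from the course. The server name EX02 and the delegate "Dana Ruiz" are assumed placeholders; the /IAcceptExchangeServerLicenseTerms switch is required by Exchange 2013 setup even though the slide omits it.

```powershell
# Added example, not from the course. Placeholders: server EX02, delegate
# "Dana Ruiz". Steps 1 and 2 are run by an Organization Management member
# from the Exchange 2013 setup folder; step 3 is the verification.

# 1. Provision the server object in AD ahead of time. Without a provisioned
#    object a Delegated Setup member cannot install the server.
.\Setup.exe /NewProvisionedServer:EX02 /IAcceptExchangeServerLicenseTerms

# 2. Let the delegate run setup on that provisioned server.
Add-RoleGroupMember -Identity "Delegated Setup" -Member "Dana Ruiz"

# 3. Verify what the delegate actually holds now. Expected: only the roles
#    carried by the Delegated Setup role group; nothing from Server
#    Management, so the delegate can deploy but not administer the server.
Get-ManagementRoleAssignment -RoleAssignee "Dana Ruiz" -GetEffectiveUsers |
    Select-Object Role, RoleAssigneeName, AssignmentMethod |
    Format-Table -AutoSize

# 4. And the role group itself, to confirm nobody has widened it.
(Get-RoleGroup "Delegated Setup").Roles
Get-RoleGroupMember "Delegated Setup"
```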
We've recommended that they use the built-in role groups, but these folks are all about control down to the parameter level, so they are going to be making new "child" roles and new role groups
Their circumstances do not require a split permissions model, nor do they need to be concerned with delegated setup
Scenario: Micromanagement Moguls
Additional Research
• RBAC Manager R2 for Exchange 2010/2013/Office 365: http://rbac.codeplex.com/
• Understanding Split Permissions: http://technet.microsoft.com/en-us/library/dd638106(v=exchg.150).aspx
• Mastering Exchange 2013: http://www.amazon.com (search for "Mastering Exchange 2013")