- Create new management role:
To create a new management role you must be a member of the Organization Management role group (strictly, you need the Role Management role, which that group holds). New management roles are always derived from an existing role: when you create one, every role entry of the parent is copied into the child. You must therefore choose a parent that already contains all the cmdlets and parameters the new role needs, because entries the parent lacks can never be added to the child later; you can only remove entries. For example, if you want a role that contains only the Import-Mailbox cmdlet, start from the Mailbox Import Export role and then remove every cmdlet other than Import-Mailbox.
Example:
Use the following command to create a new role:
New-ManagementRole -Parent <existing role> -Name <your new role>
Scenario: Create a new role from the existing role "Mail Recipients" that contains only the view cmdlets (the Get-* cmdlets). The Mail Recipients role itself contains cmdlets of every kind: create (New-*), view (Get-*), modify (Set-*), test (Test-*) and so on, so everything except the Get-* entries has to be removed from the copy.
Step 1. Open the Exchange Management Shell and execute the cmdlet below:
New-ManagementRole -Parent "Mail Recipients" -Name "View Mail Recipients"
Hit Enter; the output lists the newly created role.
Step 2. After the role is created, Remove-ManagementRoleEntry is used together with Where-Object to remove all the management role entries that aren't needed on the role. You can't add role entries to the newly created role because it already has every role entry that exists on its parent role, Mail Recipients; you can only take entries away. Run the removal with the -WhatIf switch first to verify that only the intended role entries would be removed. To see which entries other than the Get-* cmdlets would go, execute:
Get-ManagementRoleEntry "View Mail Recipients\*" | Where { $_.Name -NotLike "Get*" } | Remove-ManagementRoleEntry -WhatIf
The command lists every entry that would be deleted from the newly created role without actually changing anything.
Step 3. Now run the same command without the -WhatIf switch:
Get-ManagementRoleEntry "View Mail Recipients\*" | Where { $_.Name -NotLike "Get*" } | Remove-ManagementRoleEntry
This asks for confirmation before the management role entries are removed. Press A (Yes to All) and hit Enter. We have now created a management role with only view permissions on mail recipients. Before using it in role assignments, list the role's entries again (see the last section below) and confirm that every remaining entry starts with Get-.
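The whole procedure as one script, added here as an example and not part of the original post. It assumes an Exchange 2010 Management Shell session with the Role Management role, and the role group name "Help Desk" used for the final assignment is an assumed placeholder. It goes slightly beyond the steps above by verifying the result before assigning the role and by creating the assignment, without which the role grants nothing.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell
# as a member of Organization Management (or any group holding the Role Management role).
$parent = "Mail Recipients"
$role   = "View Mail Recipients"
$group  = "Help Desk"          # assumed placeholder: the role group (or USG) to receive the role

# 1. Clone the parent. The child starts with every role entry the parent has,
#    and can never gain entries the parent lacks; it can only lose them.
New-ManagementRole -Parent $parent -Name $role

# 2. Preview. -WhatIf reports what would be removed and changes nothing.
#    "Get-*" is stricter than the post's "Get*": it keeps only real Get- cmdlets.
Get-ManagementRoleEntry "$role\*" |
    Where-Object { $_.Name -notlike "Get-*" } |
    Remove-ManagementRoleEntry -WhatIf

# 3. Remove. -Confirm:$false replaces the interactive "A" (Yes to All) answer.
Get-ManagementRoleEntry "$role\*" |
    Where-Object { $_.Name -notlike "Get-*" } |
    Remove-ManagementRoleEntry -Confirm:$false

# 4. Verify before assigning: the role must contain nothing but Get-* entries.
$leftover = @(Get-ManagementRoleEntry "$role\*" | Where-Object { $_.Name -notlike "Get-*" })
if ($leftover.Count -ne 0) {
    $names = ($leftover | ForEach-Object { $_.Name }) -join ", "
    throw "Role '$role' still contains non-Get entries: $names"
}
$total = @(Get-ManagementRoleEntry "$role\*").Count
Write-Host ("{0} contains {1} Get-* role entries" -f $role, $total)

# 5. Assign the role. A role with no assignment grants nobody anything; the
#    assignment (not the role) is also where a write/recipient scope would be set.
New-ManagementRoleAssignment -Name "$role-$group" -Role $role -SecurityGroup $group
```

Step 4 matters because the filter is applied blindly: if the pipeline in step 3 is interrupted or a typo in the pattern keeps a Set-* or Remove-* entry, assigning the role would hand out more than view rights. Use -User instead of -SecurityGroup to assign the role to a single account.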
The sections below explain how to view the list of role entries on a management role and the list of roles that contain a specific role entry.
- How to view the list of Management Roles that contain a specific Role Entry
A role entry is identified as <Management Role>\<cmdlet>, so to list the roles that contain a specific cmdlet, wildcard the role part:
Syntax: Get-ManagementRoleEntry *\<cmdlet name>
Example: Get-ManagementRoleEntry *\Get-Mailbox
In some cases we need to see a list of similar cmdlets, for example every role that contains cmdlets related to mailbox administration. Use a wildcard in the cmdlet part as well:
Syntax: Get-ManagementRoleEntry *\<*partial cmdlet name*>
Example: Get-ManagementRoleEntry *\*Mailbox* (execute it and view the result).
This section helps you find the list of cmdlets inside a specific role; let us take the newly created role View Mail Recipients as the example.
Syntax: Get-ManagementRoleEntry "<Management Role>\*"
Example: Get-ManagementRoleEntry "View Mail Recipients\*"
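Knowing which roles contain a cmdlet is only half of an audit; what a practitioner usually wants is who can actually run it. The following function, added here as an example and not part of the original post, combines the role-entry lookup above with Get-ManagementRoleAssignment to report every role group, policy or user that is assigned a role containing the cmdlet. It assumes an Exchange 2010 Management Shell session that can read the RBAC configuration; the cmdlet name passed in is just the post's Get-Mailbox example.

```powershell
# Added example (not from the original post). Lists the roles that contain a
# cmdlet and every assignee (role group, policy or user) that holds those roles.
function Get-CmdletAssignees {
    param(
        # Cmdlet name; wildcards are allowed, e.g. "*Mailbox*" as in the post.
        [Parameter(Mandatory = $true)][string]$Cmdlet
    )
    # Role entries are addressed as "<Role>\<Cmdlet>"; wildcard the role part.
    $entries = Get-ManagementRoleEntry "*\$Cmdlet"
    foreach ($entry in $entries) {
        # One assignment object per role group / policy / user that holds the role.
        $assignments = Get-ManagementRoleAssignment -Role $entry.Role
        foreach ($a in $assignments) {
            New-Object PSObject -Property @{
                Cmdlet       = $entry.Name
                Role         = "$($entry.Role)"
                Assignee     = $a.RoleAssigneeName
                AssigneeType = $a.RoleAssigneeType
                Enabled      = $a.Enabled   # disabled assignments grant nothing
            }
        }
    }
}

# Who can run Get-Mailbox, grouped by role and assignee:
Get-CmdletAssignees -Cmdlet "Get-Mailbox" |
    Sort-Object Role, Assignee |
    Format-Table Cmdlet, Role, Assignee, AssigneeType, Enabled -AutoSize
```

Run it against a sensitive cmdlet (for example the one in the Mailbox Import Export role) to see which role groups can export mailbox content; an assignee that appears there without a business reason is a finding. The list shows role assignments, not effective membership, so a role group's members still have to be checked with Get-RoleGroupMember.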
To know more about the Exchange 2010 RBAC, read Role Based Access Control
Did you feel comfortable with Exchange RBAC? Want more?
-Praveen (http://www.exchangedictionary.com)