Monday, 21 June 2010 11:46

Create New Management Role - RBAC

Written by
The management role contains a list of role entries or cmdlets grouped together. Basically a management role is used to define a specific task like recipient management, Mailbox Import Export etc. If you are a beginner to Role Based Access Control, see RBAC Exchange 2010.

There are number of built-in management roles available in exchange 2010 for our needs. We can club together the required management roles to a group and use it as required. But there are some situations where we may need to remove few of the management role entries from a role. Such case it is recommended to create a new role from an existing role and remove the entries from the new role, you will be denied when you try to remove a management role entry from built-in management role using the Exchange Management Shell.
  • Create new management role:

To create a new management role, you should be a member of Organization Management role group. New management roles are based on the existing roles. In other words, when you create a new management role, you are actually copying all the role entries from an existing role. That means you must choose a management role that contains all the parameters you need to use while creating the new rule. For e.g. you want to create a new role that should contain the import-mailbox command, then you should choose the Mailbox Import Export role and then remove the cmdlets other than import-mailbox.

Example:
Use the following command to create a new role:

New-ManagementRole -Parent <existing role> -Name <your new role>

Scenario: Create a new role from an existing role called “Mail Recipients” which will only have the view cmdlets (‘Get-‘cmdlets) in it. Because the role Mail Recipients contains list of cmdlets including create(‘New-‘ cmdlets), view(‘Get-‘ commands), modify(‘Set-‘ commands), manage(‘Test-‘ cmdlets) etc.

Step 1. Open the Exchange Management Shell and execute the below cmdlets.
New-ManagementRole -Parent "Mail Recipients" -Name "View Mail Recipients” and hit enter. The output will look like below:

new-role  
Step 2. After the role is created, the Remove-ManagementRoleEntry cmdlet is used along with the Where cmdlet to remove all the management role entries that aren't needed on the role. You can't add role entries to the newly created role bcause it already has all the role entries that exist on its parent role, Mail Recipients. The WhatIf switch is used to verify that the correct role entries are removed. Remove the cmdlets other than Get commands, for which execute the below commands:

Get-ManagementRoleEntry "View Mail Recipients\*" | Where { $_.Name -NotLike "Get*" } | Remove-ManagementRoleEntry –Whatif.

The above command will show up all the entries that will be deleted/removed from the newly created role, some what like the below picture.

what-if  
Step 3. Now we are all set to execute the amount command without the switch –Whatif.
Get-ManagementRoleEntry "View Mail Recipients\*" | Where { $_.Name -NotLike "Get*" } | Remove-ManagementRoleEntry. This will ask you for a confirmation before the removal of management role entries.

remove-confirm  
Press” A” and hit Enter. We have successfully created the Management role with only view permission on Mail Recipeints. This can be now used for role assignments.

The below sections explains you how to view the list of Role Entries on a Management Role and the list of roles that contains a specific Role Entry.  

  • How to view the list of Management Roles that cotain a specific Role Entry

To view the list of roles that contains a specific role entry, you can use the below,

Syntax:   Get-ManagementRoleEntry *\<cmdlet name>

Example: Get-ManagementRoleEntry *\Get-Mailbox  

get-managementroleentry

There are some cases we may nee to see the list of similar cmdlets, for e.g roles that contains cmdlets related the mailbox administration. We can use the below command to get this desired output.

Syntax: Get-ManagementRoleEntry *\<*partial cmdlets*>

Example: Get-ManagementRoleEntry *\*Mailbox* (execute it and view the result).  

  • How to view the list of all Role Entries on a Management Role

This section helps you to find the list of cmdlets inside a specific role, let us take the example of the newly created role Mail Recipients.

Syntax: Get-ManagementRoleEntry “<Management Role>\*”

Example: Get-ManagementRoleEntry "View Mail Recipients\*"

Get-role_entries_on_a_Role

To know more about the Exchange 2010 RBAC, read Role Based Access Control

Did you feel comfortable with Exchange RBAC? Want more?

-Praveen (http://www.exchangedictionary.com)

theme by reviewshub