Saturday, 19 June 2010 18:53

Role Based Access Control Exchange 2010

Written by

Role Based Access Control(RBAC) is the new permission control feature introduced by Microsoft in Microsoft Exchange 2010. By using the RBAC, we can define/control what resources or actions or controls a user or an administrator can access. RBAC in Exchange Server 2010 allows you manage your exchange server permissions effectively. Using a combination of management role groups, management role assignment policies, and management scopes etc, you can grant permissions to administrators and end users. RBAC allows the permission control in broad and granular levels, what an administrator or an end user can do.

RBAC has two primary ways of assigning permissions to users, depends on whether the user is an administrator or specialist or an end user (using Management Role Groups and Management Role Assignment Policies). You may also use direct role assignment to the users.

Now let us discuss what a Management Role Group and Management Role Assignment Policy.

ü  Management Role Assignment Policy

Management role assignment policies associate end-user management roles to users. Role assignment policies consist of roles that control what a user can do with his or her mailbox or distribution groups. When we create an assignment policy we can define all action that a user can do with his or her mailbox. Sometimes a role assignment policy may allow a user to set the display name, configure Inbox rules, update their addresses etc. Another role assignment policy might allow a user to use text messaging, and set up distribution groups. Exchange will have a default role assignment policy, we can create a new one and make it as default if needed. We will not discuss more about management role assignment policy in this post. 

ü  Management Role Group:

Management Role Group is nothing but one more role that are clubbed together to grant permission to the administrators or specialist users. A Management Role Group consists of the following,

  • Management Role Group: The management role group is a special USG (universal security group) that contains users, mailboxes and USGs and some time other role group. You can add or remove members in it, and the roles are assigned to it using the management assignments. The combination of all the roles in the role group defines what a specialist user and administrator those are added to this group can do.
  • Management Role: A management role contains a list of role entries or cmdlets grouped together. Basically a management role is used to define a specific task like recipient management, Mailbox Import Export etc. Read more about Management Role
  • Management Role Assignment: A management role assignment links a role to a role group. Assigning a role to role group grants member of that role group to execute the cmdlets defines in the role.
  • Management Role Scope: A management role scope says where the roles are apply. For e.g. when we assign a role to a group we also can specify the target scope to which the role is assigned for (It can be restricted only to particular OU, Users etc).

The below picture will give an idea how RBAC works.

RBAC Overview

The role assignment links the “Who”, “What” and “Where” together and it gives the effective permission using the Exchange 2010 RBAC. In other word Role entries are put together or grouped into role and then roles are assigned using role assignments to role group by specifying the role scope and the members are added into the role group.

Example:

Scenario - You want to delegate the administration of recipients(create, delete, manage user mailboxes) on a purticular OU in your domain to a Mail Admin user. Will this be possible in exchange 2007 or 2003, I will not say it is not possible. But how easy was the process, not easy isn't it? Now let us see how can we achieve this in exchange 2010 using couple of commands.

Steps in brief:

Note - Exchange 2010 already have number of built in management roles, for the above scenario we can use the role called 'Mail Recipient Creation' which has the following roles entries(you may execute the command get-ManagementRoleEntry " Mail Recipient Creation\*").

Set-ADServerSettings, Remove-Mailbox, Remove-MailUser,Remove-MailContact,Remove-LinkedUser, New-Mailbox, New-MailUser, New-MailContact, New-LinkedUser, Get-User, Get-ThrottlingPolicy, Get-SharingPolicy, Get-RoleAssignmentPolicy, Get-ResourceConfig,Get-OrganizationalUnit, Get-ManagementRoleAssignment, Get-ManagedFolderMailboxPolicy, Get-MailboxDatabase, Get-Mailbox, Get-MailUser, Get-MailContact, Get-LinkedUser, Get-DomainController, Get-ADServerSettings, Add-MailboxPermission, Add-MailboxFolderPermission,

We will use the role 'Mail Recipient Creation' to create the role group.

  1. Create a management role scope(name the scope as ExchangeDictionary Mail Admin)
  2. Create a role group assigning the role ' Mail Recipient Creation' and the scope created in the step1,in the same command we can club the group member addition as well.

That's it! you have achieved the goal! below sections shows the implementation and the testing part of above request.

Step1:Create the scope

Open the Exchange Management Shell and execute the below command.

New-ManagementScope -Name "ExchangeDictionary Mail Admin" -RecipientRoot "ExchangeDictionary.com/ExchangeDictionary-DLs" -RecipientRestrictionFilter { RecipientType -eq 'usermailbox' }

You can verify the role scope using the command get-managementscope cmdlet.

    Command explanation:

  1. Target Organization Unit - ExchangeDictionary.com/ExchangeDictionary-DLs
  2. Type of target object -  User Mailbox
  3. Scope Name - ExchangeDictionary Mail Admin

Step2:Create the role group by assigning role, scope and member into it

Execute the below command to create a new role group for delegating the mail recipient administration permission to the user PraveenB

New-RoleGroup -Name "ED Mail Admin" -Roles "Mail Recipient Creation" -CustomRecipientWriteScope "ExchangeDictionary Mail Admin" -Members praveenb

The role group has been successfully created now, you can verify the group using either ADUC or exchange management shell.

     Command explanation:

  1. Management Roles used(What) -  Mail Recipient Creation (you can use more roles separated by comma)
  2. Role Group Name - ED Mail Admin
  3. Target Scope(where) - ExchangeDictionary Mail Admin
  4. Member of the new role group(Who) - PraveenB

Test the configuration:

1. Login to the server using the ID PraveenB (note - you may have to add the user into remote desktop user group).

2. Open the Exchange Management Console(you can even open the management shell to test it).

EMC_Org_level_permission

From the above screen shot you can see that the user does not have permission to view or edit any Organization configuration.

3. Expand Recipient Configuration/Mailbox

4. Create a new user by not specifying an OU for creating the new mailbox, let it take the default location, "Exchangedictionary.com/Users" ,.

Continue with the wizard and on finish page you will receive an error as shown in the below screen shot.

creation-wo-OU-2

The error message clearly says that ExchangeDictionary.com/Users/ExchangeDictionary isn't within the write scope, we have created the management scope with the following OU path 'ExchangeDictionary.com/ExchangeDictionary-DLs'.

5. Now let us create the user by specifying the OU "ExchangeDictionary-DLs".

creation-with-OU-1

We have selected the OU as 'ExchangeDictionary.com/ExchangeDictionary-DLs". Continue with the user creation wizard and now let us look at the wizard stage"finish".

creation-with-OU-2

Now let us think about the permission model in exchange 2007 and earlier, we were using the Access Control List. Now in Exchange 2010 we use the easy to use RBAC not the ACLs. Hope this  was helpful in understanding the concept of RBAC.

-Praveen

theme by reviewshub