As we all know ‘Role Based Access Control’ or RBAC is the permission model introduced with the Exchange Server 2010. By now almost all of us are having a fairly good understanding about the topic RBAC. I decided to write another post on RBAC because; recently I come across a query on confusion about role assignment and role groups. Why should we create role group, why don’t we use the role assignment to assign permission to users? Looks to be a valid question, but can we stay only with role assignment? Of course not, role assignment has its own important, without a role assignment there are no role groups but at the same time role assignments alone are not enough too.
I hope you already have read enough about Role Based Access Control. If you did not get clarity about the RBAC permission model please read few of my previous articles listed below,
In simple words, Management Role Assignment is a link between one management role and a role assignee. A role assignee can be a role group, role assignment policy, user or a universal security group. When you create a role group by clubbing more roles together, it in turn creates individual role assignment for each role specified.
Now, let us create a role group to see the role assignee and the assignment type
New-RoleGroup -Name ED_PF_Admin -Roles "Public Folder Replication","Public Folders"
The above cmdlet will create a new role group by clubbing both the roles mentioned.
Now, see the role assignments created when we created the role group, run Get-RoleGroup ED_PF_Admin | fl Name,RoleAssignments,Roles
As you see in the above screen shot, one role assignment is created for each of the role specified (Public Folder Replication-ED_PF_Admin, Public Folders-ED_PF_Admin). Now let’s see the details of one of the role assignments
Run “Get-ManagementRoleAssignment "Public Folders-ED_PF_Admin" |fl Role*,assign*”
You can see the assignee type is role group, and the role assignee is one of the Exchange Security Group. As like the role group assignee, we can link the role to a user, USG or to a role assignment policy by using a management role assignment. In case of role assignment policy, the assigned permissions will take to effect when that policy applied to any users. You may read RBAC Management Role Assignment Policy to know more about the permission delegation using the role assignment policy.
Hope you are clear and left with no confusions about RBAC Management Role Assignment concept. So my advice is, if you want to delegate the permission only to a single person use role assignment other wise use a role assignment policy or a role group depends on the situation. Read the assignment policy topic mentioned above to understand the situation where a policy to be created for permission delegation. The only option to understand the concept is to do practice it at your LAB, read as much as you can... it is really simple.
If you still confused, write me