So far, you have looked at direct assignment of roles to role groups, by which users receive rights through their membership in the group that enable them to perform administrative operations such as viewing transport queues or conducting discovery searches. Every RBAC system needs a default policy to provide a basic set of functions that users can run. Exchange 2013 includes the concept of a management role assignment policy to enable users to perform certain functions that had to be performed by administrators in previous versions of Exchange. Table 1 lists the roles covered by the default role assignment policy, which is assigned automatically to an end user when his mailbox is created unless the administrator overrides it by specifying another role assignment policy or by changing the default role assignment policy. The role assignment policy specified for a mailbox can be changed at any time by running the Set-Mailbox cmdlet. For instance:
Set-Mailbox -Identity JSmith -RoleAssignmentPolicy 'New User Role Assignment Policy'
Table 1. User roles in default role assignment policy
Role | Use | Enabled by default |
---|---|---|
MyBaseOptions | Base option that allows end users to access Outlook Web App options | Y |
MyContactInformation | Enables end users to update their phone and contact information | Y |
MyProfileInformation | Enables end users to update their first name, last name, initials, and display name | N |
MyVoiceMail | Enables end users to manage their voice mail options such as greetings | N |
MyTextMessaging | Enables end users to manage options for text messaging | N |
MyDistributionGroupMembership | Enables end users to manage their membership in distribution groups (list groups, leave groups, join new groups) | Y |
MyDistributionGroups | Enables end users to create new groups and to manage the membership of groups they own | N |
MyTeamMailboxes | Enables end users to manage team mailboxes they own | Y |
MyMarketPlaceApps | Enables end users to add apps to Outlook Web App | Y |
MyRetentionPolicies | Enables end users to select personal retention tags to apply to items in their mailbox | N |
Note
End-user roles are different from management roles in that they only affect data relating to the end users, such as their personal information or the distribution groups that include the end users. By comparison, management roles have a much broader scope in that they can affect data relating to other users or other components of Exchange.
A mailbox can have only one management role assignment policy. Individual mailboxes or groups of mailboxes can be assigned different management role assignment policies. You can use the following command to see the roles included in the default role assignment policy:
Get-ManagementRoleAssignment -RoleAssignee 'Default Role Assignment Policy'
If you want to check the roles assigned to a specific user through a role assignment policy, you can substitute the user's name for the name of the assignment policy. For example:
Get-ManagementRoleAssignment -RoleAssignee 'Akers, Kim'
You can remove any of these roles from the default role assignment policy and thus make them unavailable to users through Outlook Web App options. For example, to remove the text messaging options from Outlook Web App options:
Remove-ManagementRoleAssignment 'MyTextMessaging-Default Role Assignment Policy'
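Because roles can be added to or removed from any policy over time, it is worth checking periodically which end-user roles each policy actually grants and how many mailboxes it reaches. The following script is an added example, not code from the book: it compares every role assignment policy against the roles enabled by default in Table 1 and reports extra and missing roles. It assumes a remote PowerShell session to Exchange 2013 with at least view-only rights, and that the Role and RoleAssignmentPolicy properties expose the object name through .Name.

```powershell
# Added example: audit role assignment policies against the Table 1 baseline.
# Assumes an Exchange 2013 remote PowerShell session with view-only rights.

# Baseline: the roles marked "Enabled by default" in Table 1.
$DefaultRoles = @('MyBaseOptions', 'MyContactInformation',
                  'MyDistributionGroupMembership', 'MyTeamMailboxes',
                  'MyMarketPlaceApps')

# Count mailboxes per policy once, rather than querying once per policy.
$MailboxCounts = @{}
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    # RoleAssignmentPolicy is an AD object reference; .Name is assumed to hold the policy name.
    $MailboxCounts[$_.RoleAssignmentPolicy.Name] += 1
}

foreach ($policy in Get-RoleAssignmentPolicy) {
    # Enabled assignments for this policy, reduced to a unique list of role names.
    $roles = Get-ManagementRoleAssignment -RoleAssignee $policy.Name -Enabled $true |
             ForEach-Object { $_.Role.Name } | Sort-Object -Unique

    # Roles beyond the baseline widen what users can change (for example
    # MyDistributionGroups); roles missing from the baseline are usually an
    # unintended removal.
    $extra   = @($roles | Where-Object { $DefaultRoles -notcontains $_ })
    $missing = @($DefaultRoles | Where-Object { $roles -notcontains $_ })

    [PSCustomObject]@{
        Policy       = $policy.Name
        IsDefault    = $policy.IsDefault
        Mailboxes    = [int]$MailboxCounts[$policy.Name]
        ExtraRoles   = ($extra -join ', ')
        MissingRoles = ($missing -join ', ')
    }
}
```

Pipe the output to Export-Csv to keep a record between runs; a change in ExtraRoles for the default policy is the line worth alerting on.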
Administrators can also change the default role assignment policy to make other options available to users. In addition, you have the flexibility to create a new role assignment policy and apply it to selected users to allow them access to a different set of tasks than is available to standard users. To set a new default role assignment policy:
Set-RoleAssignmentPolicy 'New End-User Default Role Assignment Policy' -IsDefault
Management role assignment policies are assigned with the New-Mailbox cmdlet or the Enable-Mailbox cmdlet when you create a new user account or enable an existing account with a mailbox, or with the Set-Mailbox cmdlet to change the policy for an existing mailbox. These assignments are explicit, whereas the assignment of the default policy is implicit. An explicit assignment always takes precedence over an implicit assignment. Here's how you would assign an explicit policy to a mailbox:
Set-Mailbox -Identity 'Jack Jones' -RoleAssignmentPolicy 'VIP Users'
Sometimes it is useful to be able to process a group of users. For example, assume that you want to run a Unified Messaging pilot in just one office and want to enable the users in that office to update their voice mail settings through Outlook Web App options. The voice mail options are not enabled in the default policy, so you must create a new policy, assign the voice mail options to the policy, and then enable the policy for the mailboxes in the specific office. This set of commands does that. You create the policy, assign the necessary roles, including voice mail and the other roles users need to update their contact and personal information through Outlook Web App, and then assign the new policy to all mailboxes that belong to the Chicago office:
New-RoleAssignmentPolicy -Name 'VoiceMail Pilot Users'
New-ManagementRoleAssignment -Role 'MyBaseOptions' -Policy 'VoiceMail Pilot Users'
New-ManagementRoleAssignment -Role 'MyVoiceMail' -Policy 'VoiceMail Pilot Users'
New-ManagementRoleAssignment -Role 'MyProfileInformation' -Policy 'VoiceMail Pilot Users'
New-ManagementRoleAssignment -Role 'MyContactInformation' -Policy 'VoiceMail Pilot Users'
Get-Mailbox -Filter {Office -eq 'Chicago'} | Set-Mailbox -RoleAssignmentPolicy 'VoiceMail Pilot Users'
Users will pick up the new management role assignment policy the next time they log on to Outlook Web App.
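The pilot commands above assume they run exactly once and succeed. The script below is an added example, not code from the book: it carries out the same Chicago pilot so that it can be re-run safely (the policy and each role assignment are created only if absent), previews the mailbox change before applying it, and then verifies that the explicit assignment landed only on mailboxes in the pilot office. It assumes a remote PowerShell session to Exchange 2013 with rights to manage role assignment policies and mailboxes, and that the Role and RoleAssignmentPolicy properties expose the object name through .Name.

```powershell
# Added example: idempotent, verified rollout of the voice mail pilot policy.
# Assumes an Exchange 2013 remote PowerShell session with rights to manage
# role assignment policies and mailboxes.

$PolicyName = 'VoiceMail Pilot Users'
$Roles      = @('MyBaseOptions', 'MyVoiceMail', 'MyProfileInformation', 'MyContactInformation')
$Office     = 'Chicago'
$Preview    = $true   # set to $false to apply the policy to mailboxes

# 1. Create the policy only if it does not already exist.
if (-not (Get-RoleAssignmentPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-RoleAssignmentPolicy -Name $PolicyName | Out-Null
}

# 2. Add each role only when the policy has no enabled assignment for it yet,
#    so a second run does not create duplicate assignments.
$existing = @(Get-ManagementRoleAssignment -RoleAssignee $PolicyName -Enabled $true |
              ForEach-Object { $_.Role.Name })
foreach ($role in $Roles) {
    if ($existing -notcontains $role) {
        New-ManagementRoleAssignment -Role $role -Policy $PolicyName | Out-Null
    }
}

# 3. Assign the policy to the pilot office. A string filter is used so the
#    $Office variable expands before the filter is sent to the server.
#    With $Preview set, -WhatIf lists the mailboxes that would change.
$pilot = @(Get-Mailbox -ResultSize Unlimited -Filter "Office -eq '$Office'")
$pilot | Set-Mailbox -RoleAssignmentPolicy $PolicyName -WhatIf:$Preview

# 4. Verify. Re-read the pilot mailboxes and report any that still lack the
#    policy, then check that no mailbox outside the office carries it.
if (-not $Preview) {
    $notApplied = @($pilot | Get-Mailbox |
                    Where-Object { $_.RoleAssignmentPolicy.Name -ne $PolicyName })
    $outside    = @(Get-Mailbox -ResultSize Unlimited |
                    Where-Object { $_.RoleAssignmentPolicy.Name -eq $PolicyName -and
                                   $_.Office -ne $Office })
    [PSCustomObject]@{
        PilotMailboxes  = $pilot.Count
        NotApplied      = ($notApplied | ForEach-Object { $_.Alias }) -join ', '
        OutsideOffice   = ($outside    | ForEach-Object { $_.Alias }) -join ', '
    }
}
```

Run once with $Preview left at $true to confirm the filter selects only the intended mailboxes, since the explicit assignment overrides the default policy for every mailbox it touches.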