Exchange 2013 includes 85 built-in roles that are designed
to cover the majority of administrative and user tasks performed in
Exchange organizations. This is an increase over the 69 built-in roles
included in Exchange 2010 SP1, with the new roles being introduced to
support the management of new objects, such as team mailboxes, or to
accommodate greater flexibility in management, such as enabling users
to manage the apps they want to add to Outlook Web App. The majority of
the roles cover administrative roles, from taking care of address lists
to managing public folders, and there is a small set of roles (all
prefixed with My) that are used to assign rights to users to maintain
their mailbox settings and other options. You can see the complete
collection of roles with the following command:
Get-ManagementRole
A role can be broken down into a set of cmdlets and parameters that
Exchange makes available to anyone who holds the role. In RBAC terms,
the components of a management role are called management role entries,
each of which identifies a single cmdlet and its parameters, a script,
or a permission. The parameters for a cmdlet can be restricted so that
only certain functionality is made available through a management role
entry. If a role doesn’t include a role entry for a cmdlet, that cmdlet
is unavailable to the user who holds the role.
Some of the roles included with Exchange are very simple. For instance,
if you look at the Reset Password role by running the
Get-ManagementRoleEntry command to return its details, you see that it
contains just one role entry:
Get-ManagementRoleEntry 'Reset Password\*'

Name         Role            Parameters
----         ----            ----------
Set-Mailbox  Reset Password  {Password, ResetPasswordOnNextLogon}
You might be surprised to see that the role is quite so simple, but in
fact when you think about what permissions you need to be able to set
someone’s Active Directory password, all you need is the ability to run
the Set-Mailbox command with two parameters: the new password and a
flag to say whether the user has to reset that password when she next
logs on. If you look at the management role definition for the Reset
Password role, that’s exactly what Exchange allows the people who are
assigned this role to do.
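As an added example (not part of the book's text), the following script looks at the Reset Password role from the auditing side: it finds every role whose Set-Mailbox entry exposes the Password parameter and then expands the assignments of those roles down to the individual users who effectively hold them. It assumes an Exchange Management Shell session against on-premises Exchange 2013; the function name Get-PasswordResetCapability is my own, not an Exchange cmdlet.

```powershell
# Added example, not from the book. Assumes an Exchange Management Shell session.
function Get-PasswordResetCapability {
    # Step 1: every role entry, in any role, whose Set-Mailbox entry carries the
    # Password parameter. The role part of the identity is wildcarded so that
    # roles other than Reset Password (custom copies, for instance) are found too.
    $entries = Get-ManagementRoleEntry -Identity '*\Set-Mailbox' -Parameters Password

    foreach ($entry in $entries) {
        # Step 2: assignments of that role. Roles are normally assigned to role
        # groups rather than to people, so -GetEffectiveUsers expands group
        # membership and reports each member as EffectiveUserName.
        $assignments = Get-ManagementRoleAssignment -Role $entry.Role -GetEffectiveUsers

        foreach ($a in $assignments) {
            [pscustomobject]@{
                Role          = $entry.Role
                AssignedTo    = $a.RoleAssigneeName      # role group, USG or user
                EffectiveUser = $a.EffectiveUserName     # person who can actually run it
                WriteScope    = $a.RecipientWriteScope   # which mailboxes the entry reaches
                Enabled       = $a.Enabled
            }
        }
    }
}

# Usage: one row per (role, effective user); disabled assignments stay visible
# so a reviewer can see what would be granted if they were re-enabled.
Get-PasswordResetCapability | Sort-Object Role, EffectiveUser | Format-Table -AutoSize
```

The RecipientWriteScope column matters as much as the user column: a role assignment with an organization-wide write scope lets its holders set the password of any mailbox-enabled account, whereas one limited by a custom scope only reaches the recipients that scope selects.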
Because roles have to deal with all
aspects of Exchange administration, they can be much more complex. For
example, the Message Tracking role specifies a set of 19 role entries
describing the cmdlets necessary to search through message tracking
logs:
Get-ManagementRoleEntry 'Message Tracking\*'
Name Role Parameters
---- ------ ----------
Write-AdminAuditLog Message Tracking {Comment, Confirm, Debug, DomainController, ErrorAction, ErrorV…
Set-OrganizationRelationship Message Tracking {DeliveryReportEnabled, Identity}
Set-AvailabilityConfig Message Tracking {Confirm, Debug, DomainController, ErrorAction, ErrorVariable, …
Set-ADServerSettings Message Tracking {ConfigurationDomainController, Confirm, Debug, ErrorAction, Er…
Search-MessageTrackingReport Message Tracking {BypassDelegateChecking, Confirm, Debug, DomainController, DoNo…
Resume-MailboxExportRequest Message Tracking {Confirm, Debug, DomainController, ErrorAction, ErrorVariable, …
Remove-AvailabilityAddressSpace Message Tracking {Confirm, Debug, DomainController, ErrorAction, ErrorVariable, …
New-OrganizationRelationship Message Tracking {DeliveryReportEnabled, DomainNames, Name}
Get-Recipient Message Tracking {Anr, BookmarkDisplayName, Credential, Database, Debug, DomainC…
Get-MessageTrackingReport Message Tracking {BypassDelegateChecking, Debug, DetailLevel, DomainController, …
Get-MessageTrackingLog Message Tracking {Debug, DomainController, End, ErrorAction, ErrorVariable, Even…
Get-Mailbox Message Tracking {Anr, Arbitration, Archive, Credential, Database, Debug, Domain…
Get-ExchangeServerAccessLicenseUser Message Tracking {Debug, ErrorAction, ErrorVariable, LicenseName, OutBuffer, Out…
Get-ExchangeServerAccessLicense Message Tracking {Debug, ErrorAction, ErrorVariable, OutBuffer, OutVariable, Sta…
Get-ExchangeServer Message Tracking {Debug, Domain, DomainController, ErrorAction, ErrorVariable, I…
Get-DomainController Message Tracking {Credential, Debug, DomainName, ErrorAction, ErrorVariable, For…
Get-AvailabilityAddressSpace Message Tracking {Debug, DomainController, ErrorAction, ErrorVariable, Identity,…
Get-ADServerSettings Message Tracking {Debug, ErrorAction, ErrorVariable, OutBuffer, OutVariable, Ver…
Add-AvailabilityAddressSpace Message Tracking {AccessMethod, Confirm, Credentials, Debug, DomainController, E…
Some of the cmdlets included in the Message Tracking role don’t appear
to have very much to do with interrogating the message tracking logs to
determine the routing of a message within an organization. This is
because it is convenient to use some roles in different role groups to
enable administrators to perform tasks without having to create a
profusion of relatively similar roles.
If a user holds the Message Tracking role through membership in a role
group, EMS loads the 19 cmdlets, with the parameter sets listed earlier,
to make them available during the session. RBAC definitions differ when
you manage an Exchange Online tenant. You don’t need access to many
cmdlets because Microsoft does a lot of the work with servers and
databases that usually has to be done by an on-premises administrator.
For instance, you won’t see any trace of a New-DatabaseAvailabilityGroup
cmdlet when you connect to Exchange Online.
Individual role entries are named through a combination
of the role group name and the cmdlet, so including the asterisk
wildcard character in the command instructs Exchange to return all the
cmdlets assigned to the role group. To return details of a specific
cmdlet, including the parameters that can be used, include the cmdlet
name:
Get-ManagementRoleEntry 'Move Mailboxes\Get-Recipient' | Format-List
You can also find the list of roles to which a specific cmdlet is
assigned by using the Get-ManagementRole cmdlet. For example, to list
all roles that can update mailbox information with the Set-Mailbox
cmdlet, use:
Get-ManagementRole -Cmdlet 'Set-Mailbox'
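As an added example, not from the book, the following function takes the opposite direction from the cmdlet-to-roles lookup above: for one user it walks the role assignments that apply to that user and reports the cmdlets, with the union of parameters, that EMS would load into that user's session. This union is also why a cmdlet such as Get-Recipient, which appears in several roles, ends up with the combined parameter set of all the roles the user holds. It assumes an Exchange Management Shell session; the function name Get-EffectiveRoleEntry and the user name are constructed placeholders.

```powershell
# Added example, not from the book. Assumes an Exchange Management Shell session.
function Get-EffectiveRoleEntry {
    param([Parameter(Mandatory)][string]$User)

    # Assignments that apply to the user, directly or through role group
    # membership. Delegating assignments only allow the holder to assign the
    # role to others and load no cmdlets, so only Regular ones are kept.
    $assignments = Get-ManagementRoleAssignment -RoleAssignee $User |
        Where-Object { $_.Enabled -and $_.RoleAssignmentDelegationType -eq 'Regular' }

    # cmdlet name -> set of parameter names, merged across every role held
    $seen = @{}
    foreach ($a in $assignments) {
        $entries = Get-ManagementRoleEntry -Identity "$($a.Role)\*" -Type Cmdlet
        foreach ($entry in $entries) {
            if (-not $seen.ContainsKey($entry.Name)) { $seen[$entry.Name] = @{} }
            foreach ($p in $entry.Parameters) { $seen[$entry.Name][$p] = $true }
        }
    }

    foreach ($cmdlet in ($seen.Keys | Sort-Object)) {
        [pscustomobject]@{
            Cmdlet     = $cmdlet
            Parameters = ($seen[$cmdlet].Keys | Sort-Object) -join ', '
            ViaRoles   = (($assignments | Where-Object {
                              (Get-ManagementRoleEntry "$($_.Role)\$cmdlet" -ErrorAction SilentlyContinue)
                          }).Role | Sort-Object -Unique) -join ', '
        }
    }
}

# Usage: 'helpdesk.user' is a constructed placeholder for an account to review.
Get-EffectiveRoleEntry -User 'helpdesk.user' | Format-Table -AutoSize
```

Running this against a help desk account before and after a role group change is a quick way to confirm that the change granted only the cmdlets and parameters that were intended, since the listing reflects what RBAC will actually load rather than what the role group name suggests.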