To summarize, you have defined scopes to say which objects
a role can access and update, a role to say which cmdlets and
parameters are made available to the holders of the role, and role
groups to help manage who can do what. Role assignments provide what
Microsoft refers to as the glue for RBAC in that they link roles and
their scope to users or groups. To see the complete set of role
assignments in the organization, type:
Get-ManagementRoleAssignment
Exchange 2013 includes some hundreds of role assignments, ordered by assignee name. All the roles assigned to the Organization Management role group are found together, as are all the roles assigned to the other role groups such as Hygiene Management, Discovery Management, Move Mailboxes, and so on. Because it is the most powerful and functional role group, Organization Management has the most role assignments. Toward the bottom of the list you'll find the roles assigned to the Default Role Assignment Policy, which Exchange applies automatically to every user when the user's mailbox is created. These assignments include MyBaseOptions and MyContactInformation, the roles a user needs to edit her own personal information through Outlook Web App options. Custom role assignments are found at the end of the list.
Role assignments are named using a convention of Role-Role Group, which results in names such as Message Tracking-Records Management and Transport Queues-Organization Management. Assume that the Help Desk Level 2 role group you created earlier includes seven roles; you would then expect to see these represented by seven role assignments when you run Get-ManagementRoleAssignment, which is exactly what happens:
Get-ManagementRoleAssignment -RoleAssignee 'Help Desk Level 2'
Name                                        Role
----                                        ----
Distribution Groups-Help Desk Level 2       Distribution Groups
Mail Recipient Creation-Help Desk Level 2   Mail Recipient Creation
Mail Recipients-Help Desk Level 2           Mail Recipients
Message Tracking-Help Desk Level 2          Message Tracking
Move Mailboxes-Help Desk Level 2            Move Mailboxes
Recipient Policies-Help Desk Level 2        Recipient Policies
Mailbox Import Export-Help Desk Level 2     Mailbox Import Export
To examine a specific role assignment, pass the name of the assignment to the Get-ManagementRoleAssignment cmdlet:
Get-ManagementRoleAssignment -Identity 'Mail Recipient Creation-Help Desk Level 2' | Format-List
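As an added example (not code from the book), the following PowerShell audits a role group the way a reviewer would: it compares the roles the group lists against the role assignments that actually exist for it, then prints the scope each assignment carries, because the scope, not the role name, is what bounds what the assignees can touch. 'Help Desk Level 2' is the hypothetical role group from the text; the property names used are the standard ones returned by Get-RoleGroup and Get-ManagementRoleAssignment.

```powershell
# Added example: audit a role group's assignments and their scopes.
# Assumes the hypothetical role group 'Help Desk Level 2' from the text exists.
param([string]$RoleGroup = 'Help Desk Level 2')

$group       = Get-RoleGroup -Identity $RoleGroup
$assignments = Get-ManagementRoleAssignment -RoleAssignee $RoleGroup

# Roles the group claims, versus roles actually glued to it by an assignment.
# Both collections hold ADObjectId values; "$_" renders the role name.
$expected = @($group.Roles       | ForEach-Object { "$_" }         | Sort-Object -Unique)
$actual   = @($assignments       | ForEach-Object { "$($_.Role)" } | Sort-Object -Unique)

$missing = $expected | Where-Object { $_ -notin $actual }   # listed on the group, no assignment
$extra   = $actual   | Where-Object { $_ -notin $expected } # assignment exists, role not listed

if ($missing -or $extra) {
    Write-Warning "Role list and assignments disagree for '$RoleGroup'"
    $missing | ForEach-Object { Write-Warning "  role without assignment: $_" }
    $extra   | ForEach-Object { Write-Warning "  assignment without listed role: $_" }
} else {
    Write-Host "$($actual.Count) assignments match $($expected.Count) roles for '$RoleGroup'"
}

# Scope is what limits each assignment. Show read and write scope side by side,
# including any custom recipient scope, so a reviewer can see the blast radius.
$assignments |
    Sort-Object Name |
    Format-Table Name, Enabled, RoleAssignmentDelegationType,
                 RecipientReadScope, RecipientWriteScope, CustomRecipientWriteScope -AutoSize

# A delegated help desk group normally should not hold organization-wide write scope.
$assignments |
    Where-Object { $_.RecipientWriteScope -eq 'Organization' } |
    ForEach-Object { Write-Warning "'$($_.Name)' can write to every recipient in the organization" }
```

Run it from the Exchange Management Shell as an account that can read RBAC configuration; the warnings are advisory, and a custom scope that already restricts the group to a subset of recipients will show as CustomRecipientScope in the write-scope column rather than as Organization.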
RBAC does not function in the same way as regular security permissions, where the operating system resolves conflicting ACL entries in favor of the most restrictive one, so that an explicit deny overrides any allow. Instead, RBAC operates on the principle that a user receives the combination of all the roles that have been assigned to him, which enables him to accomplish any of the tasks covered by those roles. Consider what happens when you make an account a domain administrator. Immediately, the account gains a great deal of power within the domain, and there is a huge difference between the capabilities of that account and those of a standard user account. Now consider what happens when you add an account to a role group. It gains the ability to run any of the cmdlets covered by the group's roles. As you add the account to other role groups, it gains access to more cmdlets, until you arrive at the Organization Management level, which is an accumulation of nearly every role available to Exchange. Roles build on roles to create a highly customizable framework that enables all kinds of users to do their work. Role accumulation delivers a more granular authorization mechanism than any of the previous Exchange ACL-based schemes, even though there is no explicit deny mechanism that positively blocks someone from doing something: if any assignment grants a cmdlet and parameter within a scope, the user has it. The nearest thing to a deny is an exclusive scope, which prevents anyone who does not hold an assignment carrying that exclusive scope from modifying the objects it covers, regardless of what other roles they hold.
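The additive model described above means that the only reliable way to know what a user can run is to take the union of every assignment that reaches him. As an added example (not code from the book), this PowerShell does that for one user: it expands role groups into their members, picks up the assignments that arrive through the user's role assignment policy (which show up as "All Policy Assignees" rather than the user's name), and then groups the resulting role entries by cmdlet so that each cmdlet appears once with every assignment that grants it. The user 'Ruth, Andy' is the hypothetical name taken from the sample output in the text.

```powershell
# Added example: compute the cumulative cmdlet set a user receives from all
# assignments. Assumes the hypothetical user 'Ruth, Andy' from the text.
param([string]$User = 'Ruth, Andy')

# -GetEffectiveUsers expands role groups so each row is (assignment, member);
# -Delegating $false keeps only the assignments that let the holder run cmdlets,
# not the ones that let the holder delegate them to others.
$viaGroups = Get-ManagementRoleAssignment -GetEffectiveUsers -Delegating $false |
    Where-Object { $_.EffectiveUserName -eq $User }

# Policy-based assignments are reported as 'All Policy Assignees', so fetch them
# through the mailbox's role assignment policy instead of by user name.
$policy    = (Get-Mailbox -Identity $User).RoleAssignmentPolicy
$viaPolicy = if ($policy) { Get-ManagementRoleAssignment -RoleAssignee "$policy" -Delegating $false }

$reaching = @($viaGroups) + @($viaPolicy)

# Pull every role entry (cmdlet plus permitted parameters) behind each assignment,
# tagging each entry with the assignment and write scope it came from.
$entries = foreach ($a in $reaching) {
    Get-ManagementRoleEntry -Identity "$($a.Role)\*" |
        Select-Object @{n='Cmdlet';     e={ $_.Name }},
                      @{n='Assignment'; e={ $a.Name }},
                      @{n='WriteScope'; e={ "$($a.RecipientWriteScope)" }},
                      @{n='Parameters'; e={ @($_.Parameters) }}
}

# Union by cmdlet. A cmdlet granted by several roles is available once, with the
# parameters of all of them combined; no assignment can subtract from another.
$entries | Group-Object Cmdlet | Sort-Object Name | ForEach-Object {
    [pscustomobject]@{
        Cmdlet      = $_.Name
        GrantedBy   = ($_.Group.Assignment | Sort-Object -Unique) -join '; '
        ParamCount  = @($_.Group.Parameters | ForEach-Object { $_ } | Sort-Object -Unique).Count
        WriteScopes = ($_.Group.WriteScope  | Sort-Object -Unique) -join ', '
    }
} | Format-Table -AutoSize
```

Reading the WriteScopes column is the important part: when the same cmdlet is reachable through two assignments with different write scopes, the user can act on objects in either scope, so the broader one is the effective limit.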
1. Using role assignment policy to limit access
Role assignments can limit access down to the parameter level
for a cmdlet. Exchange uses this capability to restrict users to
writing to specific data items within a larger set. For example, the
default role assignment policy enables users to update their contact
details but not their display name through the Options section of
Outlook Web App. You can interrogate Exchange to discover the role
assignments that underpin this capability by looking for the
assignments that control users’ ability to use the Set-User cmdlet to
update their mobile phone number (one of the data items permitted by
the default role assignment policy) as follows:
Get-ManagementRole -Cmdlet Set-User -CmdletParameters MobilePhone |
    Get-ManagementRoleAssignment -GetEffectiveUsers -Delegating $False |
    Where-Object {$_.EffectiveUserName -ne "All Group Members"} |
    Format-Table Role, RoleAssigneeName, EffectiveUserName
This code does the following:
Looks for all roles that permit access to the MobilePhone property through Set-User.
Pipes the roles to Get-ManagementRoleAssignment to return a list of users who have been given access through a role assignment. (If the -Delegating parameter is set to $True, you will instead see the users who can delegate that access to others.)
Filters the list to remove All Group Members because you want to see only individual users.
Outputs the role, assignee name, and username.
Here is the output:
Role                   RoleAssigneeName                 EffectiveUserName
----                   ----------------                 -----------------
Mail Recipients        Organization Management          Administrator
Mail Recipients        Organization Management          Halstead, Dean
Mail Recipients        Help Desk Level 2 Support        Ruth, Andy
Mail Recipients        EMEA Help Desk                   Pelton, David
Mail Recipients        EMEA Help Desk                   Smith, John
Mail Recipients        APJ Help Desk                    Akers, Kim
User Options           Organization Management          Administrator
User Options           Organization Management          Redmond, Tony
MyContactInformation   Default Role Assignment Policy   All Policy Assignees
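The section above explains that the default role assignment policy limits users at the parameter level. As an added example (not code from the book), the following PowerShell goes one step further and builds a stricter policy: it derives a child role from MyContactInformation, removes the MobilePhone parameter from that child's Set-User entry, and assigns the child role to a new role assignment policy, so holders of the policy can still update the rest of their contact details but not their mobile number. The role name 'MyContactInformation-NoMobile', the policy name 'Restricted Users Policy', and the mailbox 'Ruth, Andy' are hypothetical; the cmdlets used are the standard RBAC management cmdlets.

```powershell
# Added example: restrict one parameter of Set-User for a set of users by
# deriving a child role and assigning it through a new role assignment policy.
# Role name, policy name, and mailbox are hypothetical.
$roleName   = 'MyContactInformation-NoMobile'
$policyName = 'Restricted Users Policy'

# 1. What the built-in role grants on Set-User today, at the parameter level.
Get-ManagementRoleEntry -Identity 'MyContactInformation\Set-User' |
    Select-Object Role, Name, @{n='Parameters'; e={ $_.Parameters -join ', ' }} |
    Format-List

# 2. Derive a child role. A child starts as a full copy of its parent's entries
#    and can only lose entries or parameters; it can never gain ones the parent lacks.
if (-not (Get-ManagementRole -Identity $roleName -ErrorAction SilentlyContinue)) {
    New-ManagementRole -Parent 'MyContactInformation' -Name $roleName | Out-Null
}
Set-ManagementRoleEntry -Identity "$roleName\Set-User" -Parameters MobilePhone -RemoveParameter

# 3. Confirm the parameter is gone from the child but still present on the parent.
'MyContactInformation', $roleName | ForEach-Object {
    $entry = Get-ManagementRoleEntry -Identity "$_\Set-User"
    [pscustomobject]@{ Role = $_; HasMobilePhone = ($entry.Parameters -contains 'MobilePhone') }
}

# 4. Build the policy. MyBaseOptions stays in, because without it the user cannot
#    reach the Outlook Web App options pages at all; the child role replaces
#    MyContactInformation. Then point a mailbox at the new policy.
if (-not (Get-RoleAssignmentPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-RoleAssignmentPolicy -Name $policyName -Roles 'MyBaseOptions', $roleName | Out-Null
}
Set-Mailbox -Identity 'Ruth, Andy' -RoleAssignmentPolicy $policyName

# 5. Verify from both directions: the policy's assignments follow the
#    Role-Assignee naming convention, and the child role no longer shows up
#    among the roles that can reach Set-User -MobilePhone.
Get-ManagementRoleAssignment -RoleAssignee $policyName |
    Format-Table Name, Role, RecipientWriteScope -AutoSize
Get-ManagementRole -Cmdlet Set-User -CmdletParameters MobilePhone |
    Where-Object { $_.Name -eq $roleName }   # returns nothing once the parameter is removed
```

Assign the policy to a test mailbox first and open that user's Outlook Web App options page: the mobile phone field should be read-only while the other contact fields remain editable. Removing parameters from a child role is the only direction available; to grant a parameter back, you edit or recreate the child, since RBAC has no way to add something the parent does not already allow.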
Caution
RBAC lets you restrict the parameters a user may pass to cmdlets that write data (New-, Set-, and the like), but it offers no way to restrict which properties a Get- cmdlet returns. You can remove a Get- cmdlet from a role entirely, and a recipient read scope limits which objects the cmdlet returns, but if a user can run the cmdlet at all against an object, the user can read every property of that object, even though she might not be able to update some or any of those attributes.