RBAC in Exchange is often described in the form of a triangle (Figure 1) to show how roles, role groups, scopes, and assignments fit together.
These are the major elements of RBAC as implemented in Exchange:
Management role. A collection of role entries that define the set of cmdlets and parameters a user can run. For example, the Mailbox Import Export role permits users to import or export mailbox data to and from PSTs.

Management role group. A container for a group of management role entries that collectively enable a user to function in a role such as recipient management. Exchange includes a default set of management role groups, and you can define new management role groups to meet specific needs that are not served by a default role group. For example, the Discovery Management role group allows members to execute discovery searches. The EAC refers to management role groups as admin roles.

Management role assignment. The ability to assign a management role to an individual user or to the members of a role group (universal security group). You make a management role assignment through the Permissions section of the EAC or by running the New-ManagementRoleAssignment command.

Management role assignment policies. Management role groups are predominantly intended for use by administrators to enable them to perform administrative tasks such as recipient management. The ability of users to work with personal data is controlled by management role assignment policies. Out of the box, Exchange provides a default role assignment policy that defines how users can update the information in their profile (contact phone numbers, display name, and so on) and distribution group membership. The default role assignment policy is automatically assigned to users when their mailbox is created or moved to an Exchange server unless another role assignment policy is explicitly assigned. A mailbox can only be assigned a single role assignment policy at a time.

Management role scope. The definition of the scope, or the collection of objects, with which a management role can work. A role such as Organization Management has a scope of the complete organization because the users who hold this role have to be able to manage any object in the entire organization. Other roles might be restricted to a particular scope, such as an organizational unit (OU) in Active Directory, to enable a fine granularity of management operations, such as the ability to manage mailboxes that belong to a certain region. Exchange 2013 also supports scopes based on servers and databases to enable specific administrators to manage certain objects.

Management role entries. Permit access to one or more cmdlets to enable a user to perform a certain task. For example, access to the New-Mailbox cmdlet enables a user to create a new mailbox. It is possible to restrict role entries to selected parameters for a cmdlet. A management role is composed of one or more management role entries.
Another way of understanding RBAC is to look at it from the perspective of the work someone does with Exchange. This will be as an administrator or as an end user. The methods RBAC uses to associate the rights the two groups need to do their work are as follows:

Administrators and other specialist users who have to perform operational tasks with an Exchange server gain the rights to do their work through membership in appropriate role groups. Each role group consists of a number of roles. To give an administrator permission to do something, just assign him the correct management role by putting him in the appropriate role group.

Note

The Organization Management role group is the most powerful because it includes nearly every role available to Exchange (with some exceptions).

Users don't need to be granted membership in role groups to be able to interact with Exchange because control of their data (mailbox and mailbox settings) is granted through the default management role assignment policy. That's a long and complicated term to explain default settings. You can access the default management role assignment policy through the user roles section under Permissions in EAC.
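The elements defined above (role, role entries, scope, role group, assignment) wired together in the Exchange Management Shell, followed by the kind of check an auditor runs on a sensitive role. This is an added example, not code from the book; the OU path contoso.com/EMEA, the role, scope and group names, the chosen parameters and the user alice are all assumed.

```powershell
# Added example (not from the book). Assumes an Exchange 2013 Management Shell session;
# the OU "contoso.com/EMEA", role/scope/group names and the user "alice" are made up.

# 1. Management role: derive a child role from the built-in "Mail Recipients" role.
#    A child role starts with a copy of all of its parent's role entries.
New-ManagementRole -Name "EMEA Mailbox Editors" -Parent "Mail Recipients"

# 2. Management role entries: keep only Get-Mailbox and Set-Mailbox, then restrict
#    Set-Mailbox to a few parameters. Without -AddParameter/-RemoveParameter the
#    -Parameters list replaces the entry's existing parameter list.
Get-ManagementRoleEntry "EMEA Mailbox Editors\*" |
    Where-Object { @("Get-Mailbox", "Set-Mailbox") -notcontains $_.Name } |
    Remove-ManagementRoleEntry -Confirm:$false
Set-ManagementRoleEntry "EMEA Mailbox Editors\Set-Mailbox" `
    -Parameters Identity, DisplayName, Office, CustomAttribute1

# 3. Management role scope: writes are limited to user mailboxes under the EMEA OU.
New-ManagementScope -Name "EMEA Mailboxes" `
    -RecipientRoot "contoso.com/EMEA" `
    -RecipientRestrictionFilter { RecipientType -eq "UserMailbox" }

# 4. Management role group and assignment: New-RoleGroup creates the universal
#    security group and the role assignment in one step, with the custom write
#    scope attached to that assignment. Membership then grants the rights.
New-RoleGroup -Name "EMEA Help Desk" -Roles "EMEA Mailbox Editors" `
    -CustomRecipientWriteScope "EMEA Mailboxes" `
    -Description "May edit display name/office of EMEA mailboxes only"
Add-RoleGroupMember -Identity "EMEA Help Desk" -Member "alice"

# 5. Verify: which cmdlets and parameters the role exposes, and which assignment
#    and scope tie it to the group.
Get-ManagementRoleEntry "EMEA Mailbox Editors\*" |
    Format-Table Name, Parameters -AutoSize
Get-ManagementRoleAssignment -RoleAssignee "EMEA Help Desk" |
    Format-Table Name, Role, RecipientWriteScope, CustomRecipientWriteScope -AutoSize

# 6. Control check for the high-impact role the chapter singles out: every account
#    that can run Mailbox Import Export, with role group membership expanded.
Get-ManagementRoleAssignment -Role "Mailbox Import Export" -GetEffectiveUsers |
    Select-Object EffectiveUserName, RoleAssigneeName, RoleAssigneeType |
    Sort-Object EffectiveUserName -Unique
```

Step 6 is worth scheduling: the output is the list of accounts that can export any mailbox to a PST, so an unexpected name there is an incident, not a configuration detail.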
Before we plunge into the details of what roles, assignments, and policies mean, Table 1 helps establish a context for the discussion by associating various tasks different individuals perform in an Exchange organization with the role group that provides access to the permissions required to execute each task.
Table 1. Linking role groups to tasks

| Task | Role Group required | Notes |
| --- | --- | --- |
| I want to be the manager of the complete Exchange organization. | Organization Management | Some roles have to be explicitly delegated before even a member of the Organization Management group can perform a task. The need to assign the Mailbox Import Export role to an account to gain access to the cmdlets to import or export mailbox data is the best example. |
| I want to be able to see the objects in the Exchange organization, but I don't need to edit anything. | View-Only Organization Management | This role enables its holders to view details of configuration objects (servers, connectors, and so on) and recipients anywhere in the organization. |
| I want to be able to manage mailboxes and distribution groups. | Recipient Management | Members of this role group can create, edit, and delete any mail-enabled object except public folders. |
| I want to be able to help users maintain the settings for their mailboxes. | Help Desk | The Help Desk role group includes the User Options and View-Only Recipients roles. This set of roles might limit the effectiveness of the Help Desk role group in some companies, which is why you can modify role groups to add new roles to expand what the role group members are allowed to do. |
| I want to be able to manage Exchange server configuration settings. | Server Management | Members of this role group are not able to manage recipient objects unless they are also members of the Recipient Management role group. Customizations are possible to restrict the ability to manage specific servers or databases. |
| I need to be able to perform discovery searches and respond to legal actions. | Discovery Management | This role group also enables its members to manage the process of putting mailboxes on an in-place hold. |
| I need to be able to manage public folders. | Public Folder Management | Members of this group can use the public folder management options in EAC to manage public folders. |
| I need to manage different aspects of compliance across the organization. | Records Management | This role group allows its members to manage administrative auditing, message tracking, journaling, retention policies and tags, message classifications, and transport rules. |
| I need to manage the Unified Messaging servers and set up objects such as dial plans. | UM Management | This role group enables administrators to manage the Exchange Unified Messaging application (if deployed within the organization). |
Now that you have some idea of how RBAC might affect the work administrators do and are familiar with the formal definitions of the terms you'll meet, consider what these entities mean in practical terms.