Creating a new role group
Now that you understand the connections among roles, role groups, and assignments, consider how to create a new role group and see what happens to instantiate it. First, decide whether you actually need a new role group. The general approach to creating a new role group is as follows:
1. Write down the need for the new role group and why none of the out-of-the-box role groups is appropriate. It’s always preferable to use one of the default role groups because creation of new role groups increases the level of complexity within the organization.
2. Determine the list of management roles that should be assigned to the new role group and why the members of the role group need to be able to use these roles.
3. Create the new role group with EAC or by running the New-RoleGroup command and assign the roles incorporated in the role group.
4. Assign users to the new role group.
Most companies have help desks that need access to certain functionality to do their work. Exchange 2013 includes a standard Help Desk role group that includes two management roles: the User Options role, which allows access to the Outlook Web App options for other users, and the View-Only Recipients role, which allows view-only access to a number of sections within EAC, including recipients. In some respects, you might consider these roles insufficient for help desk agents to help users simply because they are so limited, and you might wonder why Exchange includes such a relatively insipid role. However, if more capabilities had been assigned to the Help Desk role, help desk personnel might have been given more permissions than necessary. This discussion proves that although the default RBAC roles cover a wide range of scenarios, it is impossible to satisfy everyone unless the ability exists to tailor roles and role groups to meet the specific needs of organizations.
Assume that the Help Desk role group is insufficient for the kind of help desk used by your company. You could edit the standard Help Desk role group and assign additional management roles to the group. You can do this easily with EAC by selecting the Help Desk role group and editing its properties. You can then click Add in the Roles section of the properties to reveal the Select a Role screen illustrated in Figure 3. All known management roles are listed and can be added to the role group. In this instance, the Help Desk personnel should be able to update details for mail recipients (mailboxes, groups, contacts), so you have selected the Mail Recipients management role. After you save the updated role information, the members of the Help Desk role group can run commands such as Set-Mailbox to update properties for a mailbox or Enable-Mailbox to enable an archive through either EAC or EMS. If you run the Get-ManagementRoleEntry command to see the cmdlets that are available to role group members who hold the Mail Recipients role, you’ll note that Mail Recipients is actually quite a powerful role in terms of the number of cmdlets. However, the Mail Recipients role is also restricted in that the vast majority of permissions are for commands that update objects rather than create objects. For instance, you can’t create a new mailbox or contact because the Mail Recipient Creation management role group must be assigned to gain that capability.
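The same Help Desk change can be made from EMS, and the role entry listing the text mentions can be turned into a quick least-privilege check of what the Mail Recipients role really hands out. The following is an added example, not code from the book; it assumes an Exchange Management Shell session with rights to manage RBAC, and the assignment name 'Mail Recipients-Help Desk' is a constructed value (Exchange generates a name if you omit -Name).

```powershell
# Added example (not from the book): EMS equivalent of adding the Mail Recipients
# role to the built-in Help Desk role group, then auditing what that role grants.
# Assumes an Exchange Management Shell session with RBAC management rights.

# 1. Assign the Mail Recipients management role to the Help Desk role group.
#    The -Name value is constructed for this example.
New-ManagementRoleAssignment -Name 'Mail Recipients-Help Desk' `
    -Role 'Mail Recipients' -SecurityGroup 'Help Desk'

# 2. Confirm the role group now holds the role and see the scope it inherited.
Get-ManagementRoleAssignment -RoleAssignee 'Help Desk' |
    Format-Table Name, Role, RecipientWriteScope -AutoSize

# 3. List every cmdlet the Mail Recipients role exposes and group by verb.
#    This is the check behind the "updates, not creates" observation in the text:
#    Set-/Enable-/Disable- entries dominate and New-Mailbox is not in the list.
$entries = Get-ManagementRoleEntry 'Mail Recipients\*'
$entries | Group-Object { $_.Name.Split('-')[0] } |
    Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# 4. RBAC filters at the parameter level, so also review which parameters of a
#    sensitive cmdlet the role permits before handing it to help desk staff.
(Get-ManagementRoleEntry 'Mail Recipients\Set-Mailbox').Parameters
```

Step 3 is the part worth keeping in a change record: the verb breakdown documents why the role was judged acceptable for help desk use, and re-running it after a cumulative update shows whether Microsoft has added entries to the role since.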
For performance reasons, Exchange caches RBAC assignments, so the update for a role group might not be effective for up to 15 minutes after it is made.
Many companies organize help desks into different levels of support. Your adjusted Help Desk role group is probably adequate for the needs of entry-level help desk personnel. Assume now that you want to create a new role group that you assign to level 2 personnel who handle escalations and tasks that require a greater degree of knowledge. One way of achieving your goal is to use another standard role group. For example, the Recipient Management role group contains the following management roles:
Distribution Groups. Enables holders to create and manage groups, including dynamic distribution groups
Mail Recipient Creation. Enables holders to create new mail-enabled recipients such as mailboxes
Mail Recipients. Enables holders to set properties of mail-enabled recipients, including the ability to enable or disable an archive
Message Tracking. Enables holders to track the route messages take through an organization, including those to external recipients up to the point that they are processed by a connector and leave the organization
Migration. Enables holders to create and manage migration batches
Move Mailboxes. Enables holders to move mailboxes by using the New-MoveRequest and associated commands
Recipient Policies. Enables holders to create and amend throttling, Outlook Web App, and ActiveSync policies
Team Mailboxes. Enables holders to manage team mailboxes, including creating new team mailboxes and using commands such as New-SiteMailbox and Get-SiteMailboxDiagnostics
To demonstrate what’s possible, create a new role group instead of just editing the Recipient Management role group. The new role group will include most of the management roles included in Recipient Management and add the Mailbox Import Export role group so that the members of the new role group can import and export mailbox data from and to PSTs.
EAC makes it easy to create a new custom role group based on an existing group by providing a copy option. Select the role group that you want to use as the base and click Copy. EAC then copies the properties of the base group and displays them so that you can make whatever changes are necessary to create the new group. Figure 4 shows the new role group being edited. The new group name is set to Help Desk Level 2, and some descriptive text is provided to inform administrators and other interested parties about why the new role group is needed. To complete the new group, edit the assigned roles as explained earlier, add the names of the users and groups you want to include in the group membership, and then click Save. In addition to creating the new management role group, Exchange also creates a new universal security group with the same name in the Microsoft Exchange Security Groups OU. The new USG is necessary to enable Exchange to assign security principals to the group.
The equivalent EMS command is New-RoleGroup. Here’s an example that creates a new role group and defines the management roles covered by the group and the users who form the group membership:
New-RoleGroup 'Help Admins' -Roles 'Message Tracking', 'Mail Recipients', 'Move Mailboxes' `
    -Members '[email protected]', '[email protected]' -ManagedBy '[email protected]', '[email protected]' `
    -Description 'This group is used by Help Admins'
In this example, specific users are named who will manage the new group. The users specified in the ManagedBy parameter are allowed to manage the group, but they are not members of the group and don’t possess the role unless they are explicitly included in the group membership.
At least one role must be assigned to a new role group when it is created. If you do not assign a scope to the role group, it takes the default scope of the roles included in the group, which is usually organization-wide.
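The four-step approach from the start of this section, the Help Desk Level 2 group built from Recipient Management plus Mailbox Import Export, and the note about the default organization-wide scope can all be carried out in EMS in one pass. The following is an added example, not code from the book; it assumes an Exchange Management Shell session with rights to manage RBAC, and the member address, the roles dropped from the base list, the scope name 'Sales Recipients' and its Department filter are constructed values for illustration.

```powershell
# Added example (not from the book): building Help Desk Level 2 in EMS instead of
# with the EAC Copy option, and giving it a narrower write scope than the default.
# Assumes an Exchange Management Shell session with RBAC management rights.
# The member address, dropped roles, scope name and filter are constructed values.

# Step 1 of the approach: check whether an existing role group already fits
# before creating a new one. This lists every role group with its roles.
Get-RoleGroup | Select-Object Name, @{ n = 'Roles'; e = { $_.Roles -join ', ' } } |
    Format-Table -AutoSize

# Step 2: start from the roles held by Recipient Management and drop the ones
# level 2 help desk staff should not receive (constructed choice: Migration and
# Recipient Policies stay with the messaging team).
$baseRoles = Get-ManagementRoleAssignment -RoleAssignee 'Recipient Management' |
    ForEach-Object { $_.Role.ToString() } | Sort-Object -Unique
$keep = $baseRoles | Where-Object { $_ -notin @('Migration', 'Recipient Policies') }

# Add Mailbox Import Export so members can run New-MailboxImportRequest and
# New-MailboxExportRequest. No default role group holds this role, so the
# description below records why it is needed.
$roles = @($keep) + 'Mailbox Import Export'

# Scope: rather than accept the organization-wide default, restrict writes to the
# recipients this team supports. A management scope is a recipient filter that
# RBAC evaluates on every write. The filter is a constructed example.
New-ManagementScope -Name 'Sales Recipients' `
    -RecipientRestrictionFilter "Department -eq 'Sales'"

# Step 3 and 4: create the role group with its roles, scope, members and a
# description that states the reason the group exists.
New-RoleGroup -Name 'Help Desk Level 2' -Roles $roles `
    -CustomRecipientWriteScope 'Sales Recipients' `
    -Members 'l2agent@example.com' `
    -Description 'Level 2 help desk: escalations and PST import/export for Sales recipients'

# Verify: every assignment carries the custom scope (not Organization), and a
# universal security group of the same name now exists in the
# Microsoft Exchange Security Groups OU, created by Exchange for the group.
Get-ManagementRoleAssignment -RoleAssignee 'Help Desk Level 2' |
    Format-Table Role, RecipientWriteScope, CustomRecipientWriteScope -AutoSize
Get-RoleGroup 'Help Desk Level 2' | Format-List Name, Roles, Members, ManagedBy
Get-Group 'Help Desk Level 2' | Format-List Name, GroupType, OrganizationalUnit
```

Because Exchange caches RBAC assignments, allow up to 15 minutes before testing the new permissions as one of the members; the verification commands above read the assignments directly and reflect the change immediately.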