Just as in Exchange Server 2010, Lync Server 2010 has
introduced the concept of role-based access control (RBAC). RBAC allows
for a degree of flexibility in management of the infrastructure simply
not possible with a traditional approach to administration control. In
prior versions of the product, an administrator typically had full
control of the environment and was able to modify any part of a
deployment. With RBAC, permissions can be defined in a more granular
method so that different levels of administrators can be delegated
specific settings to manage.
Lync Versus Exchange RBAC
The basis for role-based access control is to provide
a specific set of permissions and actions allowed to a group. For those
familiar with Exchange 2010 RBAC, it should be apparent that the Lync
version is not nearly as flexible. Exchange 2010 administrators can
define the exact cmdlets and attributes allowed for each management
role. With Lync Server 2010, administrators can only base new roles on
an existing template. Individual cmdlets cannot be added or removed.
Assignment of a management role can only be done by placing user
accounts within a security group.
Default Roles
Lync Server 2010 ships with several predefined RBAC
roles. These roles exist in any deployment after the preparation steps
have been completed and have a global scope. The default RBAC roles in
Lync Server 2010 include the following:
CsAdministrator— This is the equivalent of RTCUniversalServerAdmins from OCS 2007. Users assigned this role have complete control over any part of the system. They can modify the topology, manage user accounts, and create additional RBAC roles. The CS Administrators group in Active Directory is assigned this role.

CsUserAdministrator— This role corresponds to the RTCUniversalUserAdmins group from OCS 2007. It is geared toward help desk administrators and allows enabling or disabling users for Lync. This role can also move users between pools and assign policies to accounts. The CS User Administrators group in Active Directory is assigned this role.

CsVoiceAdministrator— Users assigned this role can manage any of the voice features found in Lync Server 2010. This includes creation and modification of dial plans, routes, voice policies, and PSTN usages. Typically this role is assigned to telephony or voice team users. The CS Voice Administrators group in Active Directory is assigned this role.

CsServerAdministrator— This role can manage individual Lync servers. It is geared toward users who manage, monitor, and troubleshoot Lync servers. It is a step below the CsAdministrator role because no changes that globally affect the deployment, such as topology modifications, are permitted. This role is typically assigned to users who are responsible for day-to-day operations and management of Lync servers. The CS Server Administrators group in Active Directory is assigned this role.

CsViewOnlyAdministrator— Permits read-only access to the Lync Server deployment. This includes topology, pool, server, and user configuration, but no changes can be made. The CS View-Only Administrators group in Active Directory is assigned this role.

CsHelpDesk— This role is slightly more advanced than CsViewOnlyAdministrator and includes the capability to perform basic troubleshooting. It cannot modify any user properties or assign policies as CsUserAdministrator can. The CS Help Desk group in Active Directory is assigned this role.

CsArchivingAdministrator— Allows modifying the archiving policies and configuration within the organization. This role is intended for compliance or legal department users who are responsible for archiving policies. The CS Archiving Administrators group in Active Directory is assigned this role.

CsResponseGroupAdministrator— This role permits modification of Response Group queues, agent groups, and workflows. It is intended for users who are responsible for a small call center or the interactive voice response (IVR) systems in the organization. The CS Response Group Administrators group in Active Directory is assigned this role.

CsLocationAdministrator— This role has the capability to modify and associate the locations and network subnets involved in E-911. The CS Location Administrators group in Active Directory is assigned this role.
Note
Do not modify the default RBAC roles. Instead, create new roles to suit the needs of each organization.
Creating New Roles
Organizations can build on the default RBAC roles by
creating their own custom roles. To create a new role, use the following
steps:
1. Create a security group with the same name as what the role will be named.
2. Identify a pre-existing RBAC role that contains most of the cmdlets required for the new role. It will serve as a template for the new role.
3. Decide on a Lync server scope for the new role. This can be a global site, a single site, or multiple sites.
4. (Optional) Decide on an organization scope for the new role. A role can be limited to affect only user accounts within a specific OU in Active Directory.
To create a new RBAC role, use the following syntax within the Lync Management Shell:
New-CsAdminRole -Identity <AD Security Group Name> -Template <Pre-Existing Role Name> -ConfigScopes <Lync Configuration Scope> -UserScopes <Organizational Units>
For example, to create a new role called SanFranciscoUserAdmins scoped to the SF site and the SF OU, use the following syntax:
New-CsAdminRole -Identity SanFranciscoUserAdmins -Template CsUserAdministrator -ConfigScopes "site:SF" -UserScopes "OU:OU=SF Users,OU=Company ABC,DC=companyabc,DC=com"
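The four steps above carried through as one script, followed by the checks an administrator would run before handing the role out (an added example, not from the book). It assumes the site ID SF, the OU paths shown, the account jdoe and the group OU are placeholders, and that the ActiveDirectory module is loaded alongside the Lync Management Shell.

```powershell
# Added example: create a site- and OU-scoped RBAC role in Lync Server 2010.
# All names below are placeholders for this example, not values from the book.
Import-Module ActiveDirectory

$RoleName  = 'SanFranciscoUserAdmins'
$Template  = 'CsUserAdministrator'                                # step 2: closest default role
$SiteScope = 'site:SF'                                            # step 3: Lync configuration scope
$UserOU    = 'OU=SF Users,OU=Company ABC,DC=companyabc,DC=com'    # step 4: organization scope
$GroupPath = 'OU=Lync Admin Groups,DC=companyabc,DC=com'          # assumed OU holding the group

# Step 1: the role takes its identity from a universal security group of the same name,
# which must exist before New-CsAdminRole is run.
if (-not (Get-ADGroup -Filter "Name -eq '$RoleName'")) {
    New-ADGroup -Name $RoleName -SamAccountName $RoleName `
        -GroupCategory Security -GroupScope Universal -Path $GroupPath
}

# Steps 2-4: clone the template role, limited to one site and one OU.
# The UserScopes value carries an "OU:" prefix in front of the distinguished name.
New-CsAdminRole -Identity $RoleName -Template $Template `
    -ConfigScopes $SiteScope -UserScopes "OU:$UserOU"

# Delegation: group membership is the only way an account receives the role.
Add-ADGroupMember -Identity $RoleName -Members 'jdoe'

# Verify that the scopes applied as intended; a role created without
# -ConfigScopes or -UserScopes is global, which is rarely what was delegated.
Get-CsAdminRole -Identity $RoleName |
    Select-Object Identity, Template, ConfigScopes, UserScopes

# Periodic review: list every role an account holds through its group memberships.
Get-CsAdminRoleAssignment -Identity 'jdoe'
```

Re-run the last two commands as part of access reviews; the role definition is read from Lync, while the membership that grants it lives only in Active Directory.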