
Design and Manage an

Exchange Infrastructure:
Plan and Manage Role Based
Access Control (RBAC)


Plan and manage Role Based Access
Control (RBAC)
This objective may include but is not
limited to:
Determine appropriate RBAC roles and cmdlets
Limit administration using existing role groups
Configure a custom-scoped role group
Evaluate differences between RBAC and Active
Directory split permissions
Configure delegated setup
Company: Micromanagement Moguls
They love being able to assist companies in
breaking up responsibilities

Problem:
Unlike earlier versions of Exchange, which used ACLs, role based access
control, although easy on the surface through the GUI, can become a bit
more complicated at the PowerShell level

Goal:
To demonstrate how they can work with
PowerShell to accomplish more detailed RBAC
work
Scenario: Micromanagement Moguls
Prior to RBAC, permission configuration was handled through ACLs

RBAC is actually, at the core, PowerShell cmdlets
and parameters

Rather than having administrators concerned with
cmdlets, those cmdlets are grouped into roles
which are organized into role groups
Role Based Access Control 101
Role Groups: There are 12 different built-in admin
role groups
Note: These role groups are also security groups in Active Directory

Roles: One or more Roles are assigned to each
role group

Roles have underlying cmdlets and parameters, but the EAC doesn't show
you too much
Assigning built-in role groups can all be done through the EAC
RBAC Defined Role Groups
Cmdlets that you will be using with RBAC include
the following:


EMS Control of RBAC
Verbs                   Component                 Example
New/Get/Remove          ManagementRole            New-ManagementRole
Add/Get/Remove/Set      ManagementRoleEntry       Get-ManagementRoleEntry
Get/New/Remove/Set      RoleGroup                 Set-RoleGroup
Add/Get/Remove/Update   RoleGroupMember           Update-RoleGroupMember
Get/New/Remove/Set      RoleAssignmentPolicy      Remove-RoleAssignmentPolicy
Get/New/Remove/Set      ManagementRoleAssignment  Get-ManagementRoleAssignment
Get/New/Remove/Set      ManagementScope           New-ManagementScope
Note: You might enjoy using other tools to work with RBAC, like the RBAC
Manager from CodePlex (and you can see quite a bit through ADSI Edit)
Let's pick a built-in role group like Public Folder Management, which
contains only two assigned roles: Mail Enabled Public Folders and Public
Folders

To get the list of management role entries, use:
Get-ManagementRoleEntry "<role name>\*" | fl Name

To get the list of parameters for a specific entry:
(Get-ManagementRoleEntry "<role name>\Get-Mailbox").Parameters

To see which roles allow certain cmdlets to run:
Get-ManagementRoleEntry *\New-MailboxImportRequest
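The lookup above answers "which roles contain this cmdlet"; for a permissions review you usually want the next step too, namely which people end up holding those roles and against which recipients. As an added example (not part of the original deck), this script chains the two RBAC cmdlets shown on this page to produce that report. It assumes an Exchange Management Shell session; the cmdlet name is a constructed input.

```powershell
# Added example: audit who can effectively run one cmdlet, and with what scope.
# Assumes an Exchange Management Shell session (EMS). $Cmdlet is a constructed
# input; swap in any cmdlet you are reviewing.
$Cmdlet = 'New-MailboxImportRequest'

# Step 1: which management roles contain an entry for this cmdlet?
# The role entry's Role property names the role the entry belongs to.
$roles = Get-ManagementRoleEntry "*\$Cmdlet" |
    ForEach-Object { $_.Role } |
    Sort-Object -Unique

# Step 2: for each role, resolve enabled assignments down to individual users.
# -GetEffectiveUsers expands role group membership (including nested groups),
# so the report lists people rather than only the security groups they sit in.
# The write scope columns show what those people may act on.
$report = foreach ($role in $roles) {
    Get-ManagementRoleAssignment -Role $role -GetEffectiveUsers -Enabled $true |
        Select-Object @{ Name = 'Cmdlet'; Expression = { $Cmdlet } },
                      Role,
                      RoleAssigneeName,
                      RoleAssigneeType,
                      EffectiveUserName,
                      RecipientWriteScope,
                      CustomRecipientWriteScope
}

# One row per (user, role) pair; unexpected names here are the finding.
$report | Sort-Object EffectiveUserName, Role | Format-Table -AutoSize
```

Run it for each sensitive cmdlet in turn (export, search and impersonation cmdlets are the usual candidates) and compare the user list against who is supposed to hold that access.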


What's in a Role?
First try to work with built-in role groups and roles

To create a new custom management role you need to start with an
existing management role (which is the parent)

To create a new role based on Mailbox Import Export:
New-ManagementRole -Name "Mailbox Import Only" -Parent "Mailbox Import Export"

To view the newly created role, which has the same role entries
as the parent:
Get-ManagementRoleEntry "Mailbox Import Only\*"

To remove the Mailbox Export Request entries:
Get-ManagementRoleEntry "Mailbox Import Only\*-MailboxExportRequest" | Remove-ManagementRoleEntry -Confirm:$false



Role Customization
You can use the EMS, EAC, RBAC Manager or add
an account directly to a security group in AD to
assign permission

You can also directly assign roles to administrators:
New-ManagementRoleAssignment -User "Alan Wright" -Role "Mailbox Import Only"
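The steps on these slides (child role, trimmed entries, direct assignment) stop short of the objective's "custom-scoped role group". As an added example that is not part of the original deck, the sequence below carries them through to a role group whose role can only touch recipients in one OU. It assumes an Exchange Management Shell session; the scope name, OU path, group name and member are constructed placeholders.

```powershell
# Added example: a custom-scoped role group for the Mailbox Import Only role.
# Assumes EMS. "Sales Recipients", contoso.com/Sales, "Sales Mailbox Importers"
# and "Alan Wright" are constructed placeholders.

# 1. Child role from the built-in parent, then strip the export entries so the
#    role can bring mail in but never take mailbox content out.
New-ManagementRole -Name "Mailbox Import Only" -Parent "Mailbox Import Export"
Get-ManagementRoleEntry "Mailbox Import Only\*-MailboxExportRequest" |
    Remove-ManagementRoleEntry -Confirm:$false

# 2. A recipient write scope: rooted at one OU and narrowed to user mailboxes,
#    so the role cannot be used against recipients elsewhere in the forest.
New-ManagementScope -Name "Sales Recipients" `
    -RecipientRoot "contoso.com/Sales" `
    -RecipientRestrictionFilter "RecipientType -eq 'UserMailbox'"

# 3. A role group carrying the role, bound to the scope, with its members.
#    Role groups are also AD security groups (see the note above), so this is
#    the object to review in AD as well as in EMS. Preferred over a direct
#    user assignment because membership, not a per-user assignment, is audited.
New-RoleGroup -Name "Sales Mailbox Importers" `
    -Roles "Mailbox Import Only" `
    -CustomRecipientWriteScope "Sales Recipients" `
    -Members "Alan Wright" `
    -Description "Imports PSTs into Sales mailboxes only; no export"

# 4. Verify what was granted: the remaining entries, and the assignment with
#    its effective write scope.
Get-ManagementRoleEntry "Mailbox Import Only\*" |
    Format-Table Name, Parameters -AutoSize
Get-ManagementRoleAssignment -RoleAssignee "Sales Mailbox Importers" |
    Format-List Role, RecipientWriteScope, CustomRecipientWriteScope
```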



Directly Assign Roles to Administrators
Assigned to users using a role assignment policy

Mailboxes can only have one policy applied

Default Roles include
MyBaseOptions
MyContactInformation
MyVoiceMail
MyTextMessaging
MyDistributionGroupMembership
MyMarketPlaceApps
MyTeamMailboxes
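A role assignment policy is also where end-user self-service gets trimmed. As an added example (not from the original deck), this builds a policy from the default roles listed above minus MyDistributionGroupMembership, applies it, and checks which mailboxes still carry the original policy. It assumes EMS; the policy name and mailbox identity are constructed placeholders.

```powershell
# Added example: a tighter end-user role assignment policy.
# Assumes EMS. "Restricted Users" and "alan.wright" are constructed placeholders.

# Keep the default self-service roles named on the slide, but drop
# MyDistributionGroupMembership so users cannot join or leave groups themselves.
$keep = 'MyBaseOptions', 'MyContactInformation', 'MyVoiceMail',
        'MyTextMessaging', 'MyTeamMailboxes'

New-RoleAssignmentPolicy -Name "Restricted Users" -Roles $keep `
    -Description "Default roles minus self-service group membership"

# A mailbox holds exactly one policy: assign it explicitly to one mailbox...
Set-Mailbox -Identity "alan.wright" -RoleAssignmentPolicy "Restricted Users"

# ...and make it the default so newly created mailboxes receive it.
Set-RoleAssignmentPolicy -Identity "Restricted Users" -IsDefault

# Verify the roles the policy grants (they appear as role assignments whose
# assignee is the policy) and find mailboxes still on the built-in default.
Get-ManagementRoleAssignment -RoleAssignee "Restricted Users" |
    Format-Table Role, RoleAssigneeType -AutoSize
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.RoleAssignmentPolicy -eq 'Default Role Assignment Policy' } |
    Select-Object Name, RoleAssignmentPolicy
```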
User Roles
The default permissions model is called shared permissions, where
management of Exchange is not split and you can use the Exchange tools
to create security principals (like user objects) in AD

In larger organizations there is a line between administrators that
handle Exchange and those that handle Active Directory, and you can
implement this using a split permissions model
A Split Permissions Model
A Split Permissions Model (cont.)
The Delegated Setup management role group
allows administrators to deploy Exchange 2013

Just because you can deploy Exchange doesn't mean you can manage the
server (that requires you to be part of the Server Management role
group)

Note: Provision a new server by using the
command:
setup /NewProvisionedServer:servername
Delegated Setup
We've recommended they use built-in role groups, but these folks are all
about control down to the parameter level, so they are going to be making
new child roles and new role groups

Circumstances do not require a split permissions model in their case,
nor do they need to be concerned with delegated setup
Scenario: Micromanagement Moguls
Additional Research
RBAC Manager R2 for Exchange 2010/2013/Office 365
http://rbac.codeplex.com/

Understanding Split Permissions
http://technet.microsoft.com/en-us/library/dd638106(v=exchg.150).aspx

Mastering Exchange 2013
http://www.amazon.com search for
Mastering Exchange 2013
