Exchange 2010: Role Based Access Control (RBAC) Deep Dive

Mike Pfeiffer, Systems Instructor, Interface Technical Training

What is RBAC?

o Simplified access control administration

o Admins don’t deal with ACLs in AD or Exchange

o Permissions are focused on tasks, not objects

o Granular Delegation of Rights

o Self-Service management

How RBAC Works

o Tasks are carried out by cmdlets through Remote PowerShell

o Tasks run under the security context of the Exchange servers

o Exchange servers have rights in Active Directory

How RBAC Works

o Scope (Where): Defines objects a role can act on

o Role (What): Set of cmdlets and parameters

o Role Group (Who): Active Directory Security Group

o Role Assignment (Glue): Links the Who, What, and Where

How RBAC Works

The Where

o Management Scope defines the “Where”

o Default Scope is Inherited

o Recipients

– Recipient Root

– Recipient Filter

o Servers

– Server List

– Server Filter

o Databases

– Database List

– Database Filter

The What

o Management Roles define the “What”

o Get-ManagementRole

o Get-ManagementRoleEntry

o Defines:

– Cmdlets

– Parameters

The Who

o Role Groups

o Active Directory Security Groups

o User Accounts

The Glue

o Management Role Assignments

o Define:

– Scope

– Role

– Group or User

o Everything gets stuck together using a Role Assignment

Demo – RBAC for Administrators

o Scenario

– Support personnel should be able to create Exchange recipients in the Sales OU in AD

– Support personnel should not be able to create Exchange recipients in any other OU in AD

– Support personnel should not be able to remove recipients in the Sales OU, or any other OU in AD
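The four pieces described on the preceding slides (scope for the Where, role for the What, role group for the Who, and the role assignment that glues them) wired together for this support-desk scenario. This is an added Exchange Management Shell example, not code from the deck or from Mike Pfeiffer. The OU path contoso.com/Sales, the scope, role and role group names, and the member account support1 are constructed assumptions; Mail Recipient Creation is a built-in Exchange 2010 role used here as the parent.

```powershell
# Added example, not from the deck. Run in the Exchange Management Shell on
# Exchange 2010 as a member of Organization Management.
# Assumed (constructed) values: the OU path "contoso.com/Sales", the scope,
# role and role group names, and the member account "support1".
# "Mail Recipient Creation" is a built-in Exchange 2010 role.

# WHERE: a management scope whose recipient root is the Sales OU.
# -RecipientRoot must be paired with -RecipientRestrictionFilter; the filter
# here admits the recipient types support staff are expected to create, so
# the OU boundary is what actually limits the group.
New-ManagementScope -Name "Sales OU Recipients" `
    -RecipientRoot "contoso.com/Sales" `
    -RecipientRestrictionFilter { RecipientType -eq "UserMailbox" -or RecipientType -eq "MailUser" -or RecipientType -eq "MailContact" }

# WHAT: built-in roles cannot be edited, so derive a child role (it starts as
# a full copy of the parent's entries) and drop every Remove-* entry from it.
# Support can then create recipients but never delete them.
New-ManagementRole -Name "Sales Recipient Creation" -Parent "Mail Recipient Creation"
Get-ManagementRoleEntry "Sales Recipient Creation\Remove-*" -ErrorAction SilentlyContinue |
    Remove-ManagementRoleEntry -Confirm:$false

# WHO: a role group (a universal security group in AD) holding the staff.
New-RoleGroup -Name "Sales Support" -Members "support1"

# GLUE: the assignment ties Who (role group) to What (role) inside Where (scope).
New-ManagementRoleAssignment -Name "Sales Recipient Creation-Sales Support" `
    -SecurityGroup "Sales Support" `
    -Role "Sales Recipient Creation" `
    -CustomRecipientWriteScope "Sales OU Recipients"

# Check 1: the assignment carries the custom recipient write scope.
Get-ManagementRoleAssignment -RoleAssignee "Sales Support" |
    Format-Table Name, Role, RecipientWriteScope, CustomRecipientWriteScope -AutoSize

# Check 2: the child role has no Remove-* entries left (expect no output).
Get-ManagementRoleEntry "Sales Recipient Creation\*" |
    Where-Object { $_.Name -like "Remove-*" }
```

With this in place a member of Sales Support can run New-Mailbox with -OrganizationalUnit "contoso.com/Sales", while the same cmdlet against any other OU is refused by the write scope, and Remove-Mailbox is simply not available to the session because no assigned role contains it. Deriving a child role rather than trimming the parent matters: the built-in role stays intact for every other assignment that uses it.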

RBAC for End-Users

o Role Assignment Policies

o Set Per Mailbox using the RoleAssignmentPolicy attribute

o One Created by Default

Demo – RBAC for End-Users

o Scenario

– End-Users can currently modify their Work, Fax, Mobile, and Home Phone numbers in ECP

– End-Users should only be allowed to modify their Home Phone number in ECP

Distribution Group Management

o MyDistributionGroups Role

o Not Assigned by Default

o Allows End-Users to manage membership of DGs they own

o Allows End-Users to add DGs

Demo – RBAC for End-Users

o Scenario

– End-Users need to manage the membership of DGs they own

– End-Users should not be able to add or remove DGs
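Both end-user demos above (Home Phone only in ECP, and DG membership without create or delete) follow the same pattern: derive a child role from the built-in end-user role, trim it, and hang it on a role assignment policy. This is an added Exchange Management Shell example, not code from the deck or from Mike Pfeiffer. It assumes the built-in parent roles MyContactInformation and MyDistributionGroups, the built-in policy name Default Role Assignment Policy, and the Set-User parameter names Phone, Fax, MobilePhone and HomePhone; the custom role and policy names and the mailbox identity sales.user are constructed.

```powershell
# Added example, not from the deck. Exchange Management Shell, Exchange 2010.
# Assumptions: built-in parent roles "MyContactInformation" and
# "MyDistributionGroups", the built-in "Default Role Assignment Policy",
# Set-User parameters Phone/Fax/MobilePhone/HomePhone. Custom names and the
# mailbox "sales.user" are constructed.

# ----- Demo: users may edit only their Home Phone in ECP -----

# The child role starts as a full copy of the parent's role entries.
New-ManagementRole -Name "MyHomePhoneOnly" -Parent "MyContactInformation"

# Trim the Set-User entry: remove the parameters users must not change.
# A role entry is cmdlet + allowed parameters, so this is parameter-level control.
Set-ManagementRoleEntry "MyHomePhoneOnly\Set-User" `
    -Parameters Phone, Fax, MobilePhone -RemoveParameter

# Verify what the entry still permits (HomePhone should remain in the list).
Get-ManagementRoleEntry "MyHomePhoneOnly\Set-User" | Format-List Name, Parameters

# Swap the assignment on the default policy: add the trimmed role, then remove
# the parent role's assignment so users no longer get the wider entry.
New-ManagementRoleAssignment -Role "MyHomePhoneOnly" -Policy "Default Role Assignment Policy"
Get-ManagementRoleAssignment -Role "MyContactInformation" -RoleAssignee "Default Role Assignment Policy" |
    Remove-ManagementRoleAssignment -Confirm:$false

# ----- Demo: owners manage DG membership but cannot add or remove DGs -----

# MyDistributionGroups is not assigned by default, so there is no parent
# assignment to remove; derive, trim the two cmdlets, and assign.
New-ManagementRole -Name "MyDGMembershipOnly" -Parent "MyDistributionGroups"
Remove-ManagementRoleEntry "MyDGMembershipOnly\New-DistributionGroup"    -Confirm:$false
Remove-ManagementRoleEntry "MyDGMembershipOnly\Remove-DistributionGroup" -Confirm:$false
New-ManagementRoleAssignment -Role "MyDGMembershipOnly" -Policy "Default Role Assignment Policy"

# Verify: the trimmed role keeps the membership cmdlets and nothing that
# creates or deletes a group.
Get-ManagementRoleEntry "MyDGMembershipOnly\*" | Format-Table Name -AutoSize

# ----- Per-mailbox targeting via the RoleAssignmentPolicy attribute -----
# Instead of changing the default policy, a separate policy can be built and
# stamped on selected mailboxes only.
New-RoleAssignmentPolicy -Name "Restricted Self-Service" `
    -Roles "MyBaseOptions", "MyHomePhoneOnly", "MyDGMembershipOnly"
Set-Mailbox -Identity "sales.user" -RoleAssignmentPolicy "Restricted Self-Service"
Get-Mailbox -Identity "sales.user" | Format-List RoleAssignmentPolicy
```

The order of the two assignment changes in the first demo is deliberate: add the trimmed role before removing the parent assignment, so there is no window in which users have lost ECP contact editing entirely. Because RBAC evaluates the union of all assigned roles, leaving the parent assignment in place would silently keep the wider parameter set available.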

Troubleshooting RBAC

o Get-ManagementRoleAssignment

– -GetEffectiveUsers

– -WritableRecipient, -WritableServer, -WritableDatabase

o Get-ManagementRoleEntry

– Supports Wildcards

o Get-ManagementRole

– -Cmdlet

– -CmdletParameters
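The troubleshooting cmdlets on this slide, each applied to the question an administrator is actually asking when an RBAC change does not behave as expected. This is an added Exchange Management Shell example, not code from the deck or from Mike Pfeiffer. The recipient sales.user@contoso.com, the server EX01, the database DB01, the account support1 and the role group Sales Support are constructed assumptions; the cmdlets and parameters are the ones named on the slide.

```powershell
# Added example, not from the deck. Exchange Management Shell, Exchange 2010.
# Constructed identities: recipient "sales.user@contoso.com", server "EX01",
# database "DB01", account "support1", role group "Sales Support".

# Q1: Who can write to this recipient? Role groups are expanded to the
# individual users with -GetEffectiveUsers, which is what you need when the
# assignee column only shows a group name.
Get-ManagementRoleAssignment -WritableRecipient "sales.user@contoso.com" -GetEffectiveUsers |
    Format-Table EffectiveUserName, Role, RoleAssigneeName, RecipientWriteScope -AutoSize

# Q2: Same question for a server and for a database (configuration scope).
Get-ManagementRoleAssignment -WritableServer "EX01" -GetEffectiveUsers |
    Format-Table EffectiveUserName, Role, ConfigWriteScope -AutoSize
Get-ManagementRoleAssignment -WritableDatabase "DB01" -GetEffectiveUsers |
    Format-Table EffectiveUserName, Role, ConfigWriteScope -AutoSize

# Q3: What does one role group hold, and with which write scopes?
Get-ManagementRoleAssignment -RoleAssignee "Sales Support" |
    Format-Table Name, Role, RecipientWriteScope, CustomRecipientWriteScope, Enabled -AutoSize

# Q4: Does a particular user end up with an assignment at all? Filter the
# effective-user expansion down to that account.
Get-ManagementRoleAssignment -GetEffectiveUsers |
    Where-Object { $_.EffectiveUserName -eq "support1" } |
    Format-Table Role, RoleAssigneeName, RecipientWriteScope -AutoSize

# Q5: Which roles contain a cmdlet, and which contain it with a given parameter?
# Useful when a user can run a cmdlet you thought was removed: the answer is
# usually a second role that also carries it.
Get-ManagementRole -Cmdlet Remove-Mailbox | Format-Table Name -AutoSize
Get-ManagementRole -Cmdlet Set-User -CmdletParameters HomePhone | Format-Table Name -AutoSize

# Q6: Wildcards on role entries: every role's Set-User entry side by side,
# showing exactly which parameters each role allows.
Get-ManagementRoleEntry "*\Set-User" | Format-Table Role, Name, Parameters -AutoSize
```

When the question is "why can this person still do X", Q5 and Q6 are usually the fastest route: an effective user's rights are the union of every role reaching them, so a cmdlet or parameter removed from one role can remain available through another assignment, and these queries show every role that still carries it.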

Thank You!

o Blog: www.mikepfeiffer.net

o E-Mail: [email protected]

o Twitter: @mike_pfeiffer