Exchange 2010: Role Based Access Control (RBAC) Deep Dive
Mike Pfeiffer, Systems Instructor, Interface Technical Training
What is RBAC?
o Simplified access control administration
o Admins don’t deal with ACLs in AD or Exchange
o Permissions are focused on tasks, not objects
o Granular Delegation of Rights
o Self-Service management
How RBAC Works
o Tasks are carried out by cmdlets through Remote PowerShell
o Tasks run under the security context of the Exchange servers
o Exchange servers have rights in Active Directory
How RBAC Works
o Scope (Where): Defines the objects a role can act on
o Role (What): Set of cmdlets and parameters
o Role Group (Who): Active Directory security group
o Role Assignment (Glue): Links the Who, What, and Where
The Where
o Management Scope defines the “Where”
o Default Scope is Inherited
o Recipients
– Recipient Root
– Recipient Filter
o Servers
– Server List
– Server Filter
o Databases
– Database List
– Database Filter
The What
o Management Roles define the “What”
o Get-ManagementRole
o Get-ManagementRoleEntry
o Defines:
– Cmdlets
– Parameters
The Glue
o Management Role Assignments
o Define:
– Scope
– Role
– Group or User
o Everything gets stuck together using a Role Assignment
Demo – RBAC for Administrators
o Scenario
– Support personnel should be able to create Exchange recipients in the Sales OU in AD
– Support personnel should not be able to create Exchange recipients in any other OU in AD
– Support personnel should not be able to remove recipients in the Sales OU, or any other OU in AD
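The administrator scenario above, worked through as an added Exchange Management Shell example (it is not code from the presentation). The scope, role and role group names, the OU path contoso.com/Sales, the "Support Staff" AD group and the marketing.user address are placeholders; the built-in "Mail Recipient Creation" role and the cmdlets are real Exchange 2010 RBAC cmdlets.

```powershell
# Added example: building the "Where", "What", "Who" and "Glue" for the
# support-staff scenario. Placeholder names: "Sales OU Recipients",
# "Sales Recipient Creation", "Sales Support", contoso.com/Sales,
# "Support Staff", marketing.user@contoso.com.

# 1. The Where: a custom scope limited to recipients under the Sales OU.
#    -RecipientRoot must be paired with -RecipientRestrictionFilter; this
#    filter covers mailboxes, mail users and mail contacts beneath the root.
New-ManagementScope -Name "Sales OU Recipients" `
    -RecipientRoot "contoso.com/Sales" `
    -RecipientRestrictionFilter { (RecipientType -eq "UserMailbox") -or (RecipientType -eq "MailUser") -or (RecipientType -eq "MailContact") }

# 2. The What: a child of the built-in "Mail Recipient Creation" role with
#    every Remove-* entry (Remove-Mailbox, Remove-MailContact, ...) stripped,
#    so members can create recipients but never delete them. The wildcard in
#    the role entry identity is the one the "Troubleshooting RBAC" slide notes.
New-ManagementRole -Name "Sales Recipient Creation" `
    -Parent "Mail Recipient Creation"
Get-ManagementRoleEntry "Sales Recipient Creation\Remove-*" |
    Remove-ManagementRoleEntry -Confirm:$false

# 3. The Who and the Glue: a role group whose role assignment carries the
#    custom recipient write scope. New-RoleGroup creates the assignment, so
#    the Sales OU restriction applies to every member of the group.
New-RoleGroup -Name "Sales Support" `
    -Roles "Sales Recipient Creation" `
    -CustomRecipientWriteScope "Sales OU Recipients" `
    -Members "Support Staff"

# 4. Verify with the troubleshooting cmdlets from the last slide.
#    a) The assignment should show the custom write scope.
Get-ManagementRoleAssignment -RoleAssignee "Sales Support" |
    Format-List Role, RecipientWriteScope, CustomRecipientWriteScope
#    b) The role should contain no Remove-* entries (expect no output).
Get-ManagementRoleEntry "Sales Recipient Creation\*" |
    Where-Object { $_.Name -like "Remove-*" }
#    c) A recipient outside the Sales OU should not list "Sales Support"
#       among the assignments able to write it.
Get-ManagementRoleAssignment -WritableRecipient "marketing.user@contoso.com" `
    -GetEffectiveUsers |
    Format-Table Role, RoleAssigneeName, EffectiveUserName
```

If step 4c does list the new assignment, the scope's recipient root or filter is wider than intended and should be corrected before anyone is added to the group.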
RBAC for End-Users
o Role Assignment Policies
o Set Per Mailbox using the RoleAssignmentPolicy attribute
o One Created by Default
Demo – RBAC for End-Users
o Scenario
– End-Users can currently modify their Work, Fax, Mobile, and Home Phone numbers in ECP
– End-Users should only be allowed to modify their Home Phone number in ECP
Distribution Group Management
o MyDistributionGroups Role
o Not Assigned by Default
o Allows End-Users to manage membership of DGs they own
o Allows End-Users to add DGs
Demo – RBAC for End-Users
o Scenario
– End-Users need to manage the membership of DGs they own
– End-Users should not be able to add or remove DGs
Troubleshooting RBAC
o Get-ManagementRoleAssignment
– GetEffectiveUsers
– WritableRecipient, WritableServer, WritableDatabase
o Get-ManagementRoleEntry
– Supports Wildcards
o Get-ManagementRole
– Cmdlet
– CmdletParameters