May 21, 2013

Exchange 2010 and RBAC roles

RBAC roles are "Role Based Access Control" in Exchange 2010. If you are familiar with previous versions of Exchange say 2003, these permissions were already included and accessible through the Systems Manager. 
In Exchange 2010, you have to assign these permissions based on a persons level of administrative rights.

Some key RBAC roles are used almost immediately such as Organization Management, Discovery management, Server Management and Public Folder Management

Assigning RBAC role example:

For individuals:

New-ManagementRoleAssignment -Role "Mailbox Import Export" -User <username>
For groups (ie: the Enterprise team) 

New-ManagementRoleAssignment -Role "Mailbox Import Export" -SecurityGroup "Enterprise Support" 

To find all Management roles in your organisation including custom built ones:

1) Go to EMC, click on Toolbox and click on RBAC to see a list of Management Roles

2) Get-RoleGroup | ft Name, Roles

There are about 11 pre-defined Management Role groups in Exchange 2010. They can be found within the Exchange Management Console under Tool Box > RBAC and are as listed below:

  1. Delegated Setup - For admins who need to deploy Exchange 2010 servers but not administer, a new Exchange 2010 server.Deployment can only be performed on servers that have already been provisioned by an administrator with additional permissions.
  2. Discovery Management - For admins who need to perform searches of mailboxes for data that meet specific criteria as well as implement the Legal Hold feature of Exchange 2010.
  3. Help Desk - For HelpDesk Admins who are trusted with level 1 tasks such as modifying users’ details such as their address and phone number.
  4. Hygiene Management - For administrators who need to manage and configure the antivirus and anti-spam features of Exchange.
  5. Organization Management - For admins who need to have full administrative access to the entire Exchange 2010 organization. This gives the administrator the ability to perform pretty much any task in Exchange 2010 except for tasks related to the Discovery Management Role.
  6. Public Folder Management - For administrators who need to manage public folders and databases on servers running Exchange 2010.
  7. Recipient Management - For admins who need to manage Exchange 2010 recipients.
  8. Records Management - For administrators who need to configure The Exchange compliance features such as retention policies, message classifications, and transport rules configured on the Hub Transport server.
  9. Server Management - For admins who need to set server-specific configurations of transport, Unified Messaging, client access, and mailbox features.
  10. UM Management - For admins who need to manage Unified Messaging related server configurations.
  11. View-Only Organization Management - For administrators who need to view the properties of any object in Exchange.


No comments:

Post a Comment