In this third article we are going to cover the permissions side of the Exchange Control Panel, where we will be using RBAC to manage permissions at administrative and end-user level.
Published: Mar 01, 2012
Updated: Mar 16, 2012
Section: Management & Administration
Author: Anderson Patricio
Managing administrative roles…
The RBAC (Role Based Access Control) was introduced in Exchange Server 2010, where we don’t need to manage Access Control Lists in order to have access to resources. Using RBAC we can create rules set to administrators and end-users. Also, we can use all the flexibility provided by the new model to create specific security requirements for our organization.
RBAC allows great flexibility to provide specific permissions to a user or a group, or remove a specific cmdlet from a role assigned to a user. In order to do that, we need to use the Exchange Management Shell, however, most scenarios don’t require that much to configure their permissions. Using either the Exchange Management Console / Toolbox and then the Role Based Access Control (RBAC) User Editor (Figure 01) or by going straight to Exchange Control Panel we are able to manage RBAC permissions with a few clicks without having to memorize all cmdlets.
Figure 01
Let’s click on Roles & Auditing and we should be able to see three items: Administrator Roles, User Roles andAuditing. In the Administrator Roles, all the Role Groups will be listed on the main page (Figure 02) and we can create new ones, delete and copy roles. We can use a built-in role as a template for a new role required by our organization. A great feature of this page is the Role Group on the left which gives us information about the Role Group, such as: assigned roles, Members and write scope.
Figure 02
Let’s say that we have created Organization Units for each of the countries that our company has offices in and we delegate the administration of those OUs to a local group in each country. Let’s say that the OU named Uruguay has a Group called URU-Admins and that group has delegation to manage objects just at Uruguay OU level.
In the main office we need to make sure that the group is able to manage recipients in Exchange Server, so we can click on New…, the first step is to assign a name and we will use URU-Admins and as per our scenario requirements we want the group to manage objects only in the OU where they have delegation in place, and for that reason let’s use domain.local/OUName format in the Organization Unit field, as shown in Figure 03.
Figure 03
The second part of the new Role Group is to define which roles will be assigned to this new group. Let’s click onAdd… and a new page will be displayed with all roles (Figure 04). The best part is that for each role selected a brief description, recipient scope and configuration scope of the role will be displayed on the right side. In our organization we want to make sure that the administrators can see the configuration and for that reason we are going to give them: View-Only Configuration and View-Only Recipient. We also want them to manage their objects and for that matter we are going to assign them the Mail Recipient Creation and Mail Recipients roles as well. After choosing the roles, click OK.
Figure 04
Now that we have the roles in place we can define the members of this new Role Group and based on our scenario set the admin group which is URU-Admins, as shown in Figure 05. Then click Save.
Figure 05
Now, the members of the group URU-Admins can use the Exchange Management Shell, the Exchange Management Console or the Exchange Control Panel to manage their objects. Because we set the delegation permissions in AD to be restricted to their OU plus the current configuration using RBAC, they will be able to manage objects only in their own OU. However, they will be able to see the general configuration of the environment due the View Only roles that we added to them.
Managing User Roles…
Besides of the Administrative permissions we can define end-user configuration using RBAC, and we can manage those roles and assign them to the end-users using either Exchange Control Panel or Exchange Management Shell. The features defined here and assigned to the users will allow the end-users to use such features on their Outlook Web App session. They can also manage their own mailbox object (such as change their Active Directory attributes, phone options and so forth) always based on the permission that they have assigned.
In order to manage User Roles click Role & Auditing, and then User Roles (Figure 06). By default we are going to have a single entry which is Default Role Assignment Policy, we can edit the current policy which is assigned to all users by double clicking on it or just by clicking Details. In the same page we can also delete previously created Role Assignment Policies, however, we must make sure that the policy that is going to be deleted is not assigned to the users. If it is, then the removal process will fail. The last point that I would like to point out is the information on the right side which contains all the information about the selected role on the left side.
Figure 06
Let’s create a new User Role policy by clicking New… In the new page we can define a name and a description and we can select which options we want to enable to the end-users. In this article let’s enable all features and click Save, as shown in Figure 07.
Figure 07
Now, we will be able to see the new Role Assignment Policy listed on the main page. In order to test it, go toUsers & Groups, then Mailboxes and double click on the desired mailbox, expand the Mailbox Settings section, and select the Role assignment policy that we have just created (AndersonPatricio.org – user full features policy) and click Save (Figure 08).
Figure 08
After assigning the new policy to the mailbox, the user can log on to Outlook Web App and the new features will be available. A good example is the ability to change their attributes or change their retention policies through Outlook Web App.
From http://www.msexchange.org/articles_tutorials/exchange-server-2010/management-administration/using-exchange-control-panel-ecp-manage-exchange-organization-part3.html
From http://www.msexchange.org/articles_tutorials/exchange-server-2010/management-administration/using-exchange-control-panel-ecp-manage-exchange-organization-part3.html
0 Comments