Tuesday, July 15, 2014

How To Create CUSTOM RBAC ROLE Exchange 2010 & 2013

We would like to use the RBAC role model and create a custom RBAC role for the specific needs of a business. These needs differ from one environment to another, so this article serves as a reference you can adapt to your own customization. The first thing to understand is the RBAC layers.

There are 6 layers which make up the Role Group Model:

  • Role group member
  • Management role group
  • Management role assignment
  • Management role scope
  • Management role
  • Management role entries


Goal:

  1. Create Custom Role Group
  2. Create Custom RBAC Role Entry with desired cmdlet's
  3. Add Custom Role entry to Role
  4. Add role to Custom Role Group
  5. Add Members to Custom Role Group

In this example we will use the following names: the management role "Assign Mailbox Access" (parent role "Mail Recipients"), the role group "Audit Team", and the member C-Ron.Buzon.

Note: You can build your own management role and modify its management role entries the same way as in this article. The process is pretty straightforward.

Task#1

Figure out all role entries that contain Set-Mailbox (Set-Mailbox is one of the cmdlets we have as our requirement):

Get-ManagementRoleEntry *\Set-Mailbox


Task#2

Create the management role with the related parent role:

New-ManagementRole -Name "Assign Mailbox Access" -Parent "Mail Recipients"


Task#3

Get-ManagementRoleEntry "Assign Mailbox Access\*"

Verify all cmdlets assigned to the newly created management role. As you can see, we have many cmdlets we don't want, so we will need to remove most of them and keep only what we need.


Task#4

Remove what you don't need:

Get-ManagementRoleEntry "Assign Mailbox Access\*" | Where {$_.Name -ne "Add-MailboxPermission"} | Remove-ManagementRoleEntry -Confirm:$False


Task#5

Verify the role entries; only the minimum cmdlet (Add-MailboxPermission) is now assigned.

Task#6

Add additional cmdlets:

  • Add-ManagementRoleEntry "Assign Mailbox Access\get-mailbox"
  • Add-ManagementRoleEntry "Assign Mailbox Access\get-mailboxPermission"
  • Add-ManagementRoleEntry "Assign Mailbox Access\remove-mailboxPermission"
  • Add-ManagementRoleEntry "Assign Mailbox Access\set-mailbox"


Task#7

Add or remove any role entries if desired.

Verify one more time to make sure we have everything we wanted. If required, continue to add entries using the same one-liner cmdlet:

Add-ManagementRoleEntry "Assign Mailbox Access\set-mailbox"   # replace set-mailbox with the cmdlet you need

If you need to remove an entry, use:

Remove-ManagementRoleEntry "Assign Mailbox Access\set-mailbox"


Task#8

Create the new role group:

New-RoleGroup "Audit Team"


Task#9

Let's put them together by assigning the role to the role group:

New-ManagementRoleAssignment -SecurityGroup "Audit Team" -Role "Assign Mailbox Access"


Task#10

Add members to the role group:

Add-RoleGroupMember "Audit Team" -Member C-Ron.Buzon
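The ten tasks above collected into one Exchange Management Shell script, as an added example that is not part of the original post. It uses the post's names, trims the role against an explicit allow list instead of a single -ne filter, adds a recipient write scope (the "management role scope" layer listed at the top, which the post never sets) so the Audit Team can only touch recipients in one OU, and ends with a check that the role grants nothing outside the list; the OU path is a placeholder.

```powershell
# Added example: Tasks 1-10 of the post as one script, plus a final
# allow-list check. Names are from the post; the OU is a placeholder.
$RoleName     = "Assign Mailbox Access"
$ParentRole   = "Mail Recipients"
$GroupName    = "Audit Team"
$Member       = "C-Ron.Buzon"
$WriteScopeOU = "contoso.com/Audited Users"   # placeholder OU (assumption)

# Only these cmdlets may remain in the custom role.
$AllowedCmdlets = @(
    "Add-MailboxPermission", "Get-Mailbox", "Get-MailboxPermission",
    "Remove-MailboxPermission", "Set-Mailbox"
)

# Task 2: create the role from its parent unless it already exists.
if (-not (Get-ManagementRole $RoleName -ErrorAction SilentlyContinue)) {
    New-ManagementRole -Name $RoleName -Parent $ParentRole | Out-Null
}

# Task 4: strip every inherited entry that is not on the allow list.
Get-ManagementRoleEntry "$RoleName\*" |
    Where-Object { $AllowedCmdlets -notcontains $_.Name } |
    Remove-ManagementRoleEntry -Confirm:$false

# Tasks 6/7: add back any allowed cmdlet the role is still missing.
foreach ($cmdlet in $AllowedCmdlets) {
    if (-not (Get-ManagementRoleEntry "$RoleName\$cmdlet" -ErrorAction SilentlyContinue)) {
        Add-ManagementRoleEntry "$RoleName\$cmdlet"
    }
}

# Tasks 8/9: role group plus assignment, limited to one OU by a write scope.
if (-not (Get-RoleGroup $GroupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $GroupName | Out-Null
}
if (-not (Get-ManagementRoleAssignment -RoleAssignee $GroupName -Role $RoleName -ErrorAction SilentlyContinue)) {
    New-ManagementRoleAssignment -SecurityGroup $GroupName -Role $RoleName `
        -RecipientOrganizationalUnitScope $WriteScopeOU | Out-Null
}

Add-RoleGroupMember $GroupName -Member $Member   # Task 10: membership

# Verification: fail loudly if the role still grants an unexpected cmdlet.
$unexpected = Get-ManagementRoleEntry "$RoleName\*" |
    Where-Object { $AllowedCmdlets -notcontains $_.Name } |
    Select-Object -ExpandProperty Name
if ($unexpected) { throw "$RoleName still grants: $($unexpected -join ', ')" }
Get-ManagementRoleAssignment -RoleAssignee $GroupName |
    Format-Table Role, RoleAssigneeName, RecipientWriteScope -AutoSize
```

Add-ManagementRoleEntry can only add a cmdlet that the parent role already contains, so every name on the allow list must exist in "Mail Recipients".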


We are done; let's look at the result in the ECP.

Now when C-Ron.Buzon logs in, he will only get the cmdlets assigned to him via the RBAC role. As you can see, the RBAC permissions model is very efficient and effective. When creating roles, role groups and role entries, you may want to agree on a unified naming convention and plan everything out before implementing it in a production environment.

TechNet:

Respectfully,
Oz Casey, Dedeal ( MVP north America)
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
http://smtp25.blogspot.com/ (Blog)
http://telnet25.wordpress.com/ (Blog)

1 comment:

Anonymous said...

Images are too small....