Role-Based Access Control
From EMS:
Get-RoleGroup | Sort-Object Name | FT Name
Name
----
Delegated Setup
Discovery Management
Help Desk
Hygiene Management
Organization Management
Public Folder Management
Recipient Management
Records Management
Server Management
UM Management
View-Only Organization Management
From Active Directory Users and Groups Console:

What roles are assigned to a Role Group?
Get-RoleGroup "Help Desk" | FL Name,Roles,RoleAssignments
Name            : Help Desk
Roles           : {User Options, View-Only Recipients}
RoleAssignments : {User Options-Help Desk, View-Only Recipients-Help Desk}
What cmdlets does a Role hold?
Get-ManagementRoleEntry 'User Options\*' | Sort-Object | FT Name
Name
----
Get-MessageCategory
Get-MessageClassification
Get-MailboxStatistics
Get-MailboxMessageConfiguration
Get-MailboxSpellingConfiguration
Get-Recipient
Remove-ActiveSyncDevice
Set-CalendarProcessing
New-MailMessage
Get-TextMessagingAccount
Get-User
Get-CalendarNotification
Get-CalendarProcessing
Get-ActiveSyncDeviceStatistics
Clear-ActiveSyncDevice
Get-ActiveSyncDevice
Get-DomainController
Get-MailboxCalendarFolder
Get-MailboxJunkEmailConfiguration
Get-MailboxCalendarConfiguration
Get-InboxRule
Get-MailboxAutoReplyConfiguration
Get-CASMailbox
Set-MailboxRegionalConfiguration
Get-MailboxRegionalConfiguration
Set-Mailbox
Remove-InboxRule
Set-InboxRule
New-InboxRule
Set-ADServerSettings
Set-MailboxCalendarFolder
Get-Mailbox
Set-CASMailbox
Set-MailboxJunkEmailConfiguration
Set-MailboxMessageConfiguration
Set-MailboxCalendarConfiguration
Set-MailUser
Set-MailboxAutoReplyConfiguration
Set-MailboxSpellingConfiguration
Enable-InboxRule
Set-User
Disable-InboxRule
Set-UMMailboxPIN
Write-AdminAuditLog
Get-ManagementRoleEntry 'View-Only Recipients\*' | Sort-Object | FT Name
Name
----
Get-LogonStatistics
Get-MailContact
Get-MailPublicFolder
Get-Group
Get-InboxRule
Get-LinkedUser
Get-MailboxCalendarFolder
Get-MailboxComplianceConfiguration
Get-MailboxJunkEmailConfiguration
Get-MailUser
Get-MailboxAutoReplyConfiguration
Get-MailboxCalendarConfiguration
Get-DynamicDistributionGroup
Get-ActiveSyncMailboxPolicy
Get-AddressList
Get-CalendarDiagnosticLog
Get-ADServerSettings
Get-ActiveSyncDevice
Get-ActiveSyncDeviceStatistics
Get-DistributionGroup
Get-DistributionGroupMember
Get-DomainController
Get-CalendarNotification
Get-CalendarProcessing
Get-Contact
Get-MailboxMessageConfiguration
Get-MailboxRegionalConfiguration
Get-MailboxFolderPermission
Get-Mailbox
Set-ADServerSettings
Export-MailboxDiagnosticLogs
Search-MessageTrackingReport
Get-SecurityPrincipal
Get-CASMailbox
Get-MessageTrackingReport
Get-RemoteMailbox
Get-MailboxFolderStatistics
Get-UMCallDataRecord
Get-User
Get-MessageTrackingLog
Get-MoveRequest
Get-MoveRequestStatistics
Get-MailboxPermission
Get-MailboxSpellingConfiguration
Get-MailboxStatistics
Get-UMMailbox
Get-UMMailboxConfiguration
Get-UMMailboxPIN
Get-OrganizationalUnit
Get-Recipient
Get-ResourceConfig
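The two lookups above can be combined into one review of what a role group is able to change. This is an added example, not part of the original notes: it lists every cmdlet that is not a Get-* cmdlet together with the role that grants it. The function names Get-RoleGroupEntry and Get-NonReadCmdlet and the RoleName property are made up for this example, and the sample rows are constructed from the listings above.

```powershell
# Added example. PowerShell 2.0 syntax, so it also runs in the Exchange 2010 EMS.

function Get-RoleGroupEntry {
    # Live lookup (needs EMS): expand a role group into one object per role entry.
    param([string]$RoleGroup = 'Help Desk')
    foreach ($role in (Get-RoleGroup $RoleGroup).Roles) {
        # Accept either an identity object with a Name property or a plain string.
        $roleName = if ($role.Name) { $role.Name } else { [string]$role }
        Get-ManagementRoleEntry "$roleName\*" |
            Select-Object Name, @{ Name = 'RoleName'; Expression = { $roleName } }
    }
}

function Get-NonReadCmdlet {
    # Input: objects with Name (cmdlet) and RoleName. Output: every cmdlet that is
    # not Get-*, with the roles granting it, so each one can be reviewed.
    param([Parameter(ValueFromPipeline = $true)] $Entry)
    begin   { $all = @() }
    process { $all += $Entry }
    end {
        $all | Where-Object { $_.Name -notlike 'Get-*' } |
            Group-Object Name | Sort-Object Name | ForEach-Object {
                $roles = ($_.Group | ForEach-Object { $_.RoleName } |
                          Sort-Object -Unique) -join ', '
                New-Object PSObject -Property @{ Cmdlet = $_.Name; GrantedBy = $roles }
            }
    }
}

# In EMS:
#   Get-RoleGroupEntry 'Help Desk' | Get-NonReadCmdlet | FT Cmdlet, GrantedBy -AutoSize

# Offline run with constructed sample rows (role|cmdlet) taken from the listings above.
$sample = 'User Options|Get-Mailbox',
          'User Options|Set-Mailbox',
          'User Options|New-InboxRule',
          'User Options|Set-ADServerSettings',
          'View-Only Recipients|Get-Mailbox',
          'View-Only Recipients|Set-ADServerSettings',
          'View-Only Recipients|Export-MailboxDiagnosticLogs' | ForEach-Object {
    $role, $cmd = $_ -split '\|'
    New-Object PSObject -Property @{ Name = $cmd; RoleName = $role }
}
$sample | Get-NonReadCmdlet | Format-Table Cmdlet, GrantedBy -AutoSize
```

Filtering on the verb is deliberately conservative: anything other than Get-* is listed for review, including cmdlets that appear in a role named "View-Only".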
Add a user to, or remove a user from, a role group:
Add-RoleGroupMember -Identity "Help Desk" -Member RKing
Remove-RoleGroupMember -Identity "Help Desk" -Member RKing
Test the meaning of RBAC with user RKing
Open EMS as Lab\RKing

List all the Exchange cmdlets at user RKing's disposal
Get-ExCommand | Sort-Object | FT Name
For example, user rKing cannot run the Get-ExchangeServer cmdlet.
When rKing runs Get-Command, rKing can see Start-Service and Stop-Service. However, when rKing runs Start-Service MSExchangePOP3, it reports an error because rKing does not have the permission.
So far, RBAC is available in Exchange 2010 only.
Log on as rKing from a domain member (Windows 7)
Open Windows PowerShell
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ex1.lab.com/powershell/?SerializationLevel=Full -Credential LAB\rKing
Import-PSSession $Session
For example, you cannot run the following:
Get-ExCommand
Get-ExchangeServer
etc.
But you can run the following:
Get-Mailbox
Get-ADServerSettings
Set-Mailbox Joe -DisplayName "Joe Dunn"
Default Management Role
Get-ManagementRole | Sort-Object Name | FT Name
Name
----
Active Directory Permissions
Address Lists
ApplicationImpersonation
Audit Logs
Cmdlet Extension Agents
Custom Helpdesk-Mail Recipients
Database Availability Groups
Database Copies
Databases
Disaster Recovery
Distribution Groups
Edge Subscriptions
E-Mail Address Policies
Exchange Connectors
Exchange Server Certificates
Exchange Servers
Exchange Virtual Directories
Federated Sharing
Information Rights Management
Journaling
Legal Hold
Mail Enabled Public Folders
Mail Recipient Creation
Mail Recipients
Mail Tips
Mailbox Import Export
Mailbox Search
Message Tracking
Migration
Monitoring
Move Mailboxes
MyAddressInformation
MyBaseOptions
MyContactInformation
MyDiagnostics
MyDisplayName
MyDistributionGroupMembership
MyDistributionGroups
MyMobileInformation
MyName
MyPersonalInformation
MyProfileInformation
MyRetentionPolicies
MyTextMessaging
MyVoiceMail
Organization Client Access
Organization Configuration
Organization Transport Settings
POP3 And IMAP4 Protocols
Public Folder Replication
Public Folders
Receive Connectors
Recipient Policies
Remote and Accepted Domains
Retention Management
Role Management
Security Group Creation and Membership
Send Connectors
Support Diagnostics
Transport Agents
Transport Hygiene
Transport Queues
Transport Rules
UM Mailboxes
UM Prompts
Unified Messaging
UnScoped Role Management
User Options
View-Only Audit Logs
View-Only Configuration
View-Only Recipients
