What is the correct way to grant access to the RBAC?

Андрей Михалевский 3,331 Reputation points
2024-11-01T17:50:03.95+00:00

Hi. I need to give permissions to an account to execute commandlets:

Set-CASMailbox -Identity $username -ActiveSyncBlockedDeviceIDs  @{ add = $deviceId }

Get-MobileDeviceStatistics -Mailbox $username

Remove-MobileDevice -Identity $id -Confirm:$false

Set-CASMailbox -Identity $username -ActiveSyncAllowedDeviceIDs  @{ add = $deviceId }

Search for a role that has these commandlets:

PS C:\Windows\system32> Get-ManagementRole -Cmdlet Set-CASMailbox

Name                          RoleType                  
----                          --------                  
Organization Client Access    OrganizationClientAccess  
Mail Recipients               MailRecipients            
HelpDesk User Management Tool MailRecipients            
MobileDevice Management       MailRecipients            
MyBaseOptions                 MyBaseOptions             
User Options                  UserOptions               
Exchange Virtual Directories  ExchangeVirtualDirectories



PS C:\Windows\system32> Get-ManagementRole -Cmdlet Get-CASMailbox

Name                          RoleType                
----                          --------                
View-Only Recipients          ViewOnlyRecipients      
Mail Recipients               MailRecipients          
HelpDesk User Management Tool MailRecipients          
My Custom Mailbox Recipients  MailRecipients          
MobileDevice Management       MailRecipients          
MyBaseOptions                 MyBaseOptions           
User Options                  UserOptions             
Recipient Policies            RecipientPolicies       
Organization Client Access    OrganizationClientAccess



PS C:\Windows\system32> Get-ManagementRole -Cmdlet Get-MobileDeviceStatistics

Name                          RoleType          
----                          --------          
View-Only Recipients          ViewOnlyRecipients
Mail Recipients               MailRecipients    
HelpDesk User Management Tool MailRecipients    
My Custom Mailbox Recipients  MailRecipients    
MobileDevice Management       MailRecipients    
MyBaseOptions                 MyBaseOptions     
User Options                  UserOptions       



PS C:\Windows\system32> Get-ManagementRole -Cmdlet Remove-MobileDevice

Name                          RoleType      
----                          --------      
Mail Recipients               MailRecipients
User Options                  UserOptions   
HelpDesk User Management Tool MailRecipients
MobileDevice Management       MailRecipients
MyBaseOptions                 MyBaseOptions 

I've chosen Mail Recipients

My user can't change the settings: ActiveSyncBlockedDeviceIDs and ActiveSyncAllowedDeviceIDs:

A parameter cannot be found that matches parameter name 'ActiveSyncBlockedDeviceIDs'.
    + CategoryInfo          : InvalidArgument: (:) [Set-CASMailbox], ParameterBindingException
    + FullyQualifiedErrorId : NamedParameterNotFound,Set-CASMailbox
    + PSComputerName        : ms-ex05.domain.com

My script for RBAC:

$CustomGroupName = "MobileDevice Administrators"
$CustomRoleName  = "MobileDevice Management"
$ParentRoleName  = "Mail Recipients"
$userAccount     = "svc_MobileAdmin"
$AllowedCmdlets  = @(
    "Set-CASMailbox",
    "Get-CASMailbox",
    "Get-MobileDeviceStatistics",
    "Remove-MobileDevice"
)

# The child role starts with a copy of the parent's entries and parameters;
# it can only ever hold a subset of them.
New-ManagementRole -Name $CustomRoleName -Parent $ParentRoleName

# Remove every cmdlet entry that is not on the allowed list.
Get-ManagementRoleEntry "$CustomRoleName\*" | Where-Object { $AllowedCmdlets -notcontains $_.Name } | Remove-ManagementRoleEntry -Confirm:$false

# Role group that assigns the custom role to the service account.
New-RoleGroup -Name $CustomGroupName -Roles $CustomRoleName -Members $userAccount

Debug:

PS C:\Windows\system32> Get-ManagementRole -Cmdlet Set-CASMailbox -CmdletParameters ActiveSyncBlockedDeviceIDs

Name                       RoleType                
----                       --------                
Organization Client Access OrganizationClientAccess



PS C:\Windows\system32> Get-ManagementRole -Cmdlet Set-CASMailbox -CmdletParameters ActiveSyncAllowedDeviceIDs

Name                       RoleType                
----                       --------                
Organization Client Access OrganizationClientAccess


I think I need a parent role: Organization Client Access

But there are no commandlets in this role:

Get-MobileDeviceStatistics

Remove-MobileDevice

How can I fix this so that I don't give out more rights?

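The question's Debug step, run for the whole cmdlet list at once, as an added example that is not part of the question or either answer. It takes the four cmdlets from the question together with the parameters each call uses, asks Get-ManagementRole which roles carry each cmdlet/parameter pair, and then checks whether any single built-in role covers all of them. The filter on end-user role types and the output layout are this example's own choices; run it in the Exchange Management Shell.

```powershell
# Added example; not code from the question or the answers.
# Cmdlet/parameter pairs the question's four calls need.
$Required = @(
    @{ Cmdlet = 'Set-CASMailbox';             Parameters = 'Identity', 'ActiveSyncBlockedDeviceIDs', 'ActiveSyncAllowedDeviceIDs' },
    @{ Cmdlet = 'Get-CASMailbox';             Parameters = 'Identity' },
    @{ Cmdlet = 'Get-MobileDeviceStatistics'; Parameters = 'Mailbox' },
    @{ Cmdlet = 'Remove-MobileDevice';        Parameters = 'Identity' }
)

# End-user roles (RoleType MyBaseOptions / UserOptions) only apply to the
# caller's own mailbox, so they are not candidates for a service account.
$EndUserRoleTypes = 'MyBaseOptions', 'UserOptions'

$coverage = foreach ($req in $Required) {
    foreach ($param in @($req.Parameters)) {
        # With both -Cmdlet and -CmdletParameters, Get-ManagementRole returns
        # only the roles whose entry for that cmdlet includes that parameter.
        $roles = @(Get-ManagementRole -Cmdlet $req.Cmdlet -CmdletParameters $param |
                   Where-Object { $_.RoleType -notin $EndUserRoleTypes } |
                   Select-Object -ExpandProperty Name)
        [pscustomobject]@{
            Cmdlet    = $req.Cmdlet
            Parameter = $param
            Roles     = $roles
        }
    }
}

# One row per cmdlet/parameter pair with the admin roles that grant it.
$coverage |
    Select-Object Cmdlet, Parameter, @{ n = 'Roles'; e = { $_.Roles -join ', ' } } |
    Format-Table -AutoSize

# Is there one built-in role that grants every pair? If not, the work has to be
# split across custom roles with different parents.
$common = $coverage[0].Roles
foreach ($row in $coverage) {
    $common = @($common | Where-Object { $row.Roles -contains $_ })
}
if ($common.Count -gt 0) {
    "Single role covering everything: $($common -join ', ')"
} else {
    'No single built-in role covers all required cmdlet/parameter pairs.'
}

# Pairs that "Mail Recipients" does not carry, and which roles do carry them.
$coverage |
    Where-Object { $_.Roles -notcontains 'Mail Recipients' } |
    ForEach-Object { "{0} -{1}: only in {2}" -f $_.Cmdlet, $_.Parameter, ($_.Roles -join ', ') }
```

Read the last section first: a pair listed there is exactly what a child of Mail Recipients can never gain, because New-ManagementRole -Parent copies the parent's entries and parameters and Remove-ManagementRoleEntry can only take away from that copy.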

2 answers

  1. Андрей Михалевский 3,331 Reputation points
    2024-11-02T08:22:58.02+00:00

    Fixed:

    
    $CustomGroupName = "MobileDevice Administrators"
    $CASMailboxRole = "Custom CAS Mailbox Management"
    $MobileDeviceRole = "Custom Mobile Device Management"
    $userAccount = "svc_MobileAdmin"

    # Role 1: Set-CASMailbox with the ActiveSync*DeviceIDs parameters only exists in
    # Organization Client Access, so that role is the parent here.
    New-ManagementRole -Name $CASMailboxRole -Parent "Organization Client Access"

    # Keep only the two CAS mailbox cmdlets.
    Get-ManagementRoleEntry "$CASMailboxRole\*" | Where-Object { $_.Name -notin @("Set-CASMailbox", "Get-CASMailbox") } | Remove-ManagementRoleEntry -Confirm:$false

    # Drop the Set-CASMailbox entry if it does not carry both device-ID parameters
    # (with Organization Client Access as parent it does, so the entry stays).
    Get-ManagementRoleEntry "$CASMailboxRole\Set-CASMailbox" | Where-Object { $_.Parameters -notcontains "ActiveSyncBlockedDeviceIDs" -and $_.Parameters -notcontains "ActiveSyncAllowedDeviceIDs" } | ForEach-Object { Remove-ManagementRoleEntry -Identity $_.Identity -Confirm:$false }

    # Role 2: the mobile device cmdlets come from Mail Recipients.
    New-ManagementRole -Name $MobileDeviceRole -Parent "Mail Recipients"

    # Keep only the two mobile device cmdlets.
    Get-ManagementRoleEntry "$MobileDeviceRole\*" | Where-Object { $_.Name -notin @("Get-MobileDeviceStatistics", "Remove-MobileDevice") } | Remove-ManagementRoleEntry -Confirm:$false

    # One role group assigns both custom roles to the service account.
    New-RoleGroup -Name $CustomGroupName -Roles $CASMailboxRole, $MobileDeviceRole -Members $userAccount

    2 people found this answer helpful.
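A tighter version of the two-role layout from the answer above, as an added example that is not the author's or Microsoft's code. It keeps the same parents (Organization Client Access for the CAS mailbox settings, Mail Recipients for the device cmdlets) and the same role and group names, and adds two things the answer does not do: each surviving role entry is trimmed with Set-ManagementRoleEntry to the parameters the helpdesk script actually uses, and the role group gets a custom recipient write scope so it cannot touch every mailbox in the organization. The scope name and the OU path in $ScopeRoot are placeholders for this example; run it in the Exchange Management Shell as a member of Organization Management and verify the output at the end.

```powershell
# Added example, not code from the question or either answer.
$CustomGroupName  = 'MobileDevice Administrators'
$CASMailboxRole   = 'Custom CAS Mailbox Management'
$MobileDeviceRole = 'Custom Mobile Device Management'
$userAccount      = 'svc_MobileAdmin'
$ScopeName        = 'MobileDevice Admin Scope'     # placeholder name
$ScopeRoot        = 'domain.com/Users'             # placeholder OU for the scope

# Exactly the cmdlet/parameter pairs the helpdesk script calls. Common
# parameters (Confirm, WhatIf, ErrorAction, ...) remain on every entry.
$Plan = @(
    @{ Role = $CASMailboxRole; Parent = 'Organization Client Access'; Entries = @{
            'Set-CASMailbox' = 'Identity', 'ActiveSyncBlockedDeviceIDs', 'ActiveSyncAllowedDeviceIDs'
            'Get-CASMailbox' = 'Identity'
        } },
    @{ Role = $MobileDeviceRole; Parent = 'Mail Recipients'; Entries = @{
            'Get-MobileDeviceStatistics' = 'Mailbox'
            'Remove-MobileDevice'        = 'Identity'
        } }
)

foreach ($p in $Plan) {
    # A child role can hold only a subset of its parent's entries and parameters,
    # which is why Set-CASMailbox with the device-ID parameters has to come from
    # Organization Client Access rather than Mail Recipients.
    New-ManagementRole -Name $p.Role -Parent $p.Parent | Out-Null

    # Remove every cmdlet the script does not call.
    Get-ManagementRoleEntry "$($p.Role)\*" |
        Where-Object { $p.Entries.Keys -notcontains $_.Name } |
        Remove-ManagementRoleEntry -Confirm:$false

    # On the surviving entries, overwrite the inherited parameter list with the
    # parameters actually used (without -AddParameter/-RemoveParameter,
    # Set-ManagementRoleEntry -Parameters replaces the list).
    foreach ($cmdlet in $p.Entries.Keys) {
        Set-ManagementRoleEntry -Identity "$($p.Role)\$cmdlet" -Parameters $p.Entries[$cmdlet]
    }
}

# Limit writes to user mailboxes under one OU; without a custom write scope the
# group could change ActiveSync settings on any mailbox in the organization.
New-ManagementScope -Name $ScopeName -RecipientRoot $ScopeRoot `
    -RecipientRestrictionFilter "RecipientType -eq 'UserMailbox'" | Out-Null

New-RoleGroup -Name $CustomGroupName -Roles $CASMailboxRole, $MobileDeviceRole `
    -Members $userAccount -CustomRecipientWriteScope $ScopeName | Out-Null

# Verify rather than trust the script: the entries and parameters each custom
# role now carries ...
foreach ($role in $CASMailboxRole, $MobileDeviceRole) {
    Get-ManagementRoleEntry "$role\*" | Format-List Name, Role, Parameters
}
# ... and who effectively holds them (group membership expanded), with the scope.
Get-ManagementRoleAssignment -RoleAssignee $CustomGroupName -GetEffectiveUsers |
    Format-Table Role, EffectiveUserName, CustomRecipientWriteScope -AutoSize
```

The parameter trimming is the part worth keeping even if the scope does not fit your directory layout: Set-CASMailbox inherited from Organization Client Access otherwise lets the service account change every client-access setting on a mailbox, not just the two ActiveSync device lists.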

  2. Jake Zhang-MSFT 6,380 Reputation points Microsoft Vendor
    2024-11-04T08:12:00.5333333+00:00

    Hi @Андрей Михалевский,

    Great to know that the issue has already been resolved and thanks for sharing the solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer : )     

    --------------   

    Issue Symptom: 

    The correct way to grant access to the RBAC

     

    Resolution: 

    $CustomGroupName = "MobileDevice Administrators"
    $CASMailboxRole = "Custom CAS Mailbox Management"
    $MobileDeviceRole = "Custom Mobile Device Management"
    $userAccount = "svc_MobileAdmin"

    New-ManagementRole -Name $CASMailboxRole -Parent "Organization Client Access"

    Get-ManagementRoleEntry "$CASMailboxRole\*" | Where-Object { $_.Name -notin @("Set-CASMailbox", "Get-CASMailbox") } | Remove-ManagementRoleEntry -Confirm:$false

    Get-ManagementRoleEntry "$CASMailboxRole\Set-CASMailbox" | Where-Object { $_.Parameters -notcontains "ActiveSyncBlockedDeviceIDs" -and $_.Parameters -notcontains "ActiveSyncAllowedDeviceIDs" } | ForEach-Object { Remove-ManagementRoleEntry -Identity $_.Identity -Confirm:$false }

    New-ManagementRole -Name $MobileDeviceRole -Parent "Mail Recipients"

    Get-ManagementRoleEntry "$MobileDeviceRole\*" | Where-Object { $_.Name -notin @("Get-MobileDeviceStatistics", "Remove-MobileDevice") } | Remove-ManagementRoleEntry -Confirm:$false

    New-RoleGroup -Name $CustomGroupName -Roles $CASMailboxRole, $MobileDeviceRole -Members $userAccount

