Exchange Server 2010 SP1 Hosting Deployment - RBAC simplified #2 - Hosters
A closer look at RBAC in Hosting Deployment
In the last post, I gave a quick overview of RBAC, which I think is important. Those who have been working on Exchange Server 2010 for a while and already know RBAC can skip the last blog post. If you do not know what RBAC is, I encourage you to read it. :)
Typically, in a Hosted Exchange deployment, we look at permissions and control for 4 main groups:
- The Hosters themselves
- The Resellers
- The Tenant Administrators
- The Tenant
In HMC, we achieved this by setting Active Directory Access Control Lists (ACLs), with clever use of permission inheritance and inheritance blocking. We created groups and assigned the permissions accordingly. It is rather complex, and hence most of the time this remained something of a black box, where not many people knew which permissions should or should not be granted.
With the introduction of RBAC, we get a much clearer understanding of which group gets which permissions or roles. Let me start with the Hosters first.
Hosters
When you deploy Exchange Server 2010 in Hosting Deployment using the /Hosting switch, you will realize it isn't very different from an Enterprise environment. You will find a list of roles created for you by default.
To get the management roles, run the following (I am not going to list them all):
[PS] C:\> Get-ManagementRole | Select Name
Name
----
Active Directory Permissions
Address Lists
ApplicationImpersonation
Audit Logs
Cmdlet Extension Agents
DataCenter Operations
Database Availability Groups
Database Copies
Databases
...
...
...
Like I mentioned in the previous blog post, each of these roles is associated with a list of actions the role can perform. For example, to find out what the DataCenter Operations role can do, execute the following:
[PS] C:\>Get-ManagementRole "DataCenter Operations" | Get-ManagementRoleEntry | Select Name
Name
----
New-DistributionGroup
New-MailContact
Remove-StoreMailbox
New-Mailbox
Update-ServicePlan
New-DynamicDistributionGroup
Write-AdminAuditLog
Start-OrganizationUpgrade
Remove-Organization
New-Organization
Get-Organization
Get-MsoFullSyncOrganization
Get-DomainController
Export-AutoDiscoverConfig
Complete-OrganizationUpgrade
FYI, "DataCenter Operations" is the only role that allows you to run New-Organization, Remove-Organization and Get-Organization. What does that mean? It means that if you want to grant a user permission to create a new organization, this role needs to be assigned to that user. Or, if you are thinking about creating a signup page, your app pool will need to run under a service account that has this role assigned. Again, there are tons of things here; my recommendation is to spend some time exploring each role to see what it can and can't do. You will find that you have huge flexibility compared to the older ways. You will also find that understanding this is valuable in supporting the environment.
By default, the system will also create 13 role groups. They are:
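As an added example (not part of the original post), the following Exchange Management Shell script turns the point above into a repeatable check: for each sensitive cmdlet it finds every role that exposes it, then lists every enabled assignment of those roles, expanding role groups to the users who effectively hold the permission. The list of cmdlets is a constructed starting point; extend it to whatever you consider sensitive in your deployment.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
# Goal: verify which management roles expose a sensitive cmdlet, then list every
# enabled role assignment (and the effective users behind role groups) that grants it.
$sensitiveCmdlets = 'New-Organization', 'Remove-Organization', 'Update-ServicePlan'  # constructed list

foreach ($cmdlet in $sensitiveCmdlets) {
    # Identity "<Role>\<Cmdlet>" with a wildcard role returns the entry from every role that has it
    $roles = Get-ManagementRoleEntry -Identity "*\$cmdlet" |
             ForEach-Object { $_.Role.ToString() } |
             Sort-Object -Unique

    if (-not $roles) {
        Write-Output "$cmdlet is not exposed by any management role"
        continue
    }
    Write-Output "$cmdlet is exposed by role(s): $($roles -join ', ')"

    foreach ($role in $roles) {
        # Enabled assignments only; -GetEffectiveUsers expands role groups to their members,
        # so service accounts or helpdesk users holding the role indirectly show up too
        Get-ManagementRoleAssignment -Role $role -Enabled $true -GetEffectiveUsers |
            Select-Object Role, RoleAssigneeType, RoleAssigneeName, EffectiveUserName |
            Format-Table -AutoSize
    }
}
```

Run this periodically and diff the output against a known-good baseline; any new EffectiveUserName under DataCenter Operations is a change worth a ticket.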
[PS] C:\>Get-RoleGroup | Select Name
Name
----
Delegated Setup
Organization Management
Recipient Management
View-Only Organization Management
Help Desk
Records Management
Discovery Management
Server Management
Hygiene Management
Management Forest Operator
Management Forest Tier 1 Support
View-Only Mgmt Forest Operator
Management Forest Monitoring
I am not going to go through each of them, as I think the final documentation in the Exchange Help file will probably cover that. However, if you do have any questions, do not hesitate to let me know. From the above, I do need to mention that by default only the Organization Management role group has a member in it. The member, as you might have already guessed, is your beloved Administrator. :) If you would like to add another user to manage the Exchange environment, simply add that user to the Organization Management role group by issuing the following:
[PS] C:\>Add-RoleGroupMember "Organization Management" -Member Jane.Doe@Fabrikam.com
Next, let's look at Management Role Assignments. Execute the following:
[PS] C:\>Get-ManagementRoleAssignment | Select Name, Role, RoleAssigneeName
You will get a list of Management Role Assignments. You will find that most of them are assigned to Organization Management. What does that mean? It means that because your Administrator is a member of this role group, you can do almost everything.
So, out of the box, there are really no big surprises. The roles are relatively standard. My recommendation is: please look at what each role can do and don't take the shortcut of adding everyone in your support team to the Organization Management role group. The rule of thumb is: don't give anyone more than what the person needs to do their job.
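To show what that rule of thumb looks like in practice, here is an added example (not from the original post) that creates a role group carrying only recipient-level roles for a support team, then verifies what the group can actually do. The group name and member are constructed; the role names are standard Exchange 2010 roles but are an assumption for a /Hosting deployment, so check them against your own Get-ManagementRole output first.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell (PowerShell 2.0 syntax).
# Instead of dropping the support team into Organization Management, build a role group that
# carries only the roles the team uses, then verify the result.
$groupName = 'Hosting Tier1 Support'                                   # hypothetical group name
$roles     = 'Mail Recipients', 'Distribution Groups', 'Move Mailboxes'  # assumed to exist; verify with Get-ManagementRole
$members   = 'tier1.user1@fabrikam.com'                                # constructed example member

# Create the group only once; re-running the script must not duplicate it
if (-not (Get-RoleGroup -Identity $groupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $groupName -Roles $roles -Members $members `
        -Description 'Recipient tasks only; no organization, server or datacenter roles'
}

# 1. Confirm which roles (and write scopes) are really attached to the new group
Get-ManagementRoleAssignment -RoleAssignee $groupName |
    Select-Object Role, RoleAssigneeName, RecipientWriteScope, ConfigWriteScope |
    Format-Table -AutoSize

# 2. Prove that none of the tenant-lifecycle cmdlets from DataCenter Operations came along
$blocked = 'New-Organization', 'Remove-Organization', 'Update-ServicePlan'
$leaked  = foreach ($r in $roles) {
    Get-ManagementRole -Identity $r | Get-ManagementRoleEntry |
        Where-Object { $blocked -contains $_.Name }
}
if ($leaked) {
    Write-Warning "Unexpected sensitive cmdlets in $groupName : $(($leaked | ForEach-Object { $_.Name }) -join ', ')"
} else {
    Write-Output "$groupName exposes none of: $($blocked -join ', ')"
}

# 3. Keep an eye on the group the post warns about; this list should stay short and known
Write-Output 'Current Organization Management members:'
Get-RoleGroupMember -Identity 'Organization Management' | Select-Object Name, RecipientType
```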
Cheers.
Comments
- Anonymous
February 14, 2016
Hi, I just want to tell you that I am very new to blogs and seriously loved this website. More than likely I'm planning to bookmark your blog post.
You amazingly come up with really good posts. Thanks a lot for sharing your blog, Microsoft.