Exchange Server 2010 SP1 Hosting Deployment - RBAC simplified #4 - Tenants

Tenant Administrators and Tenants

By now you probably know that when you create a new tenant organization, a set of RBAC management roles and a set of role groups are created out of the box, together with a number of default role assignments.

So, by default, a new organization gets the following.

Role Groups

[PS] C:\> Get-RoleGroup -Organization AlpineSkiHouse | select Name

Name
----
Discovery Management
Help Desk
Organization Management
Recipient Management
Records Management
View-Only Organization Management

If you supply the administrator password with -AdministratorPassword when creating a new organization (see Exchange Server 2010 SP1 Beta Hosting Deployment - First Look), an administrator account is created automatically and added as a member of every role group above except Discovery Management. That exception is deliberate: Discovery Management carries the Mailbox Search role, so the ability to search other tenant users' mailboxes is not handed to the tenant administrator by default and should be granted explicitly if a tenant needs it.

Now, it is important to note that each tenant organization can actually have its own management roles, its own management role assignments and its own role groups. This is possible because in Hosting Deployment every tenant has its own configuration unit in Active Directory. And because each tenant sits in its own segregated organization, the scope of those roles and assignments stays within that organization too.
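As an added example (not code from the original post), the following script provisions a tenant non-interactively with -AdministratorPassword, then shows which role groups the auto-created administrator landed in, and finally grants tenant-admin rights to an existing tenant mailbox instead. It assumes the Exchange Management Shell on an SP1 Hosting Deployment server and the New-Organization parameters used on this page (Name, DomainName, Location, ProgramId, OfferId, AdministratorPassword); the tenant name, domain, mailbox and password are placeholders.

```powershell
# Added example, not from the original post. Assumes the Exchange Management Shell on an
# Exchange 2010 SP1 Hosting Deployment server. Tenant name, domain, mailbox and password are
# placeholders; in a real provisioning script read the password from a vault, not a literal.
$tenant   = 'AlpineSkiHouse'
$domain   = 'alpineskihouse.com'
$password = ConvertTo-SecureString 'P@ssw0rd!Change-Me' -AsPlainText -Force

# Create the tenant. Supplying -AdministratorPassword makes New-Organization create the
# administrator account and add it to every role group except Discovery Management.
New-Organization -Name $tenant -DomainName $domain -Location 'en-us' `
    -ProgramId 'Business' -OfferId '2' -AdministratorPassword $password

# Verify: every role group in the tenant and its current members.
Get-RoleGroup -Organization $tenant | ForEach-Object {
    $members = Get-RoleGroupMember -Identity $_.Identity | Select-Object -ExpandProperty Name
    New-Object PSObject -Property @{
        RoleGroup = $_.Name
        Members   = ($members -join ', ')
    }
} | Format-Table RoleGroup, Members -AutoSize

# Alternative: promote an existing mailbox of the same tenant to tenant administrator.
# Role groups live inside the tenant's configuration unit, so the member must be a
# recipient of that tenant; a user from another organization cannot be added.
Get-RoleGroup -Organization $tenant 'Organization Management' |
    Add-RoleGroupMember -Member "jane.doe@$domain"

# Re-check membership of the one role group that matters most.
Get-RoleGroup -Organization $tenant 'Organization Management' |
    Get-RoleGroupMember | Format-Table Name, RecipientType -AutoSize
```

Run it once per tenant from a provisioning job; the second Get-RoleGroup listing is the check worth keeping in a log, since Organization Management membership is the tenant's highest privilege.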

Roles

Here are all the canned management roles created when you create a new organization.

[PS] C:\> Get-ManagementRole -Organization AlpineSkiHouse

Name                                     RoleType
----                                     --------
ApplicationImpersonation                 ApplicationImpersonation
Audit Logs                               AuditLogs
Distribution Groups                      DistributionGroups
Journaling                               Journaling
Legal Hold                               LegalHold
Mail Recipient Creation                  MailRecipientCreation
Mail Recipients                          MailRecipients
Mail Tips                                MailTips
Mailbox Import Export                    MailboxImportExport
Mailbox Search                           MailboxSearch
Message Tracking                         MessageTracking
Move Mailboxes                           MoveMailboxes
MyBaseOptions                            MyBaseOptions
MyContactInformation                     MyContactInformation
MyAddressInformation                     MyContactInformation
MyMobileInformation                      MyContactInformation
MyPersonalInformation                    MyContactInformation
MyDistributionGroupMembership            MyDistributionGroupMembership
MyDistributionGroups                     MyDistributionGroups
MyProfileInformation                     MyProfileInformation
MyDisplayName                            MyProfileInformation
MyName                                   MyProfileInformation
MyRetentionPolicies                      MyRetentionPolicies
MyTextMessaging                          MyTextMessaging
MyVoiceMail                              MyVoiceMail
Organization Client Access               OrganizationClientAccess
Organization Configuration               OrganizationConfiguration
Organization Transport Settings          OrganizationTransportSettings
Recipient Policies                       RecipientPolicies
Remote and Accepted Domains              RemoteAndAcceptedDomains
Reset Password                           ResetPassword
Retention Management                     RetentionManagement
Role Management                          RoleManagement
Security Group Creation and Membership   SecurityGroupCreationAndMembership
Transport Rules                          TransportRules
User Options                             UserOptions
View-Only Audit Logs                     ViewOnlyAuditLogs
View-Only Configuration                  ViewOnlyConfiguration
View-Only Recipients                     ViewOnlyRecipients

There isn't any big surprise here. Most of them are the standard roles. There are a few roles I would like to highlight though: all those whose names start with My*, such as MyBaseOptions, MyContactInformation, MyAddressInformation, MyMobileInformation, MyPersonalInformation, MyDistributionGroupMembership, MyDistributionGroups and MyDisplayName. These roles have a recipient read and write scope of Self, meaning a user holding them can only read and change attributes of his or her own mailbox, and they are primarily used to assign end-user permissions to the mailbox as defined in your Service Plan. I will talk a little bit more about this in my next post and go into the interdependencies between the service plans, the mailbox plans and the Role Assignment Policy.

Management Role Assignments

The list of assignments a tenant ends up with depends on how you configure your Service Plans. If you look at a service plan, you will find that its Organization section defines which roles the tenant administrator gets; the corresponding roles are then assigned to the tenant's Organization Management role group. The end-user permissions set in the mailbox plan, on the other hand, are delivered through the Role Assignment Policy that applies to that mailbox plan.

To take a look at the assignments, just execute:

[PS] C:\> Get-ManagementRoleAssignment -Organization AlpineSkiHouse
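As an added example (not code from the original post), the script below takes the assignment listing one step further: it splits a tenant's role assignments into the administrative ones held by role groups (the ones driven by the service plan's Organization section) and the end-user ones held by role assignment policies (the My* roles driven by the mailbox plan), and then flags any My* role whose recipient write scope is wider than Self. It assumes the Exchange Management Shell on an SP1 Hosting Deployment server and the RoleAssigneeType and RecipientWriteScope properties that Get-ManagementRoleAssignment returns; the tenant name is a placeholder.

```powershell
# Added example, not from the original post. Assumes the Exchange Management Shell on an
# Exchange 2010 SP1 Hosting Deployment server; the tenant name is a placeholder.
$tenant      = 'AlpineSkiHouse'
$assignments = Get-ManagementRoleAssignment -Organization $tenant

# Administrative assignments: roles granted to the tenant's role groups, which is where the
# service plan's Organization section ends up (Organization Management and friends).
Write-Host "== Assignments to role groups in $tenant =="
$assignments |
    Where-Object { $_.RoleAssigneeType -eq 'RoleGroup' } |
    Sort-Object RoleAssigneeName, Role |
    Format-Table RoleAssigneeName, Role, RecipientWriteScope, ConfigWriteScope -AutoSize

# End-user assignments: roles granted through the role assignment policy that the mailbox
# plan applies; these are the My* roles and are expected to be scoped to Self.
Write-Host "== Assignments to role assignment policies in $tenant =="
$assignments |
    Where-Object { $_.RoleAssigneeType -eq 'RoleAssignmentPolicy' } |
    Sort-Object RoleAssigneeName, Role |
    Format-Table RoleAssigneeName, Role, RecipientWriteScope -AutoSize

# Check: a My* role assigned with any recipient write scope other than Self would let a tenant
# user modify other recipients' attributes, so flag it rather than silently listing it.
$suspect = $assignments | Where-Object {
    $_.Role.Name -like 'My*' -and $_.RecipientWriteScope -ne 'Self'
}
if ($suspect) {
    Write-Warning "My* roles in $tenant assigned beyond Self scope:"
    $suspect | Format-Table RoleAssigneeName, RoleAssigneeType, Role, RecipientWriteScope -AutoSize
} else {
    Write-Host "All My* role assignments in $tenant are scoped to Self."
}
```

The warning branch is the part to wire into a periodic check: the default assignments created with the tenant are fine, but a later New-ManagementRoleAssignment run against a My* role with a custom scope is exactly the kind of drift that is easy to miss in a multi-tenant directory.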

Cheers.

Read More on this RBAC Series.

Read all other Exchange Server 2010 SP1 Hosting Deployment blog posts.

Comments

  • Anonymous
    January 01, 2003
    Hmm.. where is the user that you are trying to add? Is that user from the same Org? You can't add another user from a different Org.

  • Anonymous
    January 01, 2003
    Well, you can definitely programmatically create the administrator by supplying the password using a secure string. Or if you want to, you can create the mailbox and then assign the Organization Management role. Try this: Get-RoleGroup -Organization AlpineSkiHouse "Organization Management" | Add-RoleGroupMember -Member "username"

  • Anonymous
    September 29, 2010
    When I use New-Organization with the following syntax, New-Organization -Name "Contoso.com" -DomainName "Contoso.com" -Location "en-us" -ProgramId "Business" -OfferId "2", it creates the new tenant client without an administrative user.
    When I add -AdministratorPassword (get-credential).password it prompts for the username/password. My challenge is that we're wanting to programmatically create these organizations, so we need to be able to script it. It would also be handy from our tool to be able to add new tenant administrators easily. One thought is to create a user and assign the roles (shown above), but I can't find how to do it. TechNet documentation alludes to maybe an easy way to do it with the article "Grant a Tenant User Administrative Permission", which no one has started writing yet. What would you recommend as a solution?