Understanding Role Based Access Control
Exchange Server 2010 uses the new Role Based Access Control (RBAC) permissions model on the Mailbox, Hub Transport, Unified Messaging, and Client Access server roles. At first glance, RBAC may seem very similar to the Exchange Server 2007 server permissions model, but it actually allows for much greater flexibility.
Using RBAC allows you to easily control what your administrators and users can (and cannot) access. Rather than applying permissions directly to user accounts, the permissions are applied directly to the role. Members are added to a particular role when they need a particular level of permissions.
In addition, role assignments can be "scoped" to include only specific resources within the organization. The role (and the permissions associated with it) allows certain tasks to be accomplished, while the role scope determines what resources can be administered.
The RBAC model consists of:
- Management Role -- A container for grouping management role entries.
- Management Role Entries -- A cmdlet (including parameters) that is added to a management role. This process grants rights to manage or view the objects associated with that cmdlet.
- Management Role Assignment -- The assignment of a management role to a particular user or a universal security group. This grants the user (or the members of the security group) the ability to perform the management role entries in the management role that they are assigned to.
- Management Role Scope -- Used to target the specific object or objects that the management role assignment is allowed to control. A management role scope can include servers, organizational units, filters on server or recipient objects, and more.
As described by Microsoft, this process allows complete control of the who (management role assignment), the what (management role and management role entries), and the where (management role scope) in the security model.
Role Based Access Control is not used on Edge Transport servers, as these servers are designed to sit outside the domain.
Exchange Server 2010 provides several built-in management roles that cannot be modified; the management role entries configured on them are fixed as well. However, the scope of the built-in management roles can be modified.
The following built-in management roles are included by default in Exchange Server 2010:
- Organization Management -- Administrators assigned to this role have administrative access to the entire Exchange Server 2010 organization, and can perform almost any task against any Exchange Server 2010 object. Even if a task can only be completed by another role, members of the Organization Management role have the ability to add themselves to any other role.
As this role is very powerful, it is recommended that it only be assigned to users who are responsible for organization-level administration. Changes made by this role can potentially impact the entire Exchange organization.
- View Only Organization Management -- This role is the equivalent of the Exchange View-Only Administrator role in Exchange Server 2007. Members of this role can view the properties of any object in the Exchange organization, but cannot modify the properties of any object.
Useful for personnel who need to be able to view the configuration of objects within the environment, but who do not need the ability to add new or modify existing objects.
- Recipient Management -- Administrators assigned to this role have the ability to create, modify, or delete Exchange Server 2010 recipients within the organization.
- Records Management -- Administrators assigned to this role have the ability to configure compliance features, including transport rules, message classifications, retention policy tags, and others.
Often assigned to administrators or members of an organization's legal department who need the ability to view and modify compliance features in an organization.
- GAL Synchronization Management -- Administrators assigned to this role have the ability to configure global address list (GAL) synchronization between organizations.
Other built-in management roles include the Unified Messaging Management, Unified Messaging Recipient Management, Unified Messaging Prompt Management, and Discovery Management.
Membership in the Organization Management Role should be limited to personnel who have advanced knowledge of the Exchange Server operating system and your particular network environment.
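As an added illustration (not taken from the book), the Exchange Management Shell commands below put together the who, what and where pieces described above: a custom management role derived from a built-in one, trimmed role entries, a recipient scope, and a role assignment, followed by a check of who effectively holds the Organization Management role. The group, organizational unit and role names are assumed placeholders for an example organization.

```powershell
# What: a custom role that inherits the entries of the built-in Mail Recipients
# role. Built-in roles cannot be edited, but a child role can be.
New-ManagementRole -Name "Sales Recipient Admins" -Parent "Mail Recipients"

# Trim the child role's entries so it can view and modify, but never delete,
# recipients. Role entries are cmdlets (with parameters) granted by the role.
Get-ManagementRoleEntry "Sales Recipient Admins\Remove-*" | Remove-ManagementRoleEntry -Confirm:$false

# Where: a scope limiting writes to user mailboxes under an assumed Sales OU.
New-ManagementScope -Name "Sales OU Recipients" `
    -RecipientRoot "contoso.com/Sales" `
    -RecipientRestrictionFilter { RecipientType -eq "UserMailbox" }

# Who: assign the role to an assumed universal security group, bound to the scope.
New-ManagementRoleAssignment -Name "Sales Helpdesk - Sales Recipient Admins" `
    -Role "Sales Recipient Admins" `
    -SecurityGroup "Sales Helpdesk" `
    -CustomRecipientWriteScope "Sales OU Recipients"

# Verify what the group can now do and where.
Get-ManagementRoleAssignment -RoleAssignee "Sales Helpdesk" |
    Format-List Role, RoleAssigneeType, RecipientWriteScope, CustomRecipientWriteScope

# Periodic check: list every user who effectively holds Organization Management,
# expanding group membership, so that the role stays limited to organization-level admins.
Get-ManagementRoleAssignment -Role "Organization Management" -GetEffectiveUsers |
    Where-Object { $_.EffectiveUserName -ne "All Group Members" } |
    Select-Object RoleAssigneeName, EffectiveUserName |
    Sort-Object EffectiveUserName -Unique
```

Run the last query from a scheduled task and compare its output against an approved list to catch anyone who has added themselves to the role.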
Printed with permission from Sams Publishing. Copyright 2009. Exchange Server 2010 Unleashed by Rand Morimoto, Michael Noel, Chris Amaris, Andrew Abbate and Mark Weinhardt. For more information about this title and other similar books, please visit Sams Publishing.
This was first published in May 2010