In order for both administrators and users to use
features and functionality in Exchange, they need to have the right
access. The permission model in Exchange Server 2010 has changed
dramatically. This section will help you understand this new permission
model and guide you in using it.
1. Understand the Exchange Server 2010 Administrative Model
The administrative model
changes in Exchange Server 2010 rank high in the list of significant
changes from earlier versions of Exchange. The implementation of
Role-Based Access Controls (RBAC) is more flexible and more granular,
and provides some useful capabilities in specifying what administrators
can do and where they can do it. In this section, you'll learn what RBAC
is and how it works.
1.1. Understand Role-Based Access Control
RBAC is a
completely different permission model than what was used in previous
versions of Exchange. With RBAC, you are no longer assigning permissions
to Exchange objects using access control lists. Instead, you use the
built-in mechanisms of RBAC to delegate access.
Under RBAC, administrators
have access to perform certain tasks in Exchange by being assigned a
management role that has permissions to perform the task. For example,
people assigned the Legal Hold role can put mailboxes on legal hold or
take mailboxes off of legal hold. Administrators can be assigned these
roles directly, or multiple roles can be grouped together into
management role groups. One example of a management role group is the
Discovery Management group. The Discovery Management group has the roles
Legal Hold and Mailbox Search assigned to it. Therefore, anyone who is a
member of the Discovery Management group has the ability to perform the
tasks associated with the Legal Hold and Mailbox Search roles.
NOTE
Management role
groups are represented by universal security groups in the domain. Do
not add users to these groups directly. Instead, use the supported
methods described in this section.
Each management role
consists of management role entries. A management role entry is an EMS
cmdlet or a script that users in a management role can execute. For
example, the Mailbox Import Export management role has three management
role entries defined, as shown in Figure 1.
You will notice that each
management role entry corresponds to an EMS cmdlet. The cmdlet
parameters that the role-holder can use are also specified. If the
parameter is not listed in the management role entry, the role-holder
cannot use that parameter with the cmdlet. You can assign granular
permissions with this type of access model.
Management roles are
assigned to management role groups using a management role assignment.
The assignment not only specifies which roles are in which groups, but
can also define the scope of the role. For example, a management role
assignment can specify that administrators in the Baltimore Recipient
Managers role group can only mail-enable recipients in the Baltimore OU.
Understanding the
interaction between management role groups, management roles, management
role entries, and management role assignments is the key to effectively
using RBAC in your Exchange implementation. Figure 2 summarizes the relationship between these components.
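The Baltimore example above, carried through in the EMS as an added illustration (not from the original text): a scope for the Baltimore OU, a trimmed custom role, and a role group whose assignment is write-scoped to that OU. The OU path contoso.com/Baltimore, the scope, role and group names, and the member "Kim Akers" are assumed placeholders.

```powershell
# Added example (not from the original text). Names below are placeholders:
# contoso.com/Baltimore is the assumed OU, "Kim Akers" an assumed administrator.

# 1. A management scope limiting writes to mailboxes in the Baltimore OU.
#    RecipientRoot must be paired with a RecipientRestrictionFilter.
New-ManagementScope -Name "Baltimore Mailboxes" `
    -RecipientRoot "contoso.com/Baltimore" `
    -RecipientRestrictionFilter "RecipientType -eq 'UserMailbox'"

# 2. A custom role derived from the built-in Mail Recipients role. A child
#    role can only lose entries; it can never gain ones its parent lacks.
New-ManagementRole -Name "Baltimore Recipient Admin" -Parent "Mail Recipients"

# 3. Trim the role entries: keep the Get-* cmdlets plus Set-Mailbox, drop the rest.
Get-ManagementRoleEntry "Baltimore Recipient Admin\*" |
    Where-Object { $_.Name -notlike "Get-*" -and $_.Name -ne "Set-Mailbox" } |
    Remove-ManagementRoleEntry -Confirm:$false

# 4. Narrow Set-Mailbox to the parameters a recipient manager needs. Without
#    -AddParameter/-RemoveParameter the list replaces the entry's parameter set,
#    so any parameter not named here is unusable by holders of this role.
Set-ManagementRoleEntry "Baltimore Recipient Admin\Set-Mailbox" `
    -Parameters Identity,DisplayName,Alias,CustomAttribute1

# 5. A role group holding that role. The role assignment created here carries
#    the custom write scope, so mailboxes outside the Baltimore OU stay untouchable.
New-RoleGroup -Name "Baltimore Recipient Managers" `
    -Roles "Baltimore Recipient Admin" `
    -CustomRecipientWriteScope "Baltimore Mailboxes" `
    -Members "Kim Akers"

# 6. Verify: the assignment should show the custom role with the custom scope,
#    and the role should now contain only the trimmed entries and parameters.
Get-ManagementRoleAssignment -RoleAssignee "Baltimore Recipient Managers" |
    Format-List Role,RoleAssigneeType,RecipientWriteScope,CustomRecipientWriteScope
Get-ManagementRoleEntry "Baltimore Recipient Admin\*" | Format-Table Name,Parameters
```

Step 5 is the supported way to populate the group that the NOTE above refers to; Add-RoleGroupMember adds further members later without touching the underlying security group.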
1.2. Review the Built-In Roles and Role Groups
Exchange Server 2010 comes
with several roles and role groups already defined. If you want to view
the list of role groups, you can run the Get-RoleGroup cmdlet in the
EMS. This cmdlet can be run without any parameters to return a list of
all of the role groups. If you specify the identity of an existing role
group, the details of that role group are returned. For example, you can
view the properties of the Help Desk role group using the following
command:
Get-RoleGroup "Help Desk" | fl
Table 1 lists the default role groups that are created by Exchange.
Table 1. The Default Role Groups

Role Group | Group Member Abilities
---|---
Delegated Setup | Install Exchange servers into the organization.
Discovery Management | Perform discovery functionality, such as placing users on legal hold and performing discovery searches.
Help Desk | Perform basic Help Desk functionality, such as changing user display names or other general information.
Hygiene Management | Perform message hygiene functions, such as configuring antivirus and antispam functionality.
Organization Management | Manage almost every aspect of Exchange. These are high-level administrators who are highly trusted.
Public Folder Management | Perform management of public folders and their databases.
Recipient Management | Add and remove recipients, as well as perform other tasks related to recipient management.
Records Management | Administer compliance and policy settings. These administrators have the ability to manage retention settings, journaling, and so forth.
Server Management | Administer all Exchange servers in the organization. This includes the management of databases, connectors, and virtual directories on each server.
UM Management | Administer the Unified Messaging functionality.
View-Only Organization Management | View Exchange configuration information and recipient data in a read-only fashion.
You can also view the various roles that Exchange creates by default. To view the entire list, run the Get-ManagementRole
cmdlet with no parameters. If you want to see the details of a
particular role, such as a list of the cmdlets that it allows
role-holders to execute, you can provide the identity of the role as a
parameter to the cmdlet. For example, the following command will display
the cmdlets that can be executed by people who are in the Move
Mailboxes role:
Get-ManagementRole "Move Mailboxes" | Get-ManagementRoleEntry
In the previous example, we're pipelining the Get-ManagementRole cmdlet
into the Get-ManagementRoleEntry cmdlet. You can use the
Get-ManagementRoleEntry cmdlet to get information about a specific role
entry. If you recall from earlier, a role entry is a cmdlet or script that
people in a role can execute. You will also notice that the output from the
previous command displays not only the cmdlets that can be executed, but
also the parameters that can be used with each cmdlet.
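Turning the review cmdlets from this section into a short access-review script, as an added example (not from the original text): it lists the members of every role group, finds which roles grant a chosen cmdlet and with which parameters, and expands who can effectively run the discovery-related roles named earlier. The role names are the built-in ones discussed above; $cmdlet is an assumed choice.

```powershell
# Added example (not from the original text). Role names are the built-in
# ones from this section; the cmdlet to look up is an assumed choice.

# 1. Who is in each role group? Role-group membership is the first thing an
#    access review checks, especially for Organization Management.
Get-RoleGroup | ForEach-Object {
    $members = @(Get-RoleGroupMember -Identity $_.Name)
    "{0,-40} {1,3} member(s): {2}" -f $_.Name, $members.Count,
        (($members | ForEach-Object { $_.Name }) -join ", ")
}

# 2. Which roles grant a given cmdlet, and which of its parameters? Wildcarding
#    the role half of the "Role\Cmdlet" identity searches every role at once.
$cmdlet = "Set-Mailbox"
Get-ManagementRoleEntry "*\$cmdlet" | Format-Table Role,Name,Parameters -AutoSize

# 3. Who can effectively run the discovery-related roles? -GetEffectiveUsers
#    expands group membership, so the result names users rather than groups.
#    Mailbox Import Export is assigned to no role group out of the box, so any
#    assignment listed for it was added by an administrator and is worth a look.
$sensitiveRoles = "Mailbox Search","Legal Hold","Mailbox Import Export"
foreach ($role in $sensitiveRoles) {
    Get-ManagementRoleAssignment -Role $role -GetEffectiveUsers |
        Select-Object @{n="Role";e={$role}},EffectiveUserName,RoleAssignee,RecipientWriteScope
}
```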