Last Update: Sep 04, 2024 | Published: Apr 29, 2011
Microsoft Exchange Server 2010 now comes with the new RBAC (Role Based Access Control) permissions model. This new permissions model allows you to define both a broad, as well as a more granular assignment of permissions to administrators. The roles you assign to administrators can reflect more accurately the actual roles they perform in your organization.
Previous to Exchange Server 2010, Microsoft Exchange administrators who needed to create new administrators, or assign new permissions to existing ones, used to get stumped when deciding which administration group to assign administrators to. Each administration group contains different sets of permissions, and older versions of Exchange had only a few administration groups to choose from. As a result, administrators often ended up being assigned to admin groups that enabled them with more permissions than were appropriate for their role.
Note: If you’re familiar with the concept of role groups and roles, you can go straight to the section “Predefined Role Groups and Roles”.
An important concept you need to understand in order to appreciate RBAC is the relationship between role groups, roles, cmdlets (commandlets) and parameters.
First of all, a role defines a set of tasks a particular administrator can perform. For instance, the ‘Mail Recipients’ role enables admins to perform the tasks of managing mailboxes, mail users, and mail contacts. When an admin is assigned a role, he is, in effect, granted the permissions that come with that role. The act of ‘granting permissions to perform certain tasks’ simply translates to giving access to the cmdlets or parameters associated with those tasks.
In some cases, a single admin will need to be assigned multiple roles. It is possible to collect a set of roles, put them together in what is known as a role group, and then assign that role group to an admin.
Conversely, it is also possible to assign multiple members (admins) to a role group. This means, all those admins assigned to that role group will be able to perform similar roles and, as a consequence, will have access to the same cmdlets and parameters included in those roles.
It is worth noting that while you can perform granular assignments in Exchange 2010, there are also Predefined Role Groups that you can use if you’re still learning your way around RBAC and temporarily want an easier way of assigning permissions.
If we include all predefined role groups (specifically called Predefined Universal Security Groups), there are 16 in all. However, only 11 are really used for RBAC. The rest are used internally by Exchange. In this article, we’re more concerned with the role groups used for RBAC and have listed them below, along with a brief description for each one.
I’ll now proceed to show you how to delegate these predefined roles to your administrators.
First, open up your Exchange Management Console. In the leftmost panel, select Toolbox. Next, go to the center panel, scroll down, and click Role Based Access Control (RBAC) as shown below.
That action will take you to the Exchange Control Panel, where you will be asked to login. After doing so, navigate to the Administrator Roles panel.
Under Role Groups, you’ll find a list containing all eleven Predefined Role Groups mentioned earlier. Each time you select a role, its corresponding Description, the roles assigned to it (known as Assigned Roles), and the administrators given those roles (known as Members) will be shown in the panel on the right (see screenshot above).
To assign a Member to a Predefined Role Group, just double-click on a Predefined Role Group on the list. This should take you to that particular Role Group’s own window. For example, double-clicking Discovery Management brings up the window you see below.
There you’ll see the role group’s name (in our example, it’s “Discovery Management”), a brief description of the role group, Assigned Roles and write scopes, as well as a list of members at the bottom (initially empty). To add a member, just click on the “+ Add” button as shown in the screenshot above.
In the next window, find and select the name of the admin you want to add as a member, then click OK.
You’ll then see the newly added member in the previously empty Members box.
If you have more admins to add to this role group, you may continue doing so here. When you’re done, click the Save button.
Remember that, not only are you allowed to add multiple admins as members of a role group, you can also assign multiple role groups to a single admin. Again, you do that in the Administrator Roles panel.
Before we end this article, let’s have a look at a graphical representation that summarizes how RBAC works.
Members of the Exchange team like to depict the workings of the RBAC with what they call the “Triangle of Power”.
The Triangle of Power is made up of four main components: the Where, the What, the Who, and the Glue.
The Where or Scope represents the range over which a particular role assignment is supposed to apply, i.e., a single organizational unit, a single user, a group of users, or the entire organization.
The What or Role represents what your role can actually do. Exchange Server 2010 has 65 built-in roles that you can either use straightaway or build from.
The Who or Role Group, as we mentioned way back, is simply a collection of roles (which in turn are made up of cmdlets and parameters). You combine this with the Scope to come up with a complete Role Assignment.
As you’ve seen earlier, using the RBAC’s predefined role groups can significantly simplify your job of granting permissions to other administrators. However, what we took up was just the broad way of assigning permissions using RBAC.
What if you want someone to make transport rules but don’t want him to have anything to do with retention rules and message classifications? Obviously, assigning him to the Records Management role group would not suffice because it would grant him more permissions than you want him to have.
For this task, we would need to take on the granular way of assigning permissions in RBAC, which is found in Part II of this article.