Exchange 2010 Role Based Access Control (Part 2)

If you would like to read the other parts in this article series please go to:

Introduction

This is the second part of an article series in which we will be taking a look at the overall Role Based Access Control (RBAC) model in Exchange 2010 and seeing how the two main methods of assigning permissions work. We started part one by looking at the management role group method of assigning permissions and so we will continue looking at this method here in part two.

Management Role Group Membership

Within this article series, we shall concentrate on just a single management role group, namely the Discovery Management role group. As its name implies, assigning a user to this group gives them the ability to be able to perform searches across all employees’ mailboxes for legal reasons. By concentrating on just a single management role group, we will be able to see how the various RBAC components work together to give members of this management role group the ability to perform mailbox searches. Once we’ve looked at this process, you should be in a position to understand how management role groups work and perhaps take the time to look at the remaining default management role groups to see how they can be used within your Exchange organization.

Let’s start by looking at the Exchange Management Shell cmdlets required to control membership of management role groups and specifically how we can control membership of the Discovery Management role group. By default, this management role group contains no members.

The Add-RoleGroupMember cmdlet is used to add members to any management role group. Therefore, to add the user ‘Neil’ to the Discovery Management role group, the following cmdlet would be used:

Add-RoleGroupMember 'Discovery Management' -Member Neil

Similarly, it’s easy to remove members from the management role group via the Remove-RoleGroupMember cmdlet. To remove the user we’ve just added, the following cmdlet would be used:

Remove-RoleGroupMember 'Discovery Management' -Member Neil

Note that running the Remove-RoleGroupMember cmdlet without the -Confirm parameter set to $false will cause the Exchange Management Shell to prompt you to confirm the removal, so take this into account if you are using this cmdlet in a script.

If at any time you wish to retrieve the members of the Discovery Management role group, use the Get-RoleGroupMember cmdlet as you can see from Figure 2.


Figure 2: The Get-RoleGroupMember Cmdlet

Finally, there is also the useful Update-RoleGroupMember cmdlet, which replaces the entire membership of a management role group in one step. For example, let's assume that the user Neil is already a member of the Discovery Management role group, as shown in Figure 2. If we require two new members, Mark and Rob, to be added to the management role group while at the same time removing all existing members, the Update-RoleGroupMember cmdlet can be used in the following way:

Update-RoleGroupMember 'Discovery Management' -Members Mark,Rob -Confirm:$false

You can see the results of running this cmdlet in Figure 3, where the management role group membership is also shown before and after running the Update-RoleGroupMember cmdlet.


Figure 3: Updating Management Role Group Membership
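Because the Discovery Management role group grants the ability to search every mailbox in the organization, its membership is worth checking regularly rather than only at the time someone is added. The script below is an added example (not from the article) that ties the four membership cmdlets together: it compares the current members of the group with an approved list, reports any drift, and only changes membership when the -Remediate switch is supplied. It assumes it is run in the Exchange Management Shell; the approved names Mark and Rob are constructed sample values, and the -Remediate switch is an assumption of this script, not an Exchange parameter.

```powershell
# Added example: audit Discovery Management membership against an approved list.
# Assumes the Exchange Management Shell; $Approved holds constructed sample names.
param(
    [switch]$Remediate   # hypothetical switch: without it the script only reports
)

$RoleGroup = 'Discovery Management'
$Approved  = @('Mark', 'Rob')   # constructed sample: the people who should hold this role group

# Get-RoleGroupMember returns recipient objects; keep just the Name of each member
$Current = @(Get-RoleGroupMember -Identity $RoleGroup | ForEach-Object { $_.Name })

$Unexpected = @($Current  | Where-Object { $Approved -notcontains $_ })
$Missing    = @($Approved | Where-Object { $Current  -notcontains $_ })

Write-Host "Current members of '$RoleGroup': $($Current -join ', ')"

foreach ($name in $Unexpected) {
    Write-Warning "Member '$name' of '$RoleGroup' is not on the approved list"
}
foreach ($name in $Missing) {
    Write-Warning "Approved member '$name' is missing from '$RoleGroup'"
}

if ($Remediate) {
    # -Confirm:$false is needed so Remove-RoleGroupMember does not prompt inside a script
    foreach ($name in $Unexpected) {
        Remove-RoleGroupMember -Identity $RoleGroup -Member $name -Confirm:$false
    }
    foreach ($name in $Missing) {
        Add-RoleGroupMember -Identity $RoleGroup -Member $name
    }
    # Re-read membership to show the end state
    Get-RoleGroupMember -Identity $RoleGroup
}
elseif ($Unexpected.Count -gt 0 -or $Missing.Count -gt 0) {
    Write-Host "Run again with -Remediate to apply the approved list."
}
```

When the goal is simply to make the membership equal to the approved list, the one-line alternative shown in the article, Update-RoleGroupMember with -Members and -Confirm:$false, does the same job; the longer form above is useful when you want the report of what changed before anything is altered.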

Management Roles

Now that we’ve seen the Exchange Management Shell cmdlets responsible for maintaining the membership of the management role groups, let’s turn our attention now to examining the properties of the Discovery Management role group. It’s easy enough to add users to this management role group but it’s very important to understand how this management role group gives the users assigned to the group the necessary permissions to perform the required tasks.

The first thing to understand is that the management role group is a group to which one or more management roles are assigned. To view the properties of this management role group, which include information such as which management roles are assigned to the group, use the Get-RoleGroup cmdlet against the relevant management role group name and pipe the results to the Format-List cmdlet (alias fl). For example:

Get-RoleGroup 'Discovery Management' | fl

The result of running this cmdlet is shown in Figure 4.


Figure 4: Results of the Get-RoleGroup Cmdlet

You can see from Figure 4 that there are several interesting parameters associated with the Discovery Management role group but for the moment we will focus on the Roles parameter which is the fourth parameter listed in Figure 4. The Roles parameter setting shows that the Discovery Management role group is assigned the Legal Hold and Mailbox Search management roles. These are two of the built-in management roles that come with Exchange 2010. At the time of writing this article, there are 64 different built-in management roles that come with Exchange 2010. By running the Get-ManagementRole cmdlet you can obtain a full list as you can see from Figure 5. Note that not all management roles are shown in Figure 5 as the output extends past the bottom of the window.


Figure 5: The Default Management Roles

Any user that is added to the Discovery Management role group therefore receives both the Legal Hold and Mailbox Search management roles. It should be fairly obvious from the names of the two management roles that are assigned to the Discovery Management role group that it is the Mailbox Search role that will give the user the ability to perform mailbox searches for legal discovery reasons. Management roles themselves hold a group of cmdlets that the user assigned to the management role group is allowed to run. These cmdlets are known as management role entries and we’ll look at those later in this article series. For now, we need to look at something called management role assignments which are shown in Figure 4 in the RoleAssignments parameter of the output.

Management Role Assignments

Management role assignments are the links between the management role group and the management role. If you look back at Figure 4, you can see that the Discovery Management role group has two management role assignments:

  • Legal Hold-Discovery Management
  • Mailbox Search-Discovery Management

As we are focusing on the mailbox search element of discovery management within this article at the moment, let’s bring up the properties of the Mailbox Search-Discovery Management role assignment. This can be achieved using the Get-ManagementRoleAssignment cmdlet:

Get-ManagementRoleAssignment 'Mailbox Search-Discovery Management' | fl

You can see the results of running this cmdlet in Figure 6.


Figure 6: Properties of a Management Role Assignment

One of the key things about the management role assignment is that it can use a management scope. Furthermore, the management scope can be configured differently for server and recipient objects. You can see in the middle of Figure 6 that the RecipientReadScope and RecipientWriteScope attributes are both set to a value of Organization. This means that the scope of this particular management role assignment for recipients is set across the entire Exchange organization rather than, say, a particular Organizational Unit. Of course, you would expect this because the users who are assigned the Mailbox Search role will require the ability to search mailboxes across the entire organization.

You can also see from Figure 6 that the RoleAssignmentDelegationType attribute is set to Regular, which means that the Mailbox Search-Discovery Management role assignment is a regular role assignment. A regular role assignment gives the role assignees, in this case the members of the Discovery Management role group, the ability to run the management role entries (the cmdlets) associated with the Mailbox Search management role. The other type of management role assignment is a delegating management role assignment, which gives the role assignee the ability to assign the role to other role assignees. For these management role assignments the RoleAssignmentDelegationType attribute will be set to DelegatingOrgWide.
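The chain described in the last three sections (role group, its roles, and the role assignments that link them, each with a scope and a delegation type) can be walked in one script. The following is an added example, not code from the article: it assumes the Exchange Management Shell, starts from the Discovery Management role group, lists every role assignment made to it with the scope and delegation attributes discussed above, and flags anything that differs from the default shape shown in Figure 6 (a delegating assignment, a disabled assignment, or a recipient scope other than Organization). It finishes by listing who holds a delegating assignment for the Mailbox Search role, since those are the assignees able to hand the search capability to others.

```powershell
# Added example: walk role group -> roles -> role assignments and flag deviations
# from the defaults the article shows for Discovery Management.
# Assumes the Exchange Management Shell.
$RoleGroupName = 'Discovery Management'

$rg = Get-RoleGroup -Identity $RoleGroupName
Write-Host "Roles assigned to '$($rg.Name)': $($rg.Roles -join ', ')"

# Every assignment whose assignee is this role group (e.g. 'Mailbox Search-Discovery Management')
$assignments = @(Get-ManagementRoleAssignment -RoleAssignee $RoleGroupName)

$assignments |
    Select-Object Name, Role, RoleAssignmentDelegationType,
                  RecipientReadScope, RecipientWriteScope, Enabled |
    Format-Table -AutoSize

$findings = @()
foreach ($a in $assignments) {
    # Figure 6 shows Regular; anything else lets the assignee delegate the role onward
    if ($a.RoleAssignmentDelegationType -ne 'Regular') {
        $findings += "$($a.Name): delegation type is $($a.RoleAssignmentDelegationType)"
    }
    # Figure 6 shows Organization for both recipient scopes; a change here is worth knowing about
    if ($a.RecipientReadScope -ne 'Organization' -or $a.RecipientWriteScope -ne 'Organization') {
        $findings += "$($a.Name): recipient scope is $($a.RecipientReadScope)/$($a.RecipientWriteScope)"
    }
    if (-not $a.Enabled) {
        $findings += "$($a.Name): assignment is disabled"
    }
}

if ($findings.Count -eq 0) {
    Write-Host "All assignments to '$RoleGroupName' match the default shape."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}

# Who can delegate the Mailbox Search role to other assignees?
Write-Host "Delegating assignments for the Mailbox Search role:"
Get-ManagementRoleAssignment -Role 'Mailbox Search' |
    Where-Object { $_.RoleAssignmentDelegationType -ne 'Regular' } |
    Select-Object Name, RoleAssigneeName, RoleAssigneeType, RoleAssignmentDelegationType |
    Format-Table -AutoSize
```

The comparisons are against the values the article shows for the default Discovery Management assignment; if you have deliberately narrowed the recipient scope for your organization, adjust the expected values in the script accordingly.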

Summary

That completes part two of this article series where we have seen the links between management role groups, management roles and management role assignments. In part three, we’ll be completing the picture by examining management role entries and then seeing the end result whereby a user can perform a mailbox search via membership of the Discovery Management role group.
