A question that has come up several times in recent months is: How do I create RBAC roles that present only very limited ActiveSync management functionality?
Before we dive into the answer let us do a quick review of what RBAC (Role Based Access Control) is.
Prior to Exchange 2010 permissions were defined through tools like DSACLS and ADSIEdit. This let you specify what objects a user or group could touch and what they could do to the object as a whole. If a user needed write access to one specific property of an object, but not the other properties, there was no easy way to handle this. RBAC does not define permissions on the object; instead it defines permissions on the PowerShell cmdlets that can modify the object. PowerShell cmdlets get added to a role and a user or group is assigned to the role. If the cmdlet and parameters you need are part of a role you participate in, then you will be able to run the cmdlet.
In the Exchange Management Shell you can run (get-excommand).count to see how many Exchange cmdlets you currently have access to. In the Exchange Control Panel (ECP) and the Exchange Management Console the cmdlets you have access to determine what options are displayed. Therefore if a window in either GUI requires you have specific PowerShell cmdlets in your role, but you do not have them one of two results is possible:
- The window will not be displayed (in fact options that lead to it are unlikely to be offered)
- The window will display, but all content will be disabled (this is typical if you have the relevant Get- cmdlets, but lack one or more of Set, New, Add, etc.)
For more detail around RBAC, please start with the following:
- RBAC and the Triangle of Power http://blogs.technet.com/b/exchange/archive/2009/11/16/3408825.aspx
- Understanding Role Based Access Control http://technet.microsoft.com/en-us/library/dd298183.aspx
Read more at source: http://blogs.technet.com/b/exchange/archive/2012/09/12/rbac-walkthrough-of-creating-a-role-that-can-wipe-activesync-devices.aspx