
Exchange 2010 - Role Based Access Control

Tuesday, 26 January 2010 12:52 | Written by Veerakumar Elumalai


In Exchange 2010, Microsoft has introduced the Role Based Access Control (RBAC) feature. Unlike the Exchange 2007 permissions model, this feature is used to assign precise permissions to a specialist user or administrator.

Note: Please check the References section for more information about Exchange Server 2010 permissions.

Terms Used

  • Management Role Group: A role group is a Universal Security Group that holds the specialist users or administrators. We can assign the appropriate rights (management roles) to it to manage the users or groups in scope. A number of built-in role groups are available, for example Organization Management, Recipient Management, etc.
    • Role Holders – Normal mailboxes that are members of a management role group
    • Role Group Delegation – We can delegate rights to users to manage the role group. This includes adding or removing members, configuration changes, etc. This is achieved through the ManagedBy property.
    • Linked Role Groups – This type of group is used to hold users from a trusted foreign forest
  • Management Roles: A management role is a group of cmdlets that provides access to view or modify the configuration of Exchange 2010 components. Exchange Server 2010 has built-in management roles as well as custom management roles.
    Examples of built-in roles: Active Directory Permissions Role, Address Lists Role, ApplicationImpersonation Role, Audit Logs Role, cmdlet Extension Agents Role, Database Availability Groups Role, Database Copies Role, Databases Role
  • Management Role Scopes: The scope is the reach of a management role, that is, where the role is applied. A role holder can manage the objects within the scope. There are two types of management scope: Regular and Exclusive.
  • Role assignment policies: These are also management roles, and they enable users to manage their own mailbox (for example: the right to update the phone number, the right to update address details, etc.)

RBAC Overview

The diagram below shows the RBAC overview.

[Diagram: RBAC overview]

Advantages

  • We can give precise permissions to the target user ID
  • It is easy to give users the appropriate rights to manage their own mailbox
  • It is possible to give a specific set of permissions to a single user with the help of Direct User Role Assignment
  • Role assignment is easy to manage by creating multiple role groups
  • It is easy to grant permission for distribution list management and mailbox management

Possible ways to assign RBAC

There are three ways of assigning permissions to users, administrators or management role groups. They are listed below:

  • Management role groups
  • Management role assignment policies
  • Direct user role assignment

Implementation

Scenario – Assigning RBAC through Management role groups

We are going to implement the Role Based Access Control feature in an Exchange Server 2010 environment. Here is the test scenario:

  • Need to create a new role group – Helpdesk India
  • Need to add the members – Supportuser1, Supportuser2
  • Need to add the role group management users – Manager, Administrator
  • Target scope Organizational Unit – India Users (Indiauser1 and Indiauser2 are members of this India Users OU)
  • Role we are going to assign – Move Mailboxes

Constraints

Before starting the implementation we need to analyze the requirements and the constraints as well.

  • Since RBAC cannot be implemented through the Exchange Management Console, we need to use PowerShell commands.
  • We can create multiple role groups, and a single user can be a member of multiple role groups.
  • If an existing group is used, it must be a Universal Security Group. In our scenario it is a new group, so we need to create a new Universal Security Group.

Step 1 – Scope Creation

First we need to create a scope. As per our scenario, we need to create a scope for the OU India Users.

To create the scope, go to Start | All Programs | Microsoft Exchange Server 2010 | Microsoft Management Shell and run:

    New-ManagementScope -Name "India Users Mailboxes" -RecipientRestrictionFilter { RecipientType -eq 'usermailbox' } -RecipientRoot "veera.com/India Users"

Note: The following are variables; they will vary according to your environment

  • veera.com - Domain name
  • India Users - OU name
  • India Users Mailboxes – Just a name for the new scope

Verify that the scope was created successfully.

Step 2 – Role Group Creation

In this step we are going to create a new role group with a set of roles, and we are also going to assign the scope to it.

Go to Start | All Programs | Microsoft Exchange Server 2010 | Microsoft Management Shell and run:

    New-RoleGroup -Name "Helpdesk India" -Roles "Move Mailboxes" -ManagedBy "Manager" -Members "Supportuser1", "Supportuser2" -RecipientScope "India Users Mailboxes"

Note: The following are variables; they will vary according to your environment

  • India Users Mailboxes – Scope name we created in the previous section
  • Supportuser1 and Supportuser2 are the target members of this role group
  • Manager and Administrators are going to manage the role group (for example: add or remove users in the role group)
  • Move Mailboxes is a built-in role

  • Verify that the command completed successfully
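
The result of Steps 1 and 2 can also be checked from the shell. The following is an added example, not part of the original article: it audits the role group from this scenario and flags any role assignment that is not limited to the scope created in Step 1. It assumes the names used above ("Helpdesk India", "India Users Mailboxes"); the function and variable names are illustrative.

```powershell
# Added example: audit a scoped role group from the Exchange Management Shell.
# Names come from the article's scenario; Test-RoleGroupScope is an illustrative name.
function Test-RoleGroupScope {
    param(
        [string]$RoleGroup     = "Helpdesk India",
        [string]$ExpectedScope = "India Users Mailboxes"
    )

    # 1. The scope itself: where it is rooted and which recipients it matches.
    Get-ManagementScope -Identity $ExpectedScope |
        Format-List Name, RecipientRoot, RecipientFilter, Exclusive | Out-Host

    # 2. The role group: its roles, its members and who may change its membership.
    Get-RoleGroup -Identity $RoleGroup |
        Format-List Name, Roles, Members, ManagedBy | Out-Host

    # 3. Every role assignment of the group should be limited to the expected
    #    custom recipient scope. An assignment whose write scope is
    #    "Organization" lets the members act on every mailbox.
    $unscoped = @(Get-ManagementRoleAssignment -RoleAssignee $RoleGroup |
        Where-Object {
            $_.RecipientWriteScope -ne 'CustomRecipientScope' -or
            "$($_.CustomRecipientWriteScope)" -ne $ExpectedScope
        })

    foreach ($a in $unscoped) {
        $found = "$($a.RecipientWriteScope) / $($a.CustomRecipientWriteScope)"
        Write-Warning "$($a.Name): write scope is $found, expected $ExpectedScope"
    }

    # 4. The users who actually receive the role through the group.
    Get-ManagementRoleAssignment -RoleAssignee $RoleGroup -GetEffectiveUsers |
        Select-Object Role, EffectiveUserName, CustomRecipientWriteScope | Out-Host

    # True only when no assignment reaches beyond the expected scope.
    return ($unscoped.Count -eq 0)
}

Test-RoleGroupScope
```

A return value of False means at least one assignment of the group reaches beyond the India Users scope and should be reviewed before the group is handed to the helpdesk.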


Step 3 – Testing

We have created a role group with the Move Mailboxes right; now we need to test the solution. We can check the properties of a role group member: open Active Directory Users and Computers | search for a management role group member (Supportuser1 or Supportuser2) | right-click Supportuser1 | Properties | we can see our management role group name, Helpdesk India.

Note: In my test environment I have given Remote Desktop User permission to Supportuser1 and Supportuser2, and the Ex2010 server has two mailbox databases.

  • Log on to the Exchange Server 2010 server Ex2010 (through MSTSC) with a management role group member ID – Supportuser1 or Supportuser2
  • Open the Exchange Management Console – Start | All Programs | Microsoft Exchange Server 2010 | Microsoft Management Console

Note: I clicked Organization Configuration in the EMC and got an error, because Supportuser1 has only the Move Mailboxes permission.

  • Expand Recipient Configuration | select Mailbox | right-click a user that is within the scope (as per our scenario, India user1 and India User2 are members of the India Users OU). Right-click India User1 | select New Local Move Request
  • Click Browse
  • Select MailboxDB01 | click OK

Note: In my lab environment I have two mailbox databases, so I am testing the solution by moving the mailbox from one database to the other.

  • Click Next to proceed
  • Click Next
  • Click New
  • Click Finish

Congratulations! We have successfully implemented "Role Based Access Control" and tested the functionality.

Conclusion

This new feature should surely help us manage the Exchange 2010 infrastructure in a better way, and it gives us a reason to migrate our existing messaging environment to Microsoft Exchange Server 2010.

References

Permissions in Exchange Server 2010

Comments  

 
0 # Nitin Gupta 2010-01-26 13:41
Good One....Looking forward to more details on RBAC
 
 
0 # Veerakumar Elumalai 2010-01-26 13:47
Thank you, Currently working on RBAC Part -2
 
 
0 # Amit Tank 2010-01-27 17:51
Good starting Veera, looking forward to having in-depth articles on the site...

Thanks,
Amit
 
 
+1 # Veerakumar Elumalai 2010-01-27 21:47
Thanks, sure will post, Amit!!!
 
 
0 # 2010-02-22 14:40
Nice One!
 
 
0 # 2010-02-24 06:07
Hello Veera,
Good article on Role Based access control in Ex2010. Thanks
 
 
0 # 2010-03-03 11:10
Good stuff. Keep going. My requirement is simple. I want to add a user providing all Exchange activity permission. What would be the command set, coz your example is too tough for me.
 
 
+1 # 2010-04-06 22:51
So, can we create one giving a user just the right to create mailboxes and remove them?
 
 
+1 # 2010-04-06 22:52
Actually, I don't want to give the rights to remove-mailbox.. Just to create-mailboxes..
 
 
0 # 2010-04-18 19:46
Good One Veera.....
 
 
0 # 2010-04-24 11:19
Role Based Access Control Active Directory Tutorial Training Video by JiJi Technologies check out the video http://www.youtube.com/user/jijitechnologies#p/u/9/wdxn5veJfk4
 
 
+1 # 2010-12-30 21:19
Hi Guys,

No one has spoken about the various RBAC roles in Exchange hosting mode ...
That is another area which is least covered ..
 
 
0 # Rajendra Sonawane 2011-04-17 20:09
Very good and easy documents to understand.
 

Technical content is licensed under a Creative Commons Attribution 2.5 India License. | 2009 Microsoft Unified Communications - User Group, India All Rights Reserved.