More on RBAC and customizing new roles for specific needs

RBAC roles are the permissions model of the new version of Exchange, and many customers rely on them heavily to delegate different tasks.

However, when it comes to the implementation, defining management roles, role entries and role groups is not always that clear.

By default, each user has the "Default Role Assignment Policy" assigned, which grants users permission to set their Outlook Web App options and perform self-administrative tasks.

The policy above includes the MyDistributionGroups role. This role enables individual users to create, modify and view distribution groups, and to add, remove, view and modify members of the distribution groups they own.

Let's say we want individual users to be able to perform specific actions on the distribution groups they own, even if those groups are hidden from the Global Address List. To do that, we create a custom management role based on the Distribution Groups management role, which enables administrators to create and manage groups and distribution group members across the whole organization. We then compare its actions with those available to the MyDistributionGroups role, remove the extra permissions, and adjust the result until it matches our needs.

To implement a solution based on an existing RBAC management role, we follow the steps below.

1. First, we create a new custom management role, which is basically a collection of actions (cmdlets) we can perform once the role is assigned, based on the built-in Distribution Groups role, using the following command:

New-ManagementRole -Name "Distribution Groups ManagedBy" -Parent "Distribution Groups"

2. We then compare the management role entries (cmdlets) provided by the new custom role and by the MyDistributionGroups default role.

We need this information to remove the cmdlets and cmdlet parameters we don't want to make available through the custom management role.

First, we determine the cmdlets of the custom role using the command:

Get-ManagementRoleEntry "Distribution Groups ManagedBy\*" | Format-Table Name

Name
----
Add-DistributionGroupMember
Disable-DistributionGroup
Enable-DistributionGroup
Get-ADServerSettings
Get-AcceptedDomain
Get-DistributionGroup
Get-DistributionGroupMember
Get-DomainController
Get-DynamicDistributionGroup
Get-Group
Get-MailUser
Get-Mailbox
Get-OrganizationalUnit
Get-Recipient
Get-ResourceConfig
Get-User
New-DistributionGroup
New-DynamicDistributionGroup
Remove-DistributionGroup
Remove-DistributionGroupMember
Remove-DynamicDistributionGroup
Set-ADServerSettings
Set-DistributionGroup
Set-DynamicDistributionGroup
Set-Group
Set-OrganizationConfig
Update-DistributionGroupMember
Write-AdminAuditLog

Now run the following command to list the cmdlets for the MyDistributionGroups role:

Get-ManagementRoleEntry "MyDistributionGroups\*" | Format-Table Name

Name
----
Update-DistributionGroupMember
Set-Group
Set-DynamicDistributionGroup
Set-DistributionGroup
Remove-DistributionGroupMember
Remove-DistributionGroup
New-DistributionGroup
Get-Recipient
Get-Group
Get-DistributionGroupMember
Get-DistributionGroup
Add-DistributionGroupMember

By comparing the two lists, we can identify the cmdlets that the MyDistributionGroups role does not provide. Since we want the new RBAC role to match the default distribution group role, we have to remove the additional role entries inherited from the Distribution Groups parent role.

3. Using the Remove-ManagementRoleEntry command, we remove the cmdlets that are not required from the custom role.

The example below removes the Disable-DistributionGroup cmdlet:

[PS] C:\>Remove-ManagementRoleEntry "Distribution Groups ManagedBy\Disable-DistributionGroup"

Confirm
Are you sure you want to perform this action?
Removing the "(Microsoft.Exchange.Management.PowerShell.E2010) Disable-DistributionGroup -Confirm -Debug
-DomainController -ErrorAction -ErrorVariable -Identity -IgnoreDefaultScope -OutBuffer -OutVariable -Verbose
-WarningAction -WarningVariable -WhatIf" management role entry on the "Distribution Groups ManagedBy" management role.
[Y] Yes [A] Yes to All [N] No [L] No to All [?] Help (default is "Y"): y

We repeat the command above until all the cmdlets we don't need are removed. We also remove the New-DistributionGroup cmdlet, to take away the ability to create new distribution groups.

4. We can also determine and remove the cmdlet parameters that are not required on the remaining cmdlets.

As before, we compare the parameters of each cmdlet in MyDistributionGroups with the parameters of the same cmdlet in the custom role, and note the ones the default role does not include.

Use the following command to display the list of parameters for a cmdlet. In the example below, the parameters of Add-DistributionGroupMember are listed:

(Get-ManagementRoleEntry "MyDistributionGroups\Add-DistributionGroupMember").Parameters

Confirm
ErrorAction
ErrorVariable
Identity
Member
OutBuffer
OutVariable
WarningAction
WarningVariable
WhatIf

Repeat this for the same cmdlet from the custom Distribution Groups ManagedBy role we created:

[PS] C:\>(Get-ManagementRoleEntry "Distribution Groups ManagedBy\Add-DistributionGroupMember").Parameters

Confirm
Debug
DomainController
ErrorAction
ErrorVariable
Identity
Member
OutBuffer
OutVariable
Verbose
WarningAction
WarningVariable
WhatIf

5. Remove the extra parameters from the custom role entries. Once you have the list of parameters to be removed, use the Set-ManagementRoleEntry command with the -RemoveParameter switch. In the example below, the Debug, DomainController and Verbose parameters are removed from the Add-DistributionGroupMember cmdlet:

Set-ManagementRoleEntry "Distribution Groups ManagedBy\Add-DistributionGroupMember" -Parameters Debug, DomainController, Verbose -RemoveParameter

Repeat these steps for every cmdlet that has parameters which are not part of the corresponding entry in the default role.

6. Once we have the desired cmdlets and parameters customized for our management role, we can assign it to a user or to a role group. Rather than assigning a management role directly to a user, we assign it to a role group, to which we add the users who need to perform the specific actions.

The following command creates a new role group called ManagedBy Group and assigns to it the custom management role we have created and customized:

New-RoleGroup -Name "ManagedBy Group" -Roles "Distribution Groups ManagedBy"

This command creates the role group and also a role assignment called Distribution Groups ManagedBy-ManagedBy Group. This assignment uses the implicit recipient write scope of the custom management role, which is inherited from the parent role's default scope. We can see the scope by using the following command:

Get-ManagementRoleAssignment -Role "Distribution Groups ManagedBy" | Format-List Name, *RecipientWriteScope

Name : Distribution Groups ManagedBy-ManagedBy Group
CustomRecipientWriteScope :
RecipientWriteScope : Organization

Notice that the RecipientWriteScope is set to Organization, which is far too broad for this assignment: it would let the members of the role group modify any distribution group in the organization. The scope must be changed so that a user can manage only the distribution groups they own. The following command sets the recipient relative write scope of the assignment created above to MyDistributionGroups:

Set-ManagementRoleAssignment "Distribution Groups ManagedBy-ManagedBy Group" -RecipientRelativeWriteScope MyDistributionGroups

7. Finally, we test the role assignment: we add a user to the role group created in step 6 and open the ECP as that user.

The user keeps the broader read scope of the role, which lets them see the hidden objects while managing the distribution groups they own; the write scope, however, is now limited to those groups.
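To make steps 2 to 6 repeatable and reviewable, the script below (an added example, not part of the original post) diffs the custom role against MyDistributionGroups, previews every removal with -WhatIf, and refuses to leave the assignment with an Organization-wide write scope. It assumes an Exchange Management Shell session and the role, role group and assignment names used above.

```powershell
# Added example: automate the role-entry and parameter comparison from the post.
# Assumes the names used in the post; adjust them for your organization.
$CustomRole     = "Distribution Groups ManagedBy"
$TemplateRole   = "MyDistributionGroups"
$AssignmentName = "$CustomRole-ManagedBy Group"

# Steps 2/3: entries present in the custom role but not in the template role.
$custom        = @(Get-ManagementRoleEntry "$CustomRole\*")
$template      = @(Get-ManagementRoleEntry "$TemplateRole\*")
$templateNames = @($template | ForEach-Object { $_.Name })

$extraEntries = @($custom | Where-Object { $templateNames -notcontains $_.Name })
# The post also drops New-DistributionGroup so group owners cannot create groups.
$extraEntries += @($custom | Where-Object { $_.Name -eq "New-DistributionGroup" })

foreach ($entry in $extraEntries) {
    # Preview only; remove -WhatIf once the list has been reviewed.
    Remove-ManagementRoleEntry "$CustomRole\$($entry.Name)" -Confirm:$false -WhatIf
}

# Steps 4/5: on every cmdlet that stays, strip parameters the template lacks
# (for example Debug, DomainController and Verbose on Add-DistributionGroupMember).
foreach ($entry in $custom | Where-Object { $templateNames -contains $_.Name }) {
    $templateParams = @(($template | Where-Object { $_.Name -eq $entry.Name }).Parameters)
    $extraParams    = @($entry.Parameters | Where-Object { $templateParams -notcontains $_ })
    if ($extraParams.Count -gt 0) {
        Set-ManagementRoleEntry "$CustomRole\$($entry.Name)" -Parameters $extraParams -RemoveParameter -WhatIf
    }
}

# Step 6 check: an Organization write scope lets role group members edit any group.
$assignment = Get-ManagementRoleAssignment $AssignmentName
if ($assignment.RecipientWriteScope -eq "Organization") {
    Write-Warning "$AssignmentName writes to the whole organization; restricting it to owned groups."
    Set-ManagementRoleAssignment $AssignmentName -RecipientRelativeWriteScope MyDistributionGroups -WhatIf
}
```

Run it once with -WhatIf to review the planned removals in the shell output, then remove the -WhatIf switches to apply them; the admin audit log records each change.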

Following the steps above, we can create different RBAC roles, role groups and assignments to suit the goals of our Exchange organization.

I hope you find the information useful,

        Gabriel MUNTEAN