RBAC-Exchange 2010 Sp1 Beta – Scopes = EMC, EMS, and ECP (!)

As described in this TechNet forums thread (http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/92925f7c-97ba-4a96-a4c4-33c193a7b201), I had the same problem when delegating permissions using RBAC and setting a scope to a subset of users in my Exchange 2010 RTM organization.

For example, when I delegated the “Mail Recipients” role to a user and added the RecipientOrganizationalUnitScope parameter so that the user could only manage mail recipients located in one particular Organizational Unit, the user was indeed limited to the intended recipients in both the Exchange Management Console (EMC) and the Exchange Management Shell (EMS). In the Exchange Control Panel (ECP), however, all recipients were marked as read-only.

Let’s see whether this behaves differently in an Exchange 2010 organization deployed with Sp1 Beta, available for download here.

Step 1. Creating the WHERE = Creating a Management SCOPE

I want my user “Admin1” to be able to manage all mailbox-enabled users that have CustomAttribute6 set to a value of “Sunshine”.

In my environment, I have a total of 44 mailbox-enabled users, of which 11 have been given the value “Sunshine” for CustomAttribute6.

Pic0619

To create the scope, I use the EMS cmdlet New-ManagementScope, name the scope “CA6 = Sunshine”, and define two criteria:

- only mailbox-enabled users

- that have the value “Sunshine” set for CustomAttribute6.

Pic0621

Using the cmdlet Get-Recipient, it is easy to see which objects fall within the defined scope:

Pic0622

Step 2. Define the WHAT = Creating or customizing a Management ROLE

I want my Admin1 to be able to manage all mail recipients, EXCEPT for changing the value of CustomAttribute6.

Therefore I will create a new management role by copying the existing Mail Recipients role and removing the parameter CustomAttribute6 from the list of parameters that can be changed. In addition, I do not want Admin1 to be able to change the phone number, since these numbers are linked to my CS14 environment!

First, copy the existing management role of Mail Recipients:

Pic0623

Second, remove the Phone and CustomAttribute6 parameters!

Pic0624

Pic0625

Step 3. Define the WHO = Creating a ROLE GROUP

In Exchange 2010 Sp1 Beta, it is possible to create a new role group using the Exchange Control Panel.

Logged in to OWA as Administrator, I go to Options, and there I select Manage My Organization.

Pic0626

In the left pane I select Roles & Auditing.

Pic0627

Then I click New…, give the new role group a name and a description, select the scope and role I just created, and add Admin1 to the new group!

Pic0628

Pic0629

After clicking Save, it is time to test :-)
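The three steps above, done entirely from the Exchange Management Shell instead of the ECP, as an added example that is not part of the original post. The role name “Mail Recipients - Restricted”, the role group name “Sunshine Admins” and the description are my own choices; the scope name, the attribute value and the blocked parameters are the ones used in this post.

```powershell
# Added example (not from the original post). Assumes an Exchange 2010 Sp1
# Management Shell session with permissions to manage RBAC.
$scopeName = "CA6 = Sunshine"
$roleName  = "Mail Recipients - Restricted"   # assumed name
$groupName = "Sunshine Admins"                # assumed name
$blocked   = @("Phone", "CustomAttribute6")   # parameters Admin1 may not change

# Step 1 - the WHERE: mailbox-enabled users with CustomAttribute6 = Sunshine.
New-ManagementScope -Name $scopeName -RecipientRestrictionFilter {
    (RecipientType -eq 'UserMailbox') -and (CustomAttribute6 -eq 'Sunshine')
}

# Preview which recipients fall inside the scope before assigning it (expect 11 here).
$scopeFilter = (Get-ManagementScope $scopeName).RecipientFilter
Get-Recipient -RecipientPreviewFilter $scopeFilter | Measure-Object |
    Select-Object -ExpandProperty Count

# Step 2 - the WHAT: copy the built-in Mail Recipients role, then strip the
# blocked parameters from every cmdlet in the copy that exposes them.
New-ManagementRole -Name $roleName -Parent "Mail Recipients"
Get-ManagementRoleEntry "$roleName\*" | ForEach-Object {
    $toRemove = @($_.Parameters | Where-Object { $blocked -contains $_ })
    if ($toRemove.Count -gt 0) {
        Set-ManagementRoleEntry -Identity "$roleName\$($_.Name)" `
            -Parameters $toRemove -RemoveParameter
    }
}

# Verify: no role entry in the new role should still carry a blocked parameter.
$leftovers = Get-ManagementRoleEntry "$roleName\*" |
    Where-Object { $entry = $_; $blocked | Where-Object { $entry.Parameters -contains $_ } }
if ($leftovers) { Write-Warning "Blocked parameters still present: $($leftovers.Name -join ', ')" }

# Step 3 - the WHO: a role group that binds role, write scope and member together.
New-RoleGroup -Name $groupName -Description "Manage Sunshine mailboxes only" `
    -Roles $roleName -CustomRecipientWriteScope $scopeName -Members "Admin1"

# Audit the result: the assignment should show the custom write scope, and Admin1
# should be the only effective user.
Get-ManagementRoleAssignment -RoleAssignee $groupName |
    Format-Table Role, CustomRecipientWriteScope, RecipientWriteScope -AutoSize
Get-ManagementRoleAssignment -Role $roleName -GetEffectiveUsers |
    Select-Object EffectiveUserName
```

Running the same RBAC cmdlets later (Get-ManagementRoleAssignment, Get-ManagementRoleEntry) is also the quickest way to confirm after an upgrade that the scope and the removed parameters are still in force.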

Step 4. Test using EMC

When launching the EMC logged on as Admin1, I can see that the necessary information is retrieved.

Pic0630

Pic0631

When trying to change a setting for user1, I get an access denied error.

Pic0632

When a mailbox-enabled user falls into my management scope, I can change anything, except for the value of CustomAttribute6.

Pic0633

Step 5. Test using the EMS

Same results…

Pic0637

Step 6. Test using ECP

And yes…it works :-)

All settings for users outside my management scope are greyed out, and I can change any permitted setting for a user in my management scope.

Pic0634

Pic0635

Pic0636

Lots of fun coming our way with Exchange 2010 Sp1 :-)

Ilse