RBAC in Lync: Who can do What on Which Objects?


 

I love Exchange, and I was pretty impressed when I was first introduced to Role Based Access Control in Exchange, since it finally made it possible for an administrator to delegate control as one would want to delegate control.

With the release of Lync, it’s time to see how Lync embraces Role Based Access Control 🙂

RBAC = Who can do What on Which Objects

Who?

In Lync, a role can only be assigned to a universal security group. The role you assign to that group is granted to every member of the group. A user does not have to be Lync-enabled in order to be assigned a Lync admin role.

When a universal security group is a member of another universal security group (the so-called nesting of groups), a user who is a member of group 1, which in turn belongs to group 2, gets the roles assigned to both groups!

What?

In Lync there are 9 built-in roles, the so-called standard roles:

Get-CsAdminRole | Where { $_.IsStandardRole -eq $true } | ft Identity

[Screenshot: output of the command above, listing the nine standard roles]

To see which cmdlets belong to each of these built-in roles, expand the Cmdlets attribute:

Get-CsAdminRole | Where { $_.IsStandardRole -eq $true } | ft Identity,Cmdlets -Wrap

[Screenshot: the standard roles with their Cmdlets attribute, truncated by Format-Table]

To bypass the … (Format-Table truncates long lists) and see the complete cmdlet list of a single role, you can run the following line:

Get-CsAdminRole CsUserAdministrator | Select-Object -ExpandProperty Cmdlets

[Screenshot: the full list of cmdlets granted by CsUserAdministrator]
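Listing one role's cmdlets is only half of the "What" question; in practice you want to know what one role has that another lacks, and which roles (custom ones included, with their scopes) would let someone run a given cmdlet. The script below is an added example, not code from the original post. It assumes the Lync Server Management Shell is loaded and that Get-CsAdminRole reports each entry of the Cmdlets collection as "Name=<cmdlet>" (the prefix strip is a no-op if your build returns bare names).

```powershell
# Added example (not from the original post): compare the cmdlets two roles grant,
# and find every role that grants one particular cmdlet.
# Assumes the Lync Server Management Shell (Get-CsAdminRole) is loaded.

function Get-CsRoleCmdletNames {
    param([Parameter(Mandatory=$true)] [string] $Role)
    # Assumption: Get-CsAdminRole returns the Cmdlets collection as entries of the
    # form "Name=<cmdlet>"; strip that prefix so we compare bare cmdlet names.
    # If entries are already bare names the -replace changes nothing.
    (Get-CsAdminRole -Identity $Role).Cmdlets |
        ForEach-Object { ([string]$_) -replace '^Name=', '' } |
        Sort-Object -Unique
}

function Get-CsRoleCmdletDiff {
    param(
        [Parameter(Mandatory=$true)] [string] $ReferenceRole,
        [Parameter(Mandatory=$true)] [string] $DifferenceRole
    )
    # SideIndicator '<=' : granted only by $ReferenceRole
    # SideIndicator '=>' : granted only by $DifferenceRole
    Compare-Object -ReferenceObject  (Get-CsRoleCmdletNames $ReferenceRole) `
                   -DifferenceObject (Get-CsRoleCmdletNames $DifferenceRole)
}

function Find-CsRolesGrantingCmdlet {
    param([Parameter(Mandatory=$true)] [string] $Cmdlet)
    # Custom roles are included as well, together with their scopes, so the
    # answer is not only who may run the cmdlet but on which objects.
    Get-CsAdminRole | Where-Object {
        (Get-CsRoleCmdletNames $_.Identity) -contains $Cmdlet
    } | Select-Object Identity, IsStandardRole, ConfigScopes, UserScopes
}

# Usage: what does CsAdministrator have that CsUserAdministrator lacks?
Get-CsRoleCmdletDiff -ReferenceRole CsAdministrator -DifferenceRole CsUserAdministrator |
    Where-Object { $_.SideIndicator -eq '<=' } |
    Select-Object -ExpandProperty InputObject

# Usage: which roles may run Set-CsUser, and with what scope?
Find-CsRolesGrantingCmdlet -Cmdlet Set-CsUser | Format-Table -AutoSize
```

The second usage line is the one to keep handy when reviewing a delegation request: if a cmdlet is granted by a role whose ConfigScopes or UserScopes are Global, the group bound to that role can run it against the whole deployment.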

The Glue in Lync = Name of the Role and the SamAccountName of the Universal Security Group

Whereas Exchange 2010 uses role assignments, in Lync the glue that connects the Who to the What is the name of the role and the SamAccountName of the universal security group: a role is bound to the group whose SamAccountName equals the role name. This means that in order to assign any of the existing roles to a user, you add the user to the corresponding built-in universal security group, which by default can be found in the Users container!

[Screenshot: the built-in universal security groups (CsAdministrator, CsUserAdministrator, ...) in the Users container]
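Because the binding is by name, the practical question "who effectively holds this role?" is answered in Active Directory, not in Lync, and nested groups (see the Who? section above) have to be expanded to get the real answer. The script below is an added example, not the post's own code. It assumes the Lync Server Management Shell and the ActiveDirectory module are both available, and that the SID property Get-CsAdminRole reports is the SID of the bound group; the SID comparison is there because a group that was deleted and recreated under the same name gets a new SID, which is the classic way a role stops working while everything still looks right.

```powershell
# Added example (not from the original post): for every Lync admin role, show the
# universal security group it is bound to (the group whose SamAccountName equals
# the role name) and the effective members, with nested groups expanded.
# Assumes the Lync Server Management Shell and the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-CsRoleEffectiveMembers {
    param([string] $Identity = '*')   # role name or wildcard

    foreach ($role in (Get-CsAdminRole | Where-Object { $_.Identity -like $Identity })) {
        $group = $null
        try {
            # Get-ADGroup accepts a SamAccountName as -Identity
            $group = Get-ADGroup -Identity $role.Identity
        } catch {
            # group deleted or never created: the role exists but nobody can hold it
        }

        $members  = @()
        $sidMatch = $false
        if ($group) {
            # Assumption: $role.SID is the SID Lync recorded for the group. A group
            # that was deleted and recreated keeps its name but gets a new SID.
            $sidMatch = ([string]$group.SID -eq [string]$role.SID)
            # -Recursive expands nested groups, so a user in group 1 nested in
            # group 2 is listed under group 2's role, as the post describes.
            $members = Get-ADGroupMember -Identity $group -Recursive |
                Where-Object { $_.objectClass -eq 'user' } |
                Select-Object -ExpandProperty SamAccountName
        }

        New-Object PSObject -Property @{
            Role         = $role.Identity
            Standard     = $role.IsStandardRole
            GroupFound   = [bool]$group
            Universal    = [bool]($group -and $group.GroupScope -eq 'Universal' -and
                                  $group.GroupCategory -eq 'Security')
            SidMatches   = $sidMatch
            ConfigScopes = ($role.ConfigScopes -join ', ')
            UserScopes   = ($role.UserScopes   -join ', ')
            Members      = ($members -join ', ')
        }
    }
}

# Usage: full audit, with broken bindings (missing group, SID mismatch) sorted first
Get-CsRoleEffectiveMembers |
    Sort-Object GroupFound, SidMatches |
    Format-Table Role, GroupFound, Universal, SidMatches, Members -AutoSize

# Usage: who effectively holds CsAdministrator?
(Get-CsRoleEffectiveMembers -Identity CsAdministrator).Members
```

Run the full audit periodically: a row with GroupFound true but SidMatches false is a role nobody can use any more, and a row for CsAdministrator with a long Members list is the first thing to trim.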

Creating Custom Roles

In order to create a custom role, you first need to create a universal security group, and then you create a new CsAdminRole using the Lync Server Management Shell, specifying an existing CsAdminRole as the template.

If the universal security group does not exist yet, New-CsAdminRole fails with the following error message:

[Screenshot: New-CsAdminRole error when the universal security group does not exist]

On Which Objects = Scopes (Config/User)?

With Lync you can scope a role to a site (the config scope) and to an Organizational Unit (the user scope)! Here is an example where we delegate the role CsUserAdministrator to the universal security group ManagerEmployees, and scope it to the Organizational Unit Employees.

[Screenshot: New-CsAdminRole creating ManagerEmployees from the CsUserAdministrator template, scoped to the Employees OU]

In this example we create a new role DublinAdmins, based on the role CsServerAdministrator, and scope it to Site:2.

[Screenshot: New-CsAdminRole creating DublinAdmins from the CsServerAdministrator template, scoped to Site:2]
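The two screenshots above show the happy path. The function below is an added example, not the post's own code: it carries out the same procedure (group first, then New-CsAdminRole with a template and a scope) but checks the prerequisites up front, so the "group does not exist" error and the less obvious "group is not universal" case are caught before anything is written to the Central Management Store, and reads the role back so the scope that was actually applied is visible. The group names, the OU path and the site name are assumptions for the example; use the site Identity your own Get-CsSite output shows (the post's screenshot uses the form Site:2).

```powershell
# Added example (not from the original post): create a custom, scoped Lync role the
# way the post describes, checking the prerequisites that otherwise only surface as
# errors. Group names, OU path and site name below are assumptions.
Import-Module ActiveDirectory

function New-CsScopedAdminRole {
    param(
        [Parameter(Mandatory=$true)] [string] $GroupName,  # SamAccountName of the USG = new role name
        [Parameter(Mandatory=$true)] [string] $Template,   # existing role whose cmdlets are copied
        [string[]] $UserScopes,     # e.g. 'OU:ou=Employees,dc=contoso,dc=com'
        [string[]] $ConfigScopes    # e.g. 'site:Dublin' (take the value from Get-CsSite)
    )

    # 1. The universal security group must exist before New-CsAdminRole is called;
    #    a missing group is the case that produces the error shown in the post.
    $group = Get-ADGroup -Filter { SamAccountName -eq $GroupName }
    if (-not $group) {
        throw "Universal security group '$GroupName' not found. Create it first, then re-run."
    }
    if ($group.GroupScope -ne 'Universal' -or $group.GroupCategory -ne 'Security') {
        throw "'$GroupName' is $($group.GroupScope)/$($group.GroupCategory); Lync roles require a universal security group."
    }

    # 2. The template must be an existing role. Its cmdlet list is inherited as-is:
    #    cmdlets cannot be removed when creating a custom role.
    $null = Get-CsAdminRole -Identity $Template -ErrorAction Stop

    # 3. Create the role, passing only the scope parameters that were supplied, so an
    #    unscoped call keeps the template's scope instead of sending empty values.
    $params = @{ Identity = $GroupName; Template = $Template }
    if ($UserScopes)   { $params['UserScopes']   = $UserScopes }
    if ($ConfigScopes) { $params['ConfigScopes'] = $ConfigScopes }
    New-CsAdminRole @params

    # 4. Read it back: the scopes are what limit the delegation, so verify them.
    Get-CsAdminRole -Identity $GroupName |
        Format-List Identity, SID, IsStandardRole, ConfigScopes, UserScopes
}

# Usage: user administration over the Employees OU only
New-ADGroup -Name 'ManagerEmployees' -SamAccountName 'ManagerEmployees' `
            -GroupScope Universal -GroupCategory Security `
            -Path 'OU=Groups,DC=contoso,DC=com'
New-CsScopedAdminRole -GroupName 'ManagerEmployees' -Template 'CsUserAdministrator' `
                      -UserScopes 'OU:ou=Employees,dc=contoso,dc=com'

# Usage: server administration for one site only
New-ADGroup -Name 'DublinAdmins' -SamAccountName 'DublinAdmins' `
            -GroupScope Universal -GroupCategory Security `
            -Path 'OU=Groups,DC=contoso,DC=com'
New-CsScopedAdminRole -GroupName 'DublinAdmins' -Template 'CsServerAdministrator' `
                      -ConfigScopes 'site:Dublin'
```

Keep the two scope kinds apart in your head when choosing a template: a user scope limits which user objects the user cmdlets may touch, a config scope limits which site's configuration the server cmdlets may touch, and a template whose cmdlets fall outside the scope you gave it will not become more useful by adding the other scope.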

 

At this moment, it is not possible to remove cmdlets and/or parameters when creating a custom role in Lync: a custom role always gets the complete cmdlet list of its template, and only the scope can be narrowed.

Utilities

There are utilities that help with creating custom roles in Lync; check out, for example, the free Lync RBAC Administrator tool available here:

http://lync-solutions.com/

Ilse


Comments (6)

  1. As much as I love RBAC, I think RBAC for Lync is still in its infancy. Delegating CSAdministrator for a site is just not possible. You delegate and Lync will gladly accept the command. But the administrator will not be able to do anything, i.e. create user-based policies. I have a Lync deployment spanning different countries and I found that the bulk of what I need each country to do for themselves is not possible. Only server admins allow this.

  2. Anonymous says:

    Ilse

    Further question on RBAC scoping. As we cannot delegate with the CSAdministrator role, we will need to look at performing delegations at a site and domain level.

    For user administration, how does this work for delegation of management for child domains? Can I simply use -UserScopes with the DN of the domain and not specify an OU? Or should we still restrict this at site level, and if so how will it know the users to manage?

    Basically we need to delegate management of users to child domains and server administration at a site level for sure. Or can it all be done at site level?

    thanks

    Paul

  3. Anonymous says:

    Ilse

    Is there any way to delegate permissions at a site level to one role group, which then has permissions as a whole over everything within a site? Or do we need to look at creating custom groups for all areas within a site (Server Admin, Voice Admin, User Admin, etc.) and obviously the associated USGs?

    Thanks

    Paul

  4. Paul, you could create a new Universal Security Group, then create a new role using the CsAdministrator role as a template, and scope it to a site. Thereby members of that group will have CsAdministrator rights on all objects in that site! A CsAdministrator can perform all administrative tasks and modify all settings, including creating roles and assigning users to roles. They can also expand a deployment by adding new sites, pools, and services.

    For a detailed description of the built-in roles, here's a link to the TechNet article on it:

    technet.microsoft.com/…/gg425917.aspx

    Ilse

  5. Andre says:

    Hello Ilse,

    How can I remove cmdlets? There is nothing written in your article, just the last sentence: "At this moment, it is not possible to remove cmdlets, and/or parameters when creating a custom role in Lync." OK, when is it then possible to remove/add cmdlets?

    Thanks and bye,

    André
