RBAC in Lync: Who can do What on Which Objects?

 

I love Exchange, and I was pretty impressed when I was first introduced to Role Based Access Control in Exchange, since it finally made it possible for an administrator to delegate control as one would want to delegate control.

With the release of Lync, it’s time to see how Lync embraces Role Based Access Control :-)

RBAC = Who can do What on Which Objects

Who?

In Lync, you can only assign a role to a universal security group. the role you assign to that group will be assigned to every member of that universal security group. A user does not have to be Lync-enabled in order to be able to be assigned a Lync admin role.

When you have a universal security group, which is a member of another universal security group (the so-called nesting of groups), a user who’s a member of group 1, that belongs to group 2, will get the role assigned to both groups!

What?

In Lync there are 9 built-in role, the so-called standard roles:

Get-CsAdminRole | Where {$_.IsStandardRole –eq “true” } | ft Identity

IVC-0365

To know which cmdlets belong to any of these built-in roles, you can expand the cmdlets attribute:

Get-CsAdminRole | Where {$_.IsStandardRole –eq “true” } | ft Identity,cmdlets -wrap

IVC-0366

To bypass the …, you can run the following line

Get-CsAdminRole CsUserAdministrator | Select-Object –ExpandProperty cmdlets

IVC-0367

The Glue in Lync = Name of the Role and the SamAccountName of the Universal Security Group

Whereas in Exchange 2010 we use assignments, in Lync, the glue to connect the Who can do What, we use the name of the Role and the name of the Universal Security Group, meaning that in order to assign any of the existing roles to a user, you need to add the user to the built-in Universal security groups, which by default can be found in the Users container!

IVC-0368

Creating Custom Roles

In order to create a custom role, you first need to create a universal security, and then you need to create a new CsAdminRole using the Lync server Mangement Shell and define a template CsAdminRole.

In case the universal security group doesn’t exist, you will get the following error message:

IVC-0262

On Which Objects = Scopes (Config/User)?

With Lync you can scope to Site, and to Organizational Units! Here’s an example where we delegate the role CsUserAdministrator, to the universal security group ManagerEmployees, and we scope it to the Organizational Unit Employees.

IVC-0261

In this example we create a new role DublinAdmins, based on the role CsServerAdministrator, and scope it to Site:2.

IVC-0266

 

At this moment, it is not possible to remove cmdlets, and/or parameters when creating a custom role in Lync.

Utilities

There are utilities out there that will provide help creating custom roles in Lync, check out for example the free Lync RBAC Administrator tool available here:

http://lync-solutions.com/

Ilse