RBAC in Lync: Who can do What on Which Objects?
I love Exchange, and I was pretty impressed when I was first introduced to Role Based Access Control in Exchange, since it finally made it possible for an administrator to delegate control the way one actually wants to delegate it.
With the release of Lync, it’s time to see how Lync embraces Role Based Access Control :-)
RBAC = Who can do What on Which Objects
Who?
In Lync, you can only assign a role to a universal security group. The role you assign to that group is granted to every member of that universal security group. A user does not have to be Lync-enabled in order to be assigned a Lync admin role.
When a universal security group is a member of another universal security group (the so-called nesting of groups), a user who is a member of group 1, which in turn belongs to group 2, gets the roles assigned to both groups!
What?
In Lync there are 9 built-in roles, the so-called standard roles:
Get-CsAdminRole | Where {$_.IsStandardRole -eq $true} | ft Identity
To know which cmdlets belong to any of these built-in roles, you can expand the cmdlets attribute:
Get-CsAdminRole | Where {$_.IsStandardRole -eq $true} | ft Identity,Cmdlets -Wrap
To bypass the "…" truncation in the table output and see the complete cmdlet list of one role, you can run the following line:
Get-CsAdminRole CsUserAdministrator | Select-Object -ExpandProperty Cmdlets
The Glue in Lync = Name of the Role and the SamAccountName of the Universal Security Group
Whereas Exchange 2010 uses role assignments, in Lync the glue that connects the Who to the What is simply the name of the role and the SamAccountName of the universal security group. To assign any of the existing roles to a user, you add the user to the built-in universal security group that carries the same name as the role; by default these groups can be found in the Users container!
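Because the role name doubles as the group name, auditing who actually holds a Lync admin role means walking the matching groups, nested memberships included. The following script is an added example, not part of the original post; it assumes both the Lync Server Management Shell (for Get-CsAdminRole) and the ActiveDirectory module (for Get-ADGroup and Get-ADGroupMember) are loaded on the machine where you run it.

```powershell
# Added example (not from the original post): list the effective members of every
# standard Lync admin role, following nested group membership.
Import-Module ActiveDirectory

Get-CsAdminRole | Where-Object { $_.IsStandardRole -eq $true } | ForEach-Object {
    $role = $_

    # The glue: the role's Identity is the SamAccountName of its universal security group
    $group = Get-ADGroup -Filter "SamAccountName -eq '$($role.Identity)'" -ErrorAction SilentlyContinue
    if (-not $group) {
        Write-Warning "No security group named $($role.Identity) was found"
        return   # skip to the next role
    }

    # -Recursive expands nested groups, so a user in a group that is itself a member of
    # the role's group is reported too, because that user inherits the role as well
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Role         = $role.Identity
                Member       = $_.SamAccountName
                UserScopes   = ($role.UserScopes -join ';')
                ConfigScopes = ($role.ConfigScopes -join ';')
            }
        }
} | Select-Object Role, Member, UserScopes, ConfigScopes |
    Sort-Object Role, Member | Format-Table -AutoSize
```

Run it periodically and compare the output against the last run: a new name under CsAdministrator, or a group that was quietly nested into one of the built-in groups, shows up as a new row.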
Creating Custom Roles
In order to create a custom role, you first need to create a universal security group, and then you create a new CsAdminRole with the Lync Server Management Shell, specifying an existing CsAdminRole as the template.
In case the universal security group doesn’t exist, you will get the following error message:
On Which Objects = Scopes (Config/User)?
With Lync you can scope to Site, and to Organizational Units! Here’s an example where we delegate the role CsUserAdministrator, to the universal security group ManagerEmployees, and we scope it to the Organizational Unit Employees.
In this example we create a new role DublinAdmins, based on the role CsServerAdministrator, and scope it to Site:2.
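The two delegations described above, written out as an added example (these are not the commands from the original post). It assumes the ActiveDirectory module and the Lync Server Management Shell; the OU paths and the site ID "2" are constructed placeholders, and the group names are the ones the post uses.

```powershell
# Added example (not from the original post): create two scoped custom roles.
Import-Module ActiveDirectory

# 1. The group must exist before the role is created, and it must be a *universal*
#    security group; its SamAccountName is what New-CsAdminRole matches on.
#    (OU path is a constructed placeholder.)
New-ADGroup -Name "DublinAdmins" -SamAccountName "DublinAdmins" `
            -GroupScope Universal -GroupCategory Security `
            -Path "OU=Lync Admin Groups,DC=contoso,DC=com"

# 2. A config-scoped role: copies the CsServerAdministrator cmdlet list, but the
#    holder may only touch the configuration of site 2.
New-CsAdminRole -Identity "DublinAdmins" -Template CsServerAdministrator `
                -ConfigScopes "site:2"

# 3. A user-scoped role: the CsUserAdministrator cmdlets only work against user
#    objects in the Employees OU (and its child OUs).
New-ADGroup -Name "ManagerEmployees" -SamAccountName "ManagerEmployees" `
            -GroupScope Universal -GroupCategory Security `
            -Path "OU=Lync Admin Groups,DC=contoso,DC=com"
New-CsAdminRole -Identity "ManagerEmployees" -Template CsUserAdministrator `
                -UserScopes "OU:ou=Employees,dc=contoso,dc=com"

# 4. Verify what was stored: the scopes live on the role object, and the cmdlet
#    set is identical to the template's (you cannot trim it at creation time).
Get-CsAdminRole -Identity "DublinAdmins" |
    Format-List Identity, Template, ConfigScopes, UserScopes
Get-CsAdminRole -Identity "ManagerEmployees" | Select-Object -ExpandProperty Cmdlets
```

Two things worth checking after running this: that the group really has Universal scope (a global or domain local group of the same name will not be matched), and that the scopes are actually applied, since a role with no scope at all is Global and behaves like the built-in one. Keep in mind that Lync enforces RBAC for remote administration (remote Management Shell sessions and the Control Panel); an account with local administrator rights running the Management Shell directly on a Lync server is not constrained by these roles, so the membership of the local Administrators group on the servers deserves the same scrutiny as the role groups.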
At this moment, it is not possible to remove cmdlets, and/or parameters when creating a custom role in Lync.
Utilities
There are utilities out there that help with creating custom roles in Lync; check out, for example, the free Lync RBAC Administrator tool available here:
Ilse