A closer look at RBAC in Hosting Deployment
In the last post, I gave a quick overview of RBAC, which I think is important. Those who have been working on Exchange Server 2010 for a while and already know RBAC can skip that post. If you do not know what RBAC is, I encourage you to give it a read. 🙂
Typically, in a Hosted Exchange deployment, we look at permissions and control for 4 main groups:
- The Hosters themselves
- The Resellers
- The Tenant Administrators
- The Tenant
In HMC, we achieved this by setting Active Directory Access Control Lists (ACLs) and making clever use of permission inheritance and inheritance blocking. We created groups and assigned the permissions accordingly. It is rather complex, so most of the time this remained something of a black box: not many people knew which permissions should or should not be granted.
With the introduction of RBAC, we get a much clearer picture of which group receives which permissions or roles. Let me start with the Hosters first.
When you deploy Exchange Server 2010 using the /Hosting switch, you will realize it isn't very different from an Enterprise environment. You will find a list of roles created for you by default.
To list the management roles, run the following (I am not going to list them all):
[PS] C:\> Get-ManagementRole | Select Name
Active Directory Permissions
Cmdlet Extension Agents
Database Availability Groups
As I mentioned in the previous blog post, each of these roles is associated with a list of actions the role can perform. For example, to find out what the DataCenter Operations role can do, execute the following:
[PS] C:\>Get-ManagementRole "DataCenter Operations" | Get-ManagementRoleEntry | Select Name
FYI, "DataCenter Operations" is the only role that allows you to run New-Organization, Remove-Organization and Get-Organization. What does that mean? It means that if you want to grant a user permission to create a new organization, this role needs to be assigned to that user. Or, if you are thinking about building a signup page, your app pool will need to run under a service account that has this role assigned. Again, there are tons of things here; my recommendation is to spend some time exploring each role to see what it can and can't do. You will find that you have far more flexibility than with the older approach. You will also find that understanding this is valuable when supporting the environment.
By default, the system also creates 13 role groups:
[PS] C:\>Get-RoleGroup | Select Name
View-Only Organization Management
Management Forest Operator
Management Forest Tier 1 Support
View-Only Mgmt Forest Operator
Management Forest Monitoring
I am not going to go through each of them, as I think the final documentation in the Exchange Help file will probably cover that. However, if you do have any questions, do not hesitate to let me know. From the above, I do need to mention that by default only the Organization Management role group has a member in it. That member, as you might have already guessed, is your beloved Administrator. 🙂 If you would like to add another user to manage the Exchange environment, simply add them to the Organization Management role group by issuing the following:
[PS] C:\>Add-RoleGroupMember "Organization Management" -Member Jane.Doe@Fabrikam.com
Next, let's look at Management Role Assignments; execute the following:
[PS] C:\>Get-ManagementRoleAssignment | Select Name, Role, RoleAssigneeName
You will get a list of management role assignments. You will find that most of them are assigned to Organization Management. What does that mean? It means that because your Administrator is a member of this role group, it can do almost everything.
So, out of the box, there are really no big surprises. The roles are relatively standard. My recommendation is to look at what each role can do and not take the shortcut of putting everyone on your support team into the Organization Management role group. The rule of thumb is: don't grant anything more than what the person needs to do their job.
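To put that rule of thumb into practice, here is an added audit script for the Exchange Management Shell (my example, not code from the original post or from Microsoft). It ties the cmdlets above together: it finds which roles carry an entry for a given cmdlet (New-Organization by default, the one singled out above), resolves who can effectively run it through role assignments, and lists every role group that currently has members. It assumes Get-RoleGroupMember and the -GetEffectiveUsers switch with its EffectiveUserName output property, in addition to the cmdlets shown in this post.

```powershell
# Added example (not from the original post): audit who can effectively run a
# sensitive cmdlet and which role groups currently have members.
# Run from the Exchange Management Shell on the hosting deployment.
param(
    # New-Organization is the cmdlet singled out in the post; override as needed.
    [string]$Cmdlet = "New-Organization"
)

# 1. Which management roles carry a role entry for this cmdlet?
#    The "*\Cmdlet" form matches that entry across every role.
$roles = Get-ManagementRoleEntry "*\$Cmdlet" |
    ForEach-Object { $_.Role } | Sort-Object -Unique
Write-Host "Roles that include $Cmdlet :"
$roles | ForEach-Object { Write-Host "  $_" }

# 2. Resolve each role's enabled assignments down to individual users.
#    -GetEffectiveUsers expands role-group and security-group membership and
#    reports each account in the EffectiveUserName property (assumed here).
$effective = foreach ($role in $roles) {
    Get-ManagementRoleAssignment -Role $role -GetEffectiveUsers -Enabled $true |
        Select-Object Role, RoleAssigneeName, AssignmentMethod, EffectiveUserName
}
Write-Host "`nAccounts that can effectively run $Cmdlet :"
$effective | Sort-Object EffectiveUserName -Unique | Format-Table -AutoSize

# 3. Role groups that currently have members. Out of the box only
#    Organization Management has one (the Administrator); anything else
#    should be deliberate and documented.
Write-Host "`nRole groups with members:"
Get-RoleGroup | ForEach-Object {
    $members = @(Get-RoleGroupMember -Identity $_.Identity)
    if ($members.Count -gt 0) {
        New-Object PSObject -Property @{
            RoleGroup = $_.Name
            Members   = ($members | ForEach-Object { $_.Name }) -join ", "
        }
    }
} | Format-Table RoleGroup, Members -AutoSize
```

Re-run it after every membership or assignment change; any account showing up under New-Organization that is not your provisioning service account is worth a second look.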