Exchange Server 2010 SP1 Hosting Deployment – RBAC simplified #2 – Hosters


A closer look at RBAC in Hosting Deployment

In the last post, I gave a quick overview of RBAC, which I think is important. Those who have been working on Exchange Server 2010 for a while and already know RBAC can skip that post. If you do not know what RBAC is, I encourage you to take a read. 🙂

Typically, in a Hosted Exchange deployment, we look at permissions and control for 4 main groups,

  • The Hosters themselves
  • The Resellers
  • The Tenant Administrators
  • The Tenant

In HMC, we achieved this by setting Active Directory Access Control Lists (ACLs), with clever use of permission inheritance and inheritance blocking. We created groups and assigned the permissions accordingly. It is rather complex, and hence most of the time this remained something of a black box, where not many people knew which permissions should or should not be granted.

With the introduction of RBAC, we get a much clearer understanding of which group gets what sort of permissions or roles. Let me start with the Hosters first.

Hosters

When you deploy Exchange Server 2010 Hosting Deployment using the /Hosting switch, you will realize it isn't very different from an Enterprise environment. You will find a list of roles created for you by default.

To get the management roles, run the following (I am not going to list them all),

[PS] C:\> Get-ManagementRole | Select Name

Name
----
Active Directory Permissions
Address Lists
ApplicationImpersonation
Audit Logs
Cmdlet Extension Agents
DataCenter Operations
Database Availability Groups
Database Copies
Databases
...

Like I mentioned in the previous blog post, each of these roles is associated with a list of actions the role can perform. For example, DataCenter Operations: if you need to find out what this role can do, execute the following,

[PS] C:\>Get-ManagementRole "DataCenter Operations" | Get-ManagementRoleEntry | Select Name

Name                                                                                                                  
----                                                                                                                  
New-DistributionGroup                                                                                                 
New-MailContact                                                                                                       
Remove-StoreMailbox                                                                                                   
New-Mailbox                                                                                                           
Update-ServicePlan                                                                                                    
New-DynamicDistributionGroup                                                                                          
Write-AdminAuditLog                                                                                                   
Start-OrganizationUpgrade                                                                                             
Remove-Organization                                                                                                   
New-Organization                                                                                                      
Get-Organization                                                                                                      
Get-MsoFullSyncOrganization                                                                                           
Get-DomainController                                                                                                  
Export-AutoDiscoverConfig                                                                                             
Complete-OrganizationUpgrade                                                                                           

FYI: "DataCenter Operations" is the only role that allows you to run New-Organization, Remove-Organization and Get-Organization. What does that mean? It means that if you want to grant a user permission to create a new organization, this role needs to be assigned to that user. Or, if you are thinking about creating a signup page, your app pool will need to run under a service account that has this role assigned. Again, there are tons of things here; my recommendation is to spend some time exploring each role to see what it can and can't do. You will find that you have huge flexibility compared to the older ways, and you will also find that understanding this is valuable in supporting the environment.
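As an added example (not from the original post), here is how a hoster might give a signup page's service account the New-Organization permission without dropping it into Organization Management. It goes one step beyond the text by deriving a child role from DataCenter Operations and trimming the entries a signup page does not need; the service account svc-signup@fabrikam.com and the role name "Tenant Signup" are assumptions.

```powershell
# Added example; assumes the Exchange Management Shell on an Exchange 2010 SP1
# /Hosting install, and an existing service account svc-signup@fabrikam.com
# (hypothetical) that the signup site's app pool runs under.
$ServiceAccount = "svc-signup@fabrikam.com"
$RoleName       = "Tenant Signup"   # assumed name for the custom child role

# 1. Derive a child role from the only built-in role that carries
#    New-Organization. A child role starts with all of its parent's entries.
New-ManagementRole -Name $RoleName -Parent "DataCenter Operations"

# 2. Strip the entries a signup page has no business running. Entries can
#    only be removed from a child role, never added beyond its parent, so
#    the result is a strict subset of DataCenter Operations.
"Remove-Organization", "Remove-StoreMailbox",
"Start-OrganizationUpgrade", "Complete-OrganizationUpgrade" |
    ForEach-Object {
        Remove-ManagementRoleEntry "$RoleName\$_" -Confirm:$false
    }

# 3. Assign the trimmed role directly to the service account instead of
#    adding it to a role group that carries far more.
New-ManagementRoleAssignment -Name "$RoleName-Signup" `
    -Role $RoleName -User $ServiceAccount

# 4. Verify: the account's only assignment is this role, and the role still
#    contains New-Organization but no longer contains Remove-Organization.
Get-ManagementRoleAssignment -RoleAssignee $ServiceAccount |
    Select-Object Name, Role, RoleAssigneeName

$entries = @(Get-ManagementRoleEntry "$RoleName\*" |
    Select-Object -ExpandProperty Name)
if ($entries -contains "New-Organization" -and
    $entries -notcontains "Remove-Organization") {
    "$RoleName is scoped as intended"
}
```

Whoever runs this needs a role assignment that includes New-ManagementRole and New-ManagementRoleAssignment themselves, which out of the box means a member of Organization Management.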

By default, the system will also create 13 role groups, they are,

[PS] C:\>Get-RoleGroup | Select Name

Name                                                                                                                  
----                                                                                                                  
Delegated Setup
Organization Management
Recipient Management
View-Only Organization Management
Help Desk
Records Management 
Discovery Management
Server Management
Hygiene Management 
Management Forest Operator
Management Forest Tier 1 Support
View-Only Mgmt Forest Operator
Management Forest Monitoring

I am not going to go through each of them, as I think the final documentation in the Exchange Help file will probably cover that. However, if you do have any question, do not hesitate to let me know. From the above, I do need to mention that by default only the Organization Management role group has a member in it. The member, as you might have already guessed, is your beloved Administrator. 🙂 If you would like to add another user to manage the Exchange environment, simply add that user to the Organization Management role group by issuing the following,

[PS] C:\>Add-RoleGroupMember "Organization Management" -Member Jane.Doe@Fabrikam.com

Next, let's look at Management Role Assignment, execute the following,

[PS] C:\>Get-ManagementRoleAssignment | Select Name, Role, RoleAssigneeName

You will get a list of management role assignments. You will find that most of them are assigned to Organization Management. What does that mean? It means that, because your Administrator is a member of this role group, it can do almost everything.

So, out of the box, there are really no big surprises. The roles are relatively standard. My recommendation is to look at what each role can do, and don't take the shortcut of adding everyone in your support team to the Organization Management role group. The rule of thumb is: don't give anyone more than what that person needs to do their job.
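To act on that rule of thumb, here is an added audit snippet (not from the original post) that lists who sits in Organization Management, counts the distinct cmdlets that group can run, and shows which cmdlets it holds beyond a narrower built-in group such as Recipient Management. It assumes the Exchange Management Shell on an Exchange 2010 SP1 /Hosting install and only reads configuration.

```powershell
# Added example; assumes the Exchange Management Shell on an Exchange 2010 SP1
# /Hosting install. Nothing here changes configuration; it only reads it.

# Every cmdlet name reachable through the role assignments of one assignee
# (a role group, or a user with direct assignments).
function Get-AssigneeCmdlet {
    param([Parameter(Mandatory = $true)][string]$Assignee)
    Get-ManagementRoleAssignment -RoleAssignee $Assignee |
        ForEach-Object { Get-ManagementRoleEntry "$($_.Role)\*" } |
        Select-Object -ExpandProperty Name -Unique |
        Sort-Object
}

# 1. Who is in Organization Management today? Out of the box it should be
#    the Administrator account only; anything else deserves a second look.
$orgAdmins = @(Get-RoleGroupMember "Organization Management")
"Organization Management members: $($orgAdmins.Count)"
$orgAdmins | Format-Table Name, RecipientType -AutoSize

# 2. How wide is that grant? Count the distinct cmdlets the group can run.
$orgCmdlets = @(Get-AssigneeCmdlet -Assignee "Organization Management")
"Organization Management can run $($orgCmdlets.Count) distinct cmdlets"

# 3. Compare against a narrower built-in group a help-desk person might
#    actually need. Anything only on the reference side is privilege that
#    an Organization Management member holds beyond Recipient Management.
$recipCmdlets = @(Get-AssigneeCmdlet -Assignee "Recipient Management")
$extra = @(Compare-Object -ReferenceObject $orgCmdlets `
                          -DifferenceObject $recipCmdlets |
    Where-Object { $_.SideIndicator -eq "<=" } |
    Select-Object -ExpandProperty InputObject)

"Cmdlets Organization Management has beyond Recipient Management: $($extra.Count)"
# Highlight the ones that matter most in a hosting environment: anything
# destructive, and anything that touches whole tenant organizations.
$extra | Where-Object { $_ -like "Remove-*" -or $_ -like "*-Organization" }
```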

Cheers.

Read More on this RBAC Series.

Read all other Exchange Server 2010 SP1 Hosting Deployment blog posts.

Comments (1)
  1. aw says:

    Hi, I just want to tell you that I am just very new to blogs and seriously loved this website. More than likely I'm planning to bookmark your blog post.
    You amazingly come with really good posts. Thanks a lot for sharing your blog Microsoft.


Comments are closed.
