Here we are going to see how to create a custom RBAC permission. Before that let’s see what is RBAC.

Role Based Access Control (RBAC) is the new permissions model in Microsoft Exchange Server 2010.

RBAC enables you to control, at both broad and granular levels, what administrators and end-users can do. RBAC also enables you to more closely align the roles you assign users and administrators to the actual roles they hold within your organization. In Exchange 2007, the server permissions model applied only to the administrators who managed the Exchange 2007 infrastructure. In Exchange 2010, RBAC now controls both the administrative tasks that can be performed and the extent to which users can now administer their own mailbox and distribution groups.

Role groups consist of the following components that define what administrators and specialist users can do:

  • Management role group:  The management role group is a special universal security group (USG) that contains mailboxes, users, USGs, and other role groups that are members of the role group. This is where you add and remove members, and it’s also what management roles are assigned to. The combination of all the roles on a role group defines everything that users added to a role group can manage in the Exchange organization.
  • Management role:   A management role is a container for a grouping of management role entries. Roles are used to define the specific tasks that can be performed by the members of a role group that’s assigned the role. A management role entry is a cmdlet, script, or special permission that enables each specific task in a role to be performed.
  • Management role assignment:   A management role assignment links a role and a role group. Assigning a role to a role group grants members of the role group the ability to use the cmdlets and parameters defined in the role. Role assignments can use management scopes to control where the assignment can be used.
  • Management role scope:   A management role scope is the scope of influence or impact on a role assignment. When a role is assigned with a scope to a role group, the management scope targets specifically what objects that assignment is allowed to manage. The assignment, and its scope, are then given to the members of the role group, and restrict what those members can manage. A scope can consist of a list of servers or databases, organizational units (OUs), or filters on server, database or recipient objects.

Understanding RBAC better click here

Here is our scenario:

Our help desk user (HAdmin01) wants to have below permissions:

  • Deal with Public Folders except removing the PF
  • Move the mailboxes
  • Manage Distribution Group except removing the Distribution Group
  1. To achieve this we are going to create a three new Management Role Groups using below parent Management Role.
  • Public Folder
  • Move Mailboxes
  • Distribution Group

2. Create a new Role Group and merge above roles into it.
3. Add user (HAdmin01) into the Role Group

1. Creating Management Role (what):

For Public Folder:

New-ManagementRole –Name “Helpdesk PF” –Parent “Public Folders”

This would bring all the entries from the parent management role as we see in the below picture, but in our case user should not be having permission to remove a public folder.

Use below command to remove the Remove-Public Folder entry:

Remove-ManagementRoleEntry “Helpdesk PF\Remove-PublicFolder”

The remove public folder entry has been successfully removed from the “Helpdesk PF” management role which will not be able to perform by a user any more.

After removing the entry:

For Move Mailbox:

New-ManagementRole –Name “Helpdesk Move” –Parent “Move Mailboxes”

Move Mailbox Entries:

Since we want helpdesk user to have full control of move mailboxes, not removing anything from it.

For Distribution Group:

New-ManagementRole –Name “Helpdesk DG” –Parent “Distribution Groups”

Helpdesk DG Entries:

This would bring all the entries from the parent management role as we see in the below picture, but in our case user should not be having permission to remove distribution group.

Use below command to remove the Remove-DistributionGroup entry:

Remove-ManagemetnRoleEntry “Helpdesk DG\Remove-DistributionGroup”

The remove distribution group entry has been successfully removed from the “Helpdesk DG” management role which will not be able to perform by a user any more.

After removing the entry:

We have successfully created all the Management Roles based on our requirement. Now we have to create a new Role Group and merge these management roles into it.

2. Creating Role Group (who):

I’m going to call a new role group as Helpdesk.

New-RoleGroup –Name Helpdesk –Roles “Helpdesk PF”, “Helpdesk Move”, “Helpdesk DG” –RecipientOrganizationalUnitScope “Mylab01.com”

RecipientOrganizationalUnitScope : Limitations of users

3. Add Helpdesk user into Role Group:

Here we can add multiple users as well.

Role Assignments:

Get-RoleAssignments will list our newly created roles.

Here we can see the scope of the “Helpdesk PF-Helpdesk”

Successfully we have done this scenario. Let’s see the output.

Already I’ve logged into the server using HAdmin01 account.

EMC Differences between Administrator and HAdmin01:

Immediately opened the console I could see some major differences like Server configuration is missing, action items are missing and do not have permission to deal with databases.

You can see them below:

I hope you could have figured out which is belongs to HAdmin01. Yes that’s right the above one.

Move Mailbox Output:

There is no restriction with the move request.

We always used to give a try which we are not allowed to do right 😉
what will happen if he tries.

You can see the result above.

Public Folder output:

User can’t remove a public folder at any cost as you can see it will throw an error if he tries to do it.

Distribution Group Output:

User can’t remove a distribution group at any cost as you can see it will through an error if he tries to do it.

That’s all we have asked to do so. In case in future if someone joins in help desk we can add them into this role group which will provide the same permission level of HAdmin01.

I hope you would have enjoyed reading this!!!