Exchange Server 2010 uses the new Role Based Access Control (RBAC) permissions model on the Mailbox, Hub Transport, Unified Messaging, and Client Access server roles. At first glance, RBAC may seem very similar to the Exchange Server 2007 server permissions model, but it actually allows for much greater flexibility.
Using RBAC allows you to easily control what your administrators and users can (and cannot) access. Rather than applying permissions directly to user accounts, the permissions are applied to the role. Members are added to a particular role when they need a particular level of permissions.
In addition, role assignments can be “scoped” to include only specific resources within the organization. The role (and the permissions associated with it) allows certain tasks to be accomplished, while the role scope determines what resources can be administered.
The RBAC model consists of:

Management Role— A container for grouping management role entries.

Management Role Entries— A cmdlet (including parameters) that is added to a management role. This process grants rights to manage or view the objects associated with that cmdlet.

Management Role Assignment— The assignment of a management role to a particular user or a universal security group. This grants the user (or the members of the security group) the ability to perform the management role entries in the management role that they are assigned to.

Management Role Scope— Used to target the specific object or objects that the management role assignment is allowed to control. A management role scope can include servers, organizational units, filters on server or recipient objects, and more.
As described by Microsoft, this process allows complete control of the who (management role assignment), the what (management role and management role entries), and the where (management role scope) in the security model.
Role Based Access Control is not used on Edge Transport servers, as these servers are designed to sit outside the domain.
Exchange Server 2010 provides several built-in management roles that cannot be modified; the management role entries configured on them cannot be changed either. However, the scope of the built-in management roles can be modified.
The following built-in management roles are included by default in Exchange Server 2010:

Organization Management— Administrators assigned to this role have administrative access to the entire Exchange Server 2010 organization, and can perform almost any task against any Exchange Server 2010 object. Even if a task can only be completed by another role, members of the Organization Management role have the ability to add themselves to any other role.

As this role is very powerful, it is recommended that it only be assigned to users who are responsible for organizational-level administration. Changes made by this role can potentially impact the entire Exchange organization.
View Only Organization Management— This role is the equivalent of the Exchange View-Only Administrator role in Exchange Server 2007. Members of this role can view the properties of any object in the Exchange organization, but cannot modify the properties of any object.

Useful for personnel who need to be able to view the configuration of objects within the environment, but who do not need the ability to add new or modify existing objects.
Recipient Management— Administrators assigned to this role have the ability to create, modify, or delete Exchange Server 2010 recipients within the organization.
Records Management— Administrators assigned to this role have the ability to configure compliance features, including transport rules, message classifications, retention policy tags, and others.

Often assigned to administrators or members of an organization’s legal department who need the ability to view and modify compliance features in an organization.
GAL Synchronization Management— Administrators assigned to this role have the ability to configure global address list (GAL) synchronization between organizations.
Other built-in management roles include the Unified Messaging Management, Unified Messaging Recipient Management, Unified Messaging Prompt Management, and Discovery Management roles.
Note

Membership in the Organization Management role should be limited to personnel who have advanced knowledge of the Exchange Server operating system and your particular network environment.
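The who/what/where model described above and the note on limiting Organization Management membership, worked through in the Exchange Management Shell as an added example (this is not code from the book): it audits who effectively holds Organization Management, lists the cmdlets a built-in role grants, and replaces an organization-wide assignment with one scoped to a single department. The group name "Sales Help Desk", the scope name "Sales Recipients", and the Department filter value are assumed placeholders.

```powershell
# Added example (not from the book). Run in the Exchange Management Shell on
# an Exchange Server 2010 server. Group, scope and filter values below are
# assumed placeholders for illustration.

# --- Audit the "who": who effectively holds Organization Management --------
# Members of this role group can add themselves to any other role, so review
# membership regularly. Direct members first:
Get-RoleGroupMember -Identity "Organization Management" |
    Select-Object Name, RecipientType

# Then every assignment that flows to the group, with nested security-group
# membership expanded so no effective member hides behind a group.
Get-ManagementRoleAssignment -RoleAssignee "Organization Management" -GetEffectiveUsers |
    Select-Object Role, EffectiveUserName, RecipientWriteScope

# --- Inspect the "what": the role entries behind a built-in role -----------
# "Mail Recipients" is one of the management roles assigned to the Recipient
# Management role group; each entry is a cmdlet plus its permitted parameters.
Get-RoleGroup -Identity "Recipient Management" | Select-Object -ExpandProperty Roles
Get-ManagementRoleEntry -Identity "Mail Recipients\*-Mailbox" |
    Select-Object Name, Parameters

# --- Constrain the "where": a scoped, least-privilege assignment -----------
# Instead of adding help-desk staff to Recipient Management (organization-wide
# write access), assign the Mail Recipients role to a dedicated group and
# limit its write scope to recipients whose Department attribute is "Sales".
New-ManagementScope -Name "Sales Recipients" `
    -RecipientRestrictionFilter "Department -eq 'Sales'"

New-ManagementRoleAssignment -Name "Mail Recipients-Sales Help Desk" `
    -Role "Mail Recipients" `
    -SecurityGroup "Sales Help Desk" `
    -CustomRecipientWriteScope "Sales Recipients"

# Verify: the assignment's write scope must reference the custom scope rather
# than the default organization-wide scope before the group is populated.
Get-ManagementRoleAssignment -Identity "Mail Recipients-Sales Help Desk" |
    Format-List Role, RoleAssignee, RecipientWriteScope, CustomRecipientWriteScope
```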