Roles Based Access Control – Part 2

In Part 1, we looked at the basics of Roles Based Access Control to understand how Exchange admin permissions are applied to user accounts. In this post, we’ll look at creating custom role groups to apply permissions as we see fit.

The simplest case is to create a new role group and apply an existing management role to it:
[PS] C:\>New-RoleGroup "DLAdmin_TestGroup" -Roles "Distribution Groups"

Users can now be assigned to the newly created group and when those users log in to the EMC, they will only be able to see what they have been given permission to:

We can see that the user has been granted permission to completely manage distribution lists. Because the user may need to view mailbox data, they can view, but not edit, delete, or create new mailboxes. Lets look at options for limiting permissions even further.

To this point, we’ve assumed that all permissions included in the Distribution Groups management role were appropriate. However, there could be a situation where we want to limit permissions further. In this case, we would have to create a custom management role. In my opinion, the easiest way to accomplish this is to copy an existing management role and then remove the role entries that aren’t needed.

To create a new management role from the existing Distribution Groups role, we can run the following command:
[PS] C:\>New-ManagementRole -Parent "Distribution Groups" -Name "CUSTOM - Distribution Group" -Description "Custom rule to limit default distribution group permissions."
Using the  Get-ManagementRoleEntry cmdlet from part 1, we are able to see that it contains all the role entries of Distribution Groups. We can now remove any unwanted role entries from the custom role using the following command:
[PS] C:\>Get-ManagementRoleEntry "CUSTOM - Distribution Group\*" | where {$_.Name -like "Remove-*"} | Remove-ManagementRoleEntry

We can adjust the where statement to meet our desired needs. In our example, we are removing all the ‘remove-*’ role entries to prevent our users from being able to delete any DLs.

We can now add the management role to the role group. We can do this while creating the role group like above, but if the group has already been created, we’ll need to run a different command to assign the custom role to an existing group:
[PS] C:\>New-ManagementRoleAssignment -SecurityGroup "DLAdmin_TestGroup" -Role "CUSTOM - Distribution Group"

Additionally, we can limit permissions is by utilizing the write scope. Write scope allows us to lock down effective permissions to specific locations or objects. In the EAC, browse to Permissions and admin roles and then select the desired group and choose edit. We can see that Write Scope is an option and can either select a custom policy (more on that later) or provide an OU. In our example, we want to limit the admin abilities to our Distribution Lists OU. Enter the OU location and select Save.

To configure the write scope to an OU using PowerShell, we can run the following in the EMS:
[PS] C:\>Get-ManagementRoleAssignment -RoleAssignee "DLAdmin_TestGroup" | Set-ManagementRoleAssignment -RecipientOrganizationalUnitScope "ehloexchange.net/Distribution Lists"

A custom write scope will be necessary if we want to limit permissions based on something besides an individual OU. Custom write scopes, give us a really powerful method to configure effective permissions. The New-ManagementScope cmdlet, allows us to create a filter statements to specify almost any recipient property, database, or server object to ensure users can only manage what we want them to at a very granular level.

To continue with our example, we want to create a custom management scope to apply to several OUs. We can configure a custom write scope to do this using the following command:
[PS] C:/>New-ManagementScope -Name “Custom_WriteScope” -RecipientRestrictionFilter {(DistinguishedName -Like “*,ou=Distribution Lists,dc=ehloexchange,dc=net”) -or (Distinguishedname -Like “*,ou=PlanetExpressDL,dc=ehloexchange,dc=net”) -or (DistinguishedName -Like “*,ou=GlobalDynamicsDL,dc=ehloexchange,dc=net”)}

The newly created write scope will show up as an option in the dropdown menu under Write scope in the EAS.

To assign the custom write scope using PowerShell, use the following command from the EMS:
[PS] C:\>Get-ManagementRoleAssignment -RoleAssignee "DLAdmin_TestGroup" | Set-ManagementRoleAssignment -CustomRecipientWriteScope "Custom_WriteScope"