Role Based Access Control in Exchange 2013
Role Based Access Control model (RBAC) was introduced in Exchange server 2010 as a permission model where administrator doesn’t require modifying and managing the access control list (ACLs) with ADUC like in legacy versions.
In 2013, RBAC allows us to control both administrator and end users tasks. Using RBAC we can assign the roles to administrators and users, depending on the roles they hold in the organization.
RBAC has two primary and one advanced method to assign the permissions as below:
- Management Role groups
- Management Role Assignment Policies
- Direct User Role assignment
Management Role Groups:
Management Role Group is a Universal Security group used in RBAC permission model to assign the major administrative rights to Administrators and specialist users such as organization management, recipient management etc in exchange 2013.
Components of Role Groups which defines what Administrator/specialist users can do:
- Management Role Group: This is a Special USG where we can add/remove members. And we can assign the roles on it.
- Management Role: This is a container of the management Role entries which defines the task.
- Management Role Assignment: This is a link between management role and assignee.
- Management Role Scope: Defines the scope of impact of a management role in a role assignment.
Management Role Assignment Policies:
Management Role Assignment Policies are related to end user permissions. This includes what an end user can do with their mailbox, distribution list, setup voice mail, configure inbox rules etc. Every user in Exchange 2013 including Administrator assigned with a default Role assignment Policy. We can modify the default Role assignment policies and decide what it should include and whom to assign.
Direct User Role Assignment:
Direct User Role assignment is an advanced, where in we can assign the management roles directly to a user or USG without using Role groups or Role assignment policies. This is little complex as we need to assign this individually.
Exchange 2013 includes approximately 86 roles that you can use to grant permissions. Refer http://technet.microsoft.com/en-IN/library/dd638077(v=exchg.150).aspx to find the list of built in roles.
We will see how Create role groups in Exchange 2013:
Open EACàPermissionsàAdmin RolesàClick on + and select New
Provide the Name, Roles that group members can handle and members for the group and finish.
We will see how to create the Management Role Assignment Policies in Exchange 2013:
Open EACàPermissionsàUser RolesàClick on + and select New
Provide the Name, description and we can select what are the permission needs to be provided to the end users by selecting the available options as below and Save:
Microsoft MVP | Exchange Server