New Exchange 2010 Permissions: Role-Based Access Control

The latest release of Microsoft Exchange comes packed with a laundry list of new and updated features. These updates are aimed at simplifying the administrative headaches for those faced with the arduous task of managing corporate networks worldwide.

One of the most difficult exercises is managing permissions or access control — deciding who has access to what resources on the network.

Microsoft Exchange Server 2007 used the ACL model which was admittedly a bit limited. Exchange 2010 introduced the new Role Based Access Control (RBAC). This welcome change provides administrators with more flexibility — allowing you to define broad categories of permissions or narrow the scope as much as you want.

With Exchange 2000 and 2003, permissions were assigned via the Delegation Wizard that was found in the Exchange System Manager console. This wizard allowed the administrator to assign a user one of three roles: Exchange View-Only Administrator, Exchange Administrator and Exchange Full Administrator roles.

Exchange Server 2010The problem with this approach was that it provided a kind of blanket access to all servers designated by that role, and didn’t have the ability to assign rights to specific servers.

Things improved some with Exchange 2007, bringing the addition of three new administrator roles:

  • Exchange Organization Administrator
  • Exchange Recipient Administrator
  • Exchange Server Administrator

The Exchange View-Only Administrators role also remained from previous versions, giving administrators read-only access to the entire Exchange organization.

The biggest change in Exchange 2010 is that roles are defined for job responsibilities rather than individual users (for example, messaging administrator, help desk, compliance officer). Then an entry is created that outlines what each role can do. Finally, scopes are established that determine which objects each role can perform actions on. Members are then added to a role based on their access requirements.

Small or medium sized businesses may see less value in this change, as they may only have a few administrators to begin with. But as end users are given more responsibility, RBAC can still help with simplifying access controls.

Exchange 2010 RBAC: The New Permissions Model

Role Based Access Control will require a bit of up-front planning. Since rights are assigned based on the role, more thought will have to go into what the access requirements are for a particular job function.

There are three ways that permissions can be assigned with RBAC:

  • Management role groups
  • Management role assignment policies
  • Direct user role assignment
New Exchange 2010 Permissions: Role-Based Access Control

Exchange 2010 RBAC. Image courtesy of Microsoft TechNet.

Management role groups and management role assignment policies, are the primary assignment methods. Direct role assignment is an advanced method that lets you assign management roles directly to a user. Microsoft doesn’t recommend this method, but the option is provided for special cases where you need to provide a set of permissions to one user.

Both role group and assignment policies are assigned management roles. Management roles control access to the cmdlets (or programs) and parameters required to perform a task. So if a cmdlet exists for a management role, and that role is assigned to a role group, the members of that group can access and execute that cmdlet.

Management Role Groups in Depth

There are 11 default management role groups that are created during the Exchange 2010 setup process. These role groups are visible in the Microsoft Exchange Security Groups Organizational Unit (OU) that is created in the root domain during the Exchange setup process. The groups are included below:

Built-in role groups:

Role Group Description
Organization Management Administrators who are members of the Organization Management role group have administrative access to the entire Exchange 2010 organization and can perform almost any task against any Exchange 2010 object.
View-Only Organization Management Administrators who are members of the View Only Organization Management role group can view the properties of any object in the Exchange organization.
Recipient Management Administrators who are members of the Recipient Management role group have administrative access to create or modify Exchange 2010 recipients within the Exchange 2010 organization.
UM Management Administrators who are members of the UM Management role group can manage the Unified Messaging (UM) features in the Exchange organization such as Unified Messaging server configuration, UM properties on mailboxes, UM prompts, and UM auto attendant configuration.
Discovery Management Administrators or users who are members of the Discovery Management role group can perform searches of mailboxes in the Exchange organization for data that meets specific criteria.
Records Management Users who are members of the Records Management role group can configure compliance features, such as retention policy tags, message classifications, transport rules, and more.
Server Management Administrators who are members of the Server Management role group have administrative access to Exchange 2010 server configuration. They don’t have access to administer Exchange 2010 recipient configuration.
Help Desk Users who are members of the Help Desk role group can perform limited recipient management of Exchange 2010 recipients.
Hygiene Management Administrators who are members of the Hygiene Management role group can configure the antivirus and anti-spam features of Exchange 2010. Third-party programs that integrate with Exchange 2010 can add service accounts to this role group to grant those programs access to the cmdlets required to retrieve and configure the Exchange configuration.
Public Folder Management Administrators who are members of the Public Folder Management role group can manage public folders and databases on Exchange 2010 servers.
Delegated Setup Administrators who are members of the Delegated Setup role group can deploy previously provisioned Exchange 2010 servers.

Where to Go from Here

This overview should provided you with the basis for understanding the changes in permissions assignment introduced by MS Exchange Server 2010. But for more detailed information, visit Microsoft Technet’s page on Understanding Role Based Access Control.

Ready to test your skills in Exchange 2010? See how they stack up with this assessment from Smarterer, the newest addition to the Pluralsight family. Start this Exchange 2010 test now

Comments