Saturday, June 19, 2010

Exchange 2010 Role Based Access Control

In previous versions of Exchange such as 2000/2003 and 2007 the permissions were all done using ACLs (Access Control Lists). ACL's create many challenges when modifying permissions on mailboxes and active directory attributes especially when upgrading exchange versions, you need to ensure ACL modifications are maintained. Also troubleshooting problems that occurred due to ACLs being used in a nonstandard way can be very time consuming. Large enterprise companies needed to modify ACL's to keep their delegation of administrative structure in place.

In Exchange 2010 the Microsoft Exchange Team has completely changed the way the permission structure works. We now have whats called RBAC (Role Based Access Control). RBAC enables you to more closely align the roles you assign to users and administrators to the actual roles they hold within your organization without having to modify ACL's!

There are 7 core components you need to understand in RBAC:
- Management Role Groups
- Management Roles
- Management Role Entries
- Management Role Assignments
- Management Role Scopes
- Management Role Assignment Policies
- Direct User Role Assignment

Management Role Groups

Management role groups associate management roles with groups of administrators or specialist users. There are pre-defined Management role groups that come with Exchange 2010, and ones you can create yourselves. An example of a management role group is the Discovery Management RBAC role group, one that is used to grant users the ability to use the Multi-Mailbox Search feature.

Management role groups are actually "Special Universal Security Groups (USG)". They can contain many different types of nested objects such as:
- Users
- Mailboxes
- USGs
- Other Role Groups

Management Roles

Management roles are used to define a list of tasks that can be performed. Tasks can include things like powershell cmdlets, scripts, or special permissions that enable a specific task to be performed.

Management roles can be be used by multiple management role groups through the use of management role assignments.

Management Role Entries

Management Role Entries are individual entries on a management role that determine what cmdlets and parameters are available to the management role. Each role entry consists of only a single cmdlet (and associated parameters), script or special permission enabled to perform a specific task.

There are loads of pre-made management role entries with Exchange 2010 such as:
- MyBaseOptions
- MyContactInformation
- MyVoiceMail
- MyRetentionPolicies
- ResetPassword

The list goes on for ages... these are the default ones for the default Management Role Assignment Policy which you will read about below.

When creating a management role you select a whole bunch of management role entries.

Management Role Assignments

Management Role Assignments are the things that link the roles to the groups. By Assigning a role to a role group, this grants members of the role group the ability to use the cmdlets and parameters defined in the role.

Management Role Assignments are linked directly to the roles.

Assignments <--linked--> Roles

Role Assignments can also be linked directly to user accounts, they do not always have to be linked to a Management Role Group.

A role assignee is a role group, role assignment policy, a user, or a universal security group (USG). Management Role Assignment objects contain one or more of these role assignees.

By default only the Organization Management role group has the ability to assign roles and other role assignees. Only the user that installed Exchange 2010 is a member of the Organization Management role group by default. You can, however, add other users to this role group as needed, or create other role groups and assign delegate role assignment to those groups. I recommend adding in Domain Admins into the Organization Management role group for each domain in your forest. Delegating role assignments enables role assignees to delegate management roles to other role assignees.

Management Role Scopes

Management Role Scopes limit what parts of the of an exchange organisation can be managed by management role assignment. For example you may only want a role group to administer group memberships of a bunch of distribution groups in a particular organisational unit in a certain domain, instead of allowing them the ability to administer permissions on every distribution group in a forest. Also you may only want some users to be able to delete and create mailboxes on a particular server, or a particular DAG. Scopes can consist of things such as servers, organisational units, and filters on active directory objects.

Note: Management Role Scopes are linked to the Management Role Assignments!

Management Role Assignment Policies

Management Role Assignment Policies are collections of one or more end-user management roles that enables end users to manage their own mailbox and distribution group configuration. Role assignment policies enable you to control which specific mailbox and distribution group configuration settings your end users can modify. Different groups of users can have different role assignment policies specialized to them. The default role assignment policy that comes with Exchange 2010 allows users to configure their voice mail, setup retention policies, reset their password and change their address information. However you may want to extend this, for example you may want users by default to be able to send SMS text messages.

Role Assignment Policies need to be linked to Role Assignments.

Management Role <--linked--> Management Role Assignment <--linked--> Management Role Assignment Policy

What a role assignment policy does is automatically assign role assignments (which are then linked to management roles) to users mailboxes upon creation. Think of "Email Address Policies", they automatically set the user up with a standard email address upon creation. If you want to change your users email address convention across the board, you can simply modify your email address policy. You can also have multiple email address policies linking to different user's with different needs by using filters. Same thing applies with management role assignment policies! You can also prevent any role assignment policies from being assigned whenever creating a mailbox - something I do not recommend as it will increase the amount of administration and leave room for error when setting up new users.

If you want to change what roles are assigned to role assignment policies, you need to change the role assignments that link the role assignment policy to the roles. Unless the assignments built into Exchange 2010 don't suit your needs, you won't have to change these assignments.

As mentioned earlier, with management role assignment policies they only provide configuration settings for users to be able to modify their own exchange specific attributes for example items on their mailbox. Because of this, you may have guessed when creating a role assignment between a role assignment policy and a management role, you cannot specify a scope! A predefined scope ACL is set, either "SELF" or "MYGAL" depending on the particular management role its applying to.

There are two types of role assignment policies in Exchange 2010:
- Default Role Assignment Policy
- Explicit Role Assignment Policy

Default Role Assignment Policy

A default role assignment policy is the one automatically assigned to a mailbox when it is created or moved to a server running Exchange 2010, and the role assignment policy awasnt provided using the RoleAssignmentPolicy parameter on the New-Mailbox or Enable-Mailbox cmdlets.

Exchange 2010 includes a default role assignment policy that provides end users with the permissions most commonly used. You can change the default permissions on the default role assignment policy by adding and removing management roles to or from it.

If you want to replace the built-in default role assignment policy with your own default role assignment policy, you can use the Set-RoleAssignmentPolicy cmdlet to select the new default. When you do this, any new mailboxes are assigned to the role assignment policy you specified by default if you don't explicitly specify a role assignment policy.

When you change the default role assignment policy, mailboxes assigned the default role assignment policy aren't automatically assigned the new default role assignment policy. If you want to update previously created mailboxes to use the role assignment policy you've set as default, you must use the Set-Mailbox cmdlet to do so. You can always pipe to do all of them, eg Get-Mailbox Set-Mailbox.

Explicit Role Assignment Policy

An explicit role assignment policy is a policy that you assign to a mailbox manually using the RoleAssignmentPolicy parameter on the New-Mailbox, Set-Mailbox or Enable-Mailbox cmdlets. When you assign an explicit role assignment policy, the new policy takes effect immediately and replaces any previously assigned explicit role assignment policies.

Direct User Role Assignment

Direct user role is an advanced method for assigning management roles directly to a user or universal security group (USG) without using a role group or role assignment policy. Direct role assignments can be useful when you need to provide a granular set of permissions to a specific user and no other.

Using direct role assignments will significantly increase the complexity of your security model. If a user changes jobs or leaves the company, you will need to manually remove the assignments and add them to the new employee. I strongly recommend you never use Direct User Role Assignment and you always go down the path of management role groups and management role assignments. I really don't know why the Microsoft Exchange Team included this feature - maybe for Small Business, but I can see it causing complications in the enterprise organisations!

Role Based Access Control Diagram

I put together a diagram illustrating how it the components fit together. Please not that this diagram does not depict direct user role assignment.

Role Based Access Control Summary

Some key points I want you to take away with you from this:

- One or more administrators/users can be a member of a role group.

- One administrator/user can be a member of more then one role group.

- The role group is assigned one or more role assignments. These link the role group with one or more administrative roles that define what tasks can be performed.

- The role assignments can contain management scopes that define where the users of the role groups can perform actions. The scope determines where the users of the role group can modify configuration.

- One or more users can be associated with a role assignment policy.

- A role assignment policy is assigned to one or more role assignments. These link the role assignment policies with one or more end-user roles. The end-user roles define what the user can configure on his or her mailbox.

- The role assignments between role assignment policies and roles have built-in scopes that restrict the scope of assignments to the user's own mailbox or distribution groups.

- A role assignment can be created directly between a user or USG and one or more roles. The role defines what tasks the user or USG can perform. The role assignment can contain management scopes that define where the user or USG can perform actions. The scopes determine where the user or USG can modify configuration.

- Role assignment policies can't be assigned delegated role assignments.

No comments:

Post a Comment