Exchange Server 2007 access control lists posed real challenges to administrators. They had to keep track of ACL content, make changes to permissions and troubleshoot ACL problems. Fortunately, awkward and unreliable ACLs have been replaced in Exchange Server 2010 by a new permissions model called role based access control.
With role based access control (RBAC), Exchange administrators can exercise granular control over the rights and abilities assigned to end users and fellow administrators. Let’s take a closer look at Exchange 2010 RBAC and some basic considerations.
Understanding the RBAC basics
The principal benefit of RBAC is improved security. An ACL only provides limited access control and must be manually updated by an administrator who possesses detailed knowledge of its contents. By comparison, RBAC provides extremely granular permission control, letting admins assign general permissions quickly through the use of pre-established roles. They can also choose to modify existing roles or create specialized roles for users with unusual needs.
Ultimately, RBAC allows users and administrators to perform respective tasks using the least amount of privilege. This level of granularity also enables Exchange administrators to match the permissions given to users and other administrators with the actual roles of those employees.
“It expands the notion of who can do Exchange administration,” said Richard Luckett, president of SYSTMS of NY, Inc., a consulting and services firm. “Now, end users can be granted customized control over self-service options and non-traditional administrators such as HR and legal counsel can be granted administrative rights.”
Exchange 2010 RBAC permissions
RBAC permissions are based on the premise of roles, groups and scopes. A management role is an established set of management rights that allows an individual to view or modify the setup of Exchange 2010 mailboxes, transport rules, recipients and more. There are numerous built-in roles, but it’s also possible to create uniquely defined roles that suit the particular needs of an organization.
Roles can also be combined into larger management groups and associated policies that allow administrators and users to manage Exchange features and recipient setups. In addition, role scopes define the objects a role can manage.
“If an administrator only wants a group to be able to manage a specific organizational unit in Active Directory, they can scope the role to apply to that specific OU,” said Tom Phillips, owner and principal consultant at TG Phillips IT Consulting Inc. in Allen, Texas.
To simplify Exchange Server 2010 administration, RBAC provides more than 10 default role groups. Each group can be assigned to various administrators or users. Experts point out that roles like discovery management, help desk, organizational management and recipient management are the most commonly used default role groups in Exchange 2010.
There are also at least 70 pre-established roles that can be assigned to role groups or combined with assignment policies, depending on how you prefer to assign permissions. None of the pre-established roles are clearly more useful or beneficial than others; their use depends on the unique needs of the organization. But the variety of roles available out of the box means significant time-savings for Exchange managers.
Managing RBAC in Exchange Server 2010
There are three primary ways of managing role based access control in Exchange Server 2010. Admins can use Active Directory (users and computers), the Exchange Management Shell or the Exchange Control Panel. There is also an RBAC Editor GUI on Microsoft's open-source project site, Codeplex.
Exchange administrators also benefit from a variety of acquired skills when managing RBAC. In general, any experience with role-based permission schemes will come in handy, though simple practice with the pre-established roles and groups ease the learning curve.
And while complicated scripts aren’t necessary to customize roles and groups, some mastery over the Exchange Management Shell is necessary to effectively work with RBAC. Fortunately, administrators not comfortable with cmdlets can use the Exchange Control Panel’s easier-to-navigate GUI.
This was first published in December 2011