Exchange 2010 ships with a great new security feature – Role Based Access Control (RBAC). Having worked on the RBAC architecture of another product in what seems like a previous life, I’m excited about the RBAC implementation in Exchange! I wanted to write a detailed article/post on RBAC, but given current time constraints, the longish, in-depth technical posts are on the back-burner for now. Meanwhile, check out Understanding Role-Based Access Control and other topics in that node in Exchange 2010 docs, and Matt’s excellent post on the team blog— RBAC and the Triangle of Power.
In brief, RBAC allows you to assign granular role-based permissions to accomplish certain common administrative tasks, without having to assign broad-ranging permissions or adding administrators to privileged groups such as Organization Administrators or Domain Admins. It’s Security 101, applying the principle of least privilege.
To understand RBAC, you need to remember it’s about Who, What & Where.
- Who: Users (or security principals if you will) you assign permissions to
- What: Permissions, assigned by adding users to an RBAC role group or directly assigning a management role.
- Where: The scope for which permissions are assigned, for example a domain, an Organizational Unit, a Mailbox Database.
Lest I end up making this the in-depth RBAC article I planned for later, I’ll let you read up on RBAC if you still need to understand the concepts.
So, you want to remove a particular management role from a role group. Instead of modifying the built-in RBAC role groups that Exchange 2010 ships with, I would recommend creating custom role groups of your own. In this example, we want to create a custom role group which has all the roles that the Recipient Management group has, except Message Tracking.
To accomplish this, we will need to:
- Get the roles property (a multi-valued property) from the Recipient Management role group— let’s just call it a list of roles
- Remove the Message Tracking role from the list
- Create a custom role group and assign the list of roles to it
Here’s how you can easily do this using the Shell:
$roles = (Get-RoleGroup “RecipientManagement”).Roles
$roles.Remove((Get-ManagementRole “Message Tracking”).distinguishedName)
New-RoleGroup MyCustomRoleGroup -Roles $roles
Double-check the management roles assigned to the new MyCustomRoleGroup:
(Get-RoleGroup MyCustomRoleGroup).Roles | fl Name
Now you can add members to your newly-created custom role group.