
Page 1: Dustin Johnson Microsoft Practice Lead Dell, Inc. SESSION CODE: UNC302

“Role Based Access Control (RBAC) in Microsoft Exchange Server 2010: A Real-Life Implementation”
Dustin Johnson, Microsoft Practice Lead, Dell, Inc.

SESSION CODE: UNC302

Page 2: Agenda

• History
• About Role Based Access Control (RBAC)
• RBAC Model
• Real-Life Scenario / Demo
• How RBAC Works
• Troubleshooting RBAC
• Key Learnings / Takeaways
• Q&A

Page 3: History – Exchange Permissions

Exchange 2003:
• Exchange Full Administrator
• Exchange Administrator
• Exchange View Only Administrator

Exchange 2007:
• Exchange Organization Administrators
• Exchange Recipient Administrators
• Exchange View-Only Administrators
• Exchange Public Folder Administrators
• Exchange Server Administrators

Page 4: History – Exchange History – Split Permissions

• Allowed for separate administrators for Active Directory and Exchange
• Attribute Level Access Control
  • Discretionary access control lists (DACLs) – access permissions
  • System access control lists (SACLs) – auditing contexts
  • Property Sets – groups of attributes that enable access control to a subset of an object's properties
  • An Access Control Entry can be set on a property set instead of on each individual property

Page 5: History – Challenges with previous versions

• Current management role implementation is limited – organization, recipient and server
• Access control management is complex
• Permissions are focused on objects and not tasks
  • Objects don't always map 1 to 1 with tasks
• Excessive privileges required for some Exchange operations (e.g., Move-Mailbox, Export-Mailbox)
• Object access auditing and delegated permission reporting is difficult
• Permissions troubleshooting is complex
• There is no support for self-service management

Page 6: About Role Based Access Control (RBAC) – Benefits

• Role Based Access Control (RBAC) is a methodology of limiting tasks to objects based on a specific role
• Administration boundaries can be synonymous with job duties or functions and can be associated with individual users
• The goal in role definition is to determine in advance all the access a user might require to perform a specific task or job
• Scalability and efficiency gains are two benefits of role-based administration
• Aligns with an organization's structure of roles and responsibilities

Page 7: About Role Based Access Control (RBAC) – Exchange 2010

• It is intended as a replacement for the Active Directory-centric ACL model of previous versions of Exchange
• RBAC is an Exchange-focused mechanism that aligns with the organizational role a user or administrator holds
• Improves the administrative experience for customers and partners
• Consistent authorization model for Exchange management clients (e.g., EMC, ECP, EMS)
• Reporting to determine the level of access control that is in place

Page 8: Real-Life Scenario – Requirements

• Org Admin
• Help Desk Tier 2
• Help Desk ABU
• Server Admin
• Database Admin
• Recipient Admin

Page 9: RBAC Model (diagram)

• Role – “What”
• Scope – “Where”
• User, USG, Policy – “Who”
• Role Assignment – “Glue”

Page 10: RBAC Model – What: Roles

• What is your role going to be able to do?
  • Users need to manage attributes (what) of their mailbox
  • Help Desk 1 ABU needs to manage the users (what) in Americas
• Is a “What”
  • Managing attributes
  • Managing servers

Page 11: RBAC Model – What: Management Roles

• Management Roles provide access to management tasks for organization, recipient and server administration
• Exchange 2010 SP1 has 65+ built-in Management Roles
• Cmdlet nouns: ManagementRole, ManagementRoleEntry

Page 12: RBAC Model – What: New Roles

• Created as a “child” of a “parent” role
• Child inherits default scope and role entries from parent
• You can modify by removing role entries, but cannot add new role entries
• By default all roles have four implicit scopes:
  • RecipientReadScope
  • RecipientWriteScope
  • ConfigReadScope
  • ConfigWriteScope

Page 13: RBAC Model (diagram repeated: Role “What”, Scope “Where”, User/USG/Policy “Who”, Role Assignment “Glue”)

Page 14: RBAC Model – Where

• Where determines the scope:
  • Group of users
  • Active Directory site or Organizational Unit
  • Exchange server or database
• Where do you need to do a task?
  • The Help Desk ABU needs to manage mailboxes in Americas (where)
• Is a “Where”
  • Is the department defined by an OU or a USG?

Page 15: RBAC Model – Where: Management Scope

• RBAC Management Scope defines the “where” for the role
• Default scope is inherited
  • Roles are created by copying
  • The child inherits scope from the parent
• Can be defined during the role assignment
• Can be Explicit or Implicit

Page 16: RBAC Model (diagram repeated: Role “What”, Scope “Where”, User/USG/Policy “Who”, Role Assignment “Glue”)

Page 17: RBAC Model – Who

• Determines which users (represented by mailboxes) or groups (USG) receive permissions
• Who needs to do something?
  • The Administrator (who) needs to manage Exchange
  • The Help Desk ABU (who) needs to administer mailboxes
• Is a “Who”
  • The Administrator
  • The Help Desk ABU

Page 18: RBAC Model – Who: The Role Group

• If you need to assign a role to a group of people, you use the “Role Group”
• Users or groups can be added to the Role Group during creation or at any time thereafter
• Managed like existing groups
• An AD object and a USG

Page 19: RBAC Model (diagram repeated: Role “What”, Scope “Where”, User/USG/Policy “Who”, Role Assignment “Glue”)

Page 20: RBAC Model – Glue: Role Assignment

• Glues all task parts together
• What, Where, Who combination
• Cmdlet nouns: ManagementRoleAssignment, RoleAssignmentPolicy

Page 21: RBAC Model (diagram with cmdlet nouns)

• Role – “What”: -ManagementRole, -ManagementRoleEntry
• Role Assignment – “Glue”: -ManagementRoleAssignment, -RoleAssignmentPolicy
• User, USG, Policy – “Who”: -RoleGroup, -RoleGroupMember
• Scope – “Where”: -ManagementScope
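A worked example of the four pieces for the deck's Help Desk ABU requirement (manage mailboxes in Americas), written in the Exchange Management Shell. It is added here and is not the presenter's demo; the role, scope and group names, the OU path contoso.com/Americas and the member account are placeholders.

```powershell
# Added example (not from the deck): build the Help Desk ABU assignment from the
# four RBAC pieces. Names, the OU path and the member account are placeholders.

# WHAT: a child role copied from the built-in "Mail Recipients" role. A child
# inherits its parent's role entries; entries can be removed, never added.
New-ManagementRole -Name "Help Desk ABU Mailboxes" -Parent "Mail Recipients"

# Trim the child. Drop whole cmdlets the help desk must not run, then restrict
# Set-Mailbox to the parameters the task actually needs. Only entries present on
# the parent are removed, so the loop does not fail if a name is absent.
foreach ($cmdlet in @("Add-MailboxPermission", "Set-CASMailbox")) {
    $entry = "Help Desk ABU Mailboxes\$cmdlet"
    if (Get-ManagementRoleEntry $entry -ErrorAction SilentlyContinue) {
        Remove-ManagementRoleEntry $entry -Confirm:$false
    }
}
# -Parameters without -AddParameter/-RemoveParameter replaces the whole list.
Set-ManagementRoleEntry "Help Desk ABU Mailboxes\Set-Mailbox" `
    -Parameters Identity, DisplayName, CustomAttribute1, ProhibitSendQuota

# WHERE: an explicit recipient scope. Root the scope at the Americas OU and
# narrow it to user mailboxes, so the role can write only to those objects.
New-ManagementScope -Name "Americas Mailboxes" `
    -RecipientRoot "contoso.com/Americas" `
    -RecipientRestrictionFilter { RecipientType -eq "UserMailbox" }

# WHO + GLUE: a role group (an AD USG). Creating it with -Roles and a custom
# write scope also creates the management role assignment that binds the three.
New-RoleGroup -Name "Help Desk ABU" `
    -Roles "Help Desk ABU Mailboxes" `
    -CustomRecipientWriteScope "Americas Mailboxes" `
    -Members "hd-abu-user1" `
    -Description "Tier 1 help desk for Americas mailboxes"

# Verify the glue: one assignment, scoped to the Americas, for this group.
Get-ManagementRoleAssignment -RoleAssignee "Help Desk ABU" |
    Format-Table Name, Role, RecipientWriteScope, CustomRecipientWriteScope -AutoSize
```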

Page 22: RBAC Real-Life Scenario – DEMO

Page 23: Management Role Assignment – Who can do what… and where? (diagram)

• Role assignment: binds a role and scope to a role holder (assignee)
• Role holder (Who?) – higher-level job function: Role Group
• Binding layer – task-based permissions: Role Assignment (one per role)
• Individual permissions (What?) – Role, made up of Role Entries (Command: Parameters)
• Scope (Where?) – Recipient Scope, Configuration Scope

Page 24: How RBAC Works – Under the Covers

• All tasks run under the security context of the Exchange server providing the PowerShell session
• The Exchange servers are members of the Exchange Trusted Subsystem USG
• The Exchange Trusted Subsystem USG has the permissions to carry out all Exchange tasks
• Exchange has the permissions and, through RBAC, determines the level of access given to the user through the Exchange management tools

Page 25: How RBAC Works – Integration with Active Directory

• Everything you do to Active Directory related to Exchange has an ACL defined that allows the Exchange Trusted Subsystem to carry out the task
• Exchange actually performs the tasks against Active Directory rather than the user doing so directly
• The RBAC model controls who can perform actions and what actions can be performed

Page 26: Troubleshooting RBAC – Reporting cmdlets

• Get-ManagementRoleAssignment
• Get-ManagementScope
• Get-ManagementRole
• Get-ManagementRoleEntry
• Get-RoleGroup
• Get-RoleGroupMember
• Get-RoleAssignmentPolicy

Note: Get-ManagementRoleAssignment is the key cmdlet for troubleshooting.
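An added example (not from the deck) of the troubleshooting questions Get-ManagementRoleAssignment and Get-ManagementRoleEntry answer together, run in the Exchange Management Shell; the user, mailbox and cmdlet names are placeholders, and the Test-RbacCanRun helper is mine, not an Exchange cmdlet.

```powershell
# Added example (not from the deck). Placeholders: hd-abu-user1, jane.doe.

# 1. What can this person do? -GetEffectiveUsers expands role groups to the
#    people in them, so membership-derived permissions are not missed.
Get-ManagementRoleAssignment -GetEffectiveUsers |
    Where-Object { $_.EffectiveUserName -eq "hd-abu-user1" } |
    Format-Table Role, RoleAssigneeName, RecipientWriteScope, CustomRecipientWriteScope -AutoSize

# 2. Who can change this mailbox? -WritableRecipient keeps only assignments
#    whose recipient write scope actually contains the target object.
Get-ManagementRoleAssignment -WritableRecipient "jane.doe" -GetEffectiveUsers |
    Select-Object Role, RoleAssigneeName, EffectiveUserName, RecipientWriteScope |
    Sort-Object EffectiveUserName, Role

# 3. Why is a parameter missing from tab completion? Show every role that still
#    carries Set-Mailbox and the parameter list each role entry keeps.
Get-ManagementRoleEntry "*\Set-Mailbox" |
    Select-Object Role, @{ n = "Parameters"; e = { $_.Parameters -join ", " } }

# Helper (mine): turn questions 2 and 3 into one yes/no answer. A user can run
# the cmdlet against the mailbox only if some non-delegating assignment reaches
# both the user and the mailbox AND that assignment's role still has an entry
# for the cmdlet.
function Test-RbacCanRun {
    param(
        [Parameter(Mandatory)] [string] $User,
        [Parameter(Mandatory)] [string] $Cmdlet,
        [Parameter(Mandatory)] [string] $TargetMailbox
    )
    $reach = Get-ManagementRoleAssignment -WritableRecipient $TargetMailbox `
        -GetEffectiveUsers -Delegating $false |
        Where-Object { $_.EffectiveUserName -eq $User }
    foreach ($a in $reach) {
        $entry = "$($a.Role)\$Cmdlet"
        if (Get-ManagementRoleEntry $entry -ErrorAction SilentlyContinue) {
            return $true
        }
    }
    return $false
}

Test-RbacCanRun -User "hd-abu-user1" -Cmdlet "Set-Mailbox" -TargetMailbox "jane.doe"
```

The helper reports scope and role-entry reach only; it does not evaluate the parameter list on the entry, so follow up with question 3 when a specific parameter is the problem.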

Page 27: Takeaways – What I and my org can do

• Demonstrate how RBAC enables your organization to distribute tasks
• Define role requirements for Exchange 2010 management
  • What jobs are people doing today
  • Tasks
  • (1) Roles – What, (2) Scope – Where, (3) Groups – Who
• Define administrative tool requirements for each role
• Define training requirements
• Determine business partner ownership

Page 28: Key Learnings – What I Learned

• RBAC offers a simplified access control model that is based on well-defined management roles vs. traditional permissions
• The RBAC authorization model is consistent across Exchange management tools
• Granular control of tasks at the command/parameter level is possible
• Service Pack 1
  • Database level scope definition
  • Enhanced RBAC UI in Exchange Control Panel

Page 29: Unified Communications Track – Call to Action! Learn More!

• View related Unified Communications (UNC) content at TechEd / after at TechEd Online
• Visit microsoft.com/communicationsserver for more Communications Server “14” product information
• Find additional Communications Server “14” content in the Technical Library, weekly technical articles at NextHop, and follow DrRez on Twitter
• Check out Microsoft TechNet resources for Communications Server and Exchange Server
• Visit additional Exchange 2010 IT Professional-focused content: Partner Link or Customer Link (Name: ExPro Pword: EHLO!world)

Try It Out! Exchange 2010 SP1 Beta download is now available from the download center!

Page 30: Related Content

• UNC301 – Microsoft Exchange Server 2010: Sizing and Performance – Get It Right the First Time
• UNC304 – Microsoft Exchange Server 2010: High Availability Deep Dive
• UNC305 – Microsoft Exchange Server 2010 High Availability: Design Considerations
• UNC306 – Going Big! Deploying Large Mailboxes with Microsoft Exchange Server 2010 without Breaking the Bank
• UNC315 – Microsoft Communications Server “14”: Setup and Deployment
• UNC316 – Microsoft Communications Server “14”: Monitoring and Reporting
• UNC317 – Microsoft Communications Server “14”: Management Experience

Page 31: Questions?

Page 32: Unified Communications Track – Call to Action! Learn More! (repeat of the Page 29 slide)

Page 33: Resources

• www.microsoft.com/teched – Sessions On-Demand & Community
• www.microsoft.com/learning – Microsoft Certification & Training Resources
• http://microsoft.com/technet – Resources for IT Professionals
• http://microsoft.com/msdn – Resources for Developers

Page 34: Complete an evaluation on CommNet and enter to win!

Page 35: Sign up for Tech·Ed 2011 and save $500 starting June 8 – June 31st

http://northamerica.msteched.com/registration

You can also register at the North America 2011 kiosk located at registration. Join us in Atlanta next year.

Page 36: Legal notice

© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Page 37: Backup

• Outlook Delegate permissions with Exchange 2010 RBAC
• Service Pack 1
  • Split Permissions: split of Windows admin between admins and Domain admins. (DF6)
  • Database Scoping: support for scoping RBAC permissions to databases.


Page 39: JUNE 7-10, 2010 | NEW ORLEANS, LA