TRANSCRIPT

"Role Based Access Control (RBAC) in Microsoft Exchange Server 2010: A Real-Life Implementation"
Dustin Johnson, Microsoft Practice Lead, Dell, Inc.
SESSION CODE: UNC302
Agenda
• History
• About Role Based Access Control (RBAC)
• RBAC Model
• Real-Life Scenario / Demo
• How RBAC Works
• Troubleshooting RBAC
• Key Learnings / Takeaways
• Q&A
History – Exchange Permissions
Exchange 2003
• Exchange Full Administrator
• Exchange Administrator
• Exchange View Only Administrator
Exchange 2007
• Exchange Organization Administrators
• Exchange Recipient Administrators
• Exchange View-Only Administrators
• Exchange Public Folder Administrators
• Exchange Server Administrators
History – Split Permissions
• Allowed separate administrators for Active Directory and for Exchange
• Attribute-level access control
• Discretionary access control lists (DACLs): access permissions
• System access control lists (SACLs): auditing
• Property sets: groups of attributes that let access control be applied to a subset of an object's properties
• An access control entry (ACE) can be set on a property set instead of on each individual property
History – Challenges with previous versions
• The management role implementation is limited to three roles: organization, recipient and server
• Access control management is complex
• Permissions are focused on objects, not tasks; objects don't always map 1:1 to tasks
• Excessive privileges are required for some Exchange operations (e.g., Move-Mailbox, Export-Mailbox)
• Object access auditing and delegated-permission reporting are difficult
• Permissions troubleshooting is complex
• There is no support for self-service management
About Role Based Access Control (RBAC) – Benefits
• RBAC is a methodology for limiting which tasks may be performed on which objects, based on a specific role
• Administration boundaries can match job duties or functions and can be associated with individual users
• The goal in role definition is to determine in advance all the access a user needs to perform a specific task or job
• Scalability and efficiency gains are two benefits of role-based administration
• Aligns with an organization's structure of roles and responsibilities
About Role Based Access Control (RBAC) – Exchange 2010
• Intended as a replacement for the Active Directory-centric ACL model of previous Exchange versions
• An Exchange-focused authorization model that aligns permissions with the role a user or administrator holds in the organization
• Improves the administrative experience for customers and partners
• One consistent authorization model across the Exchange management clients (EMC, ECP, EMS)
• Reporting to determine the level of access control that is in place
Real-Life Scenario – Requirements
• Org Admin
• Help Desk Tier 2
• Help Desk ABU
• Server Admin
• Database Admin
• Recipient Admin
RBAC Model
[Diagram] Role Assignment is the "glue" that binds together:
• Role – "What"
• Scope – "Where"
• User, USG, Policy – "Who"
RBAC Model – What: Roles
• What is your role going to be able to do?
• A user needs to manage attributes (what) of their own mailbox
• The Help Desk ABU needs to manage the users (what) in Americas
• Is a "What": managing attributes, managing servers
RBAC Model – What: Management Roles
• Management roles provide access to management tasks for organization, recipient and server administration
• Exchange 2010 SP1 has 65+ built-in management roles
• Cmdlet nouns: ManagementRole, ManagementRoleEntry
RBAC Model – What: New Roles
• Created as a "child" of a "parent" role
• The child inherits the parent's default scopes and role entries
• You tailor the child by removing role entries (or trimming the parameters of an entry); you cannot add an entry that the parent role does not contain
• By default every role has four implicit scopes: RecipientReadScope, RecipientWriteScope, ConfigReadScope, ConfigWriteScope
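As an added example (this is not code from the session; it is written here to illustrate the slide), the "What" for the scenario's Help Desk ABU built as a child of the built-in Mail Recipients role. The role name "Help Desk ABU Recipients", the choice of entries to strip and the parameter list kept on Set-Mailbox are assumptions for illustration:

```powershell
# Added example, not from the session. Run in the Exchange Management Shell as an
# organization administrator. Role name and parameter choices below are assumed.

# 1. Create the child. It starts with every role entry and the four implicit scopes
#    of its parent; nothing outside the parent can ever be granted through it.
New-ManagementRole -Name "Help Desk ABU Recipients" -Parent "Mail Recipients"

# 2. A role entry is a cmdlet plus the parameters the role may use with it.
Get-ManagementRoleEntry "Help Desk ABU Recipients\*" |
    Sort-Object Name |
    Format-Table Name, Parameters -AutoSize

# 3. Remove entries the help desk must never run, here the permission-delegation
#    cmdlets (Add-/Remove-MailboxPermission, Add-/Remove-ADPermission). Entries can
#    be removed, or added back later, only while the parent still contains them.
Get-ManagementRoleEntry "Help Desk ABU Recipients\*" |
    Where-Object { $_.Name -like "*Permission" } |
    Remove-ManagementRoleEntry -Confirm:$false

# 4. Restrict a remaining cmdlet to an explicit parameter list. Without -AddParameter
#    or -RemoveParameter, -Parameters replaces the current list, so a parameter not
#    named here (for example -EmailAddresses) is no longer available to role holders.
Set-ManagementRoleEntry "Help Desk ABU Recipients\Set-Mailbox" `
    -Parameters Identity, DisplayName, IssueWarningQuota, ProhibitSendQuota, ProhibitSendReceiveQuota

# 5. Check the result, and the implicit scopes inherited from the parent.
Get-ManagementRoleEntry "Help Desk ABU Recipients\Set-Mailbox" | Format-List Name, Parameters
Get-ManagementRole "Help Desk ABU Recipients" |
    Format-List Name, Parent, ImplicitRecipientReadScope, ImplicitRecipientWriteScope,
                ImplicitConfigReadScope, ImplicitConfigWriteScope
```

The child role grants nothing on its own; it only takes effect once a role assignment binds it to a role group, user or policy together with a scope.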
RBAC Model – Where
• Where determines the scope: a group of users, an Active Directory site or organizational unit, an Exchange server or database
• Where do you need to do a task? The Help Desk ABU needs to manage mailboxes in Americas (where)
• Is a "Where": is the department defined by an OU or by a USG?
RBAC Model – Where: Management Scope
• An RBAC management scope defines the "where" for the role
• The default scope is inherited: roles are created by copying, and the child inherits scope from the parent
• A scope can also be defined on the role assignment
• Scopes can be explicit or implicit
RBAC Model – Who
• Determines which users (represented by mailboxes) or groups (USGs) receive permissions
• Who needs to do something? The Administrator (who) needs to manage Exchange; the Help Desk ABU (who) needs to administer mailboxes
• Is a "Who": the Administrator, the Help Desk ABU
RBAC Model – Who: The Role Group
• To assign a role to a group of people, use a role group
• Users or groups can be added to the role group when it is created or afterwards
• Managed like any existing group: a role group is an Active Directory object, a universal security group (USG)
RBAC Model – Glue: Role Assignment
• Glues all the parts of a task together: the What, Where, Who combination
• Cmdlet nouns: ManagementRoleAssignment, RoleAssignmentPolicy
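As an added example (not code from the session), the Who, Where and What of the scenario wired together for the Help Desk ABU and for a Database Admin, with the checks that show what the glue produced. The role "Help Desk ABU Recipients", the OU path, the database and user names and the scope names are assumptions for illustration:

```powershell
# Added example, not from the session. Run as an organization administrator.
# OU, database, user and role names below are assumed for illustration.

# Where (recipients): an explicit scope. RecipientRoot must be paired with a filter.
New-ManagementScope -Name "Americas Mailboxes" `
    -RecipientRoot "corp.example.com/Americas" `
    -RecipientRestrictionFilter { RecipientType -eq "UserMailbox" }

# Where (configuration, SP1): a Database Admin confined to named databases.
New-ManagementScope -Name "Americas Databases" -DatabaseList "DB-AMER-01", "DB-AMER-02"

# Who + glue: New-RoleGroup creates the USG in Active Directory and one role assignment
# per role, each carrying the custom write scope. Read scope stays implicit.
New-RoleGroup -Name "Help Desk ABU" `
    -Roles "Help Desk ABU Recipients" `
    -CustomRecipientWriteScope "Americas Mailboxes" `
    -Members "hd.alice", "hd.bob"

New-RoleGroup -Name "Database Admin Americas" `
    -Roles "Databases", "Database Copies" `
    -CustomConfigWriteScope "Americas Databases" `
    -Members "dba.carol"

# Granting another role later means another assignment; scope is set per assignment,
# so the help desk can move only the mailboxes its recipient scope covers.
New-ManagementRoleAssignment -Name "Move Mailboxes-Help Desk ABU" `
    -Role "Move Mailboxes" -SecurityGroup "Help Desk ABU" `
    -CustomRecipientWriteScope "Americas Mailboxes"

# Check: every assignment that applies to the group, with the scope each one carries.
Get-ManagementRoleAssignment -RoleAssignee "Help Desk ABU" |
    Format-Table Name, Role, RecipientWriteScope, CustomRecipientWriteScope, ConfigWriteScope -AutoSize

# Check: expand group membership to the people who actually hold the assignments.
Get-ManagementRoleAssignment -RoleAssignee "Help Desk ABU" -GetEffectiveUsers |
    Format-Table Role, EffectiveUserName -AutoSize
```

A scope attached to an assignment narrows only that assignment; a role group that holds several assignments can have a different scope on each, which is what Get-ManagementRoleAssignment shows per row.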
RBAC Model – cmdlet nouns by component
• Role ("What"): ManagementRole, ManagementRoleEntry
• Role Assignment ("Glue"): ManagementRoleAssignment, RoleAssignmentPolicy
• User, USG, Policy ("Who"): RoleGroup, RoleGroupMember
• Scope ("Where"): ManagementScope
RBAC Real-Life Scenario
DEMO
[Diagram] Management Role Assignment – who can do what… and where?
• Role holder (Who?): administrators / specialists, represented by a Role Group; the higher-level job function
• Binding layer: the Role Assignment binds a role and a scope to a role holder (assignee); task-based permissions, each assignment carrying a Recipient Scope and a Configuration Scope (Where?)
• Role (What?): made up of Role Entries, each a Command: Parameters pair; the individual permissions
How RBAC Works – Under the Covers
• All tasks run under the security context of the Exchange server providing the PowerShell session
• The Exchange servers are members of the Exchange Trusted Subsystem USG
• The Exchange Trusted Subsystem USG has the permissions to carry out all Exchange tasks
• Exchange holds the permissions; RBAC determines the level of access given to the user through the Exchange management tools
How RBAC Works – Integration with Active Directory
• Everything Exchange does to Active Directory has an ACL defined that allows the Exchange Trusted Subsystem to carry out the task
• Exchange performs the task against Active Directory on the user's behalf; the user's own account needs no rights on the objects
• The RBAC model controls who can perform actions and which actions can be performed
Troubleshooting RBAC – Reporting cmdlets
• Get-ManagementRoleAssignment
• Get-ManagementScope
• Get-ManagementRole
• Get-ManagementRoleEntry
• Get-RoleGroup
• Get-RoleGroupMember
• Get-RoleAssignmentPolicy
Note: Get-ManagementRoleAssignment is the key cmdlet for troubleshooting.
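As an added example (not code from the session), the checks a practitioner runs when "why can't this person do X?" or "who can do X to Y?" comes up. The first part shows the "under the covers" slide from the user's side: the shell is a remote PowerShell session brokered by an Exchange server, and the cmdlets and parameters that appear are exactly the ones RBAC grants. The rest uses the reporting cmdlets listed above. The server URL, user, group, mailbox and database names are assumptions:

```powershell
# Added example, not from the session. Names and the server URL are assumed.

# Part 1: what the help desk user actually sees. The session runs in the server's
# security context (Exchange Trusted Subsystem); the user's own AD rights are not used.
$cred    = Get-Credential "corp\hd.alice"
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri "http://ex01.corp.example.com/PowerShell/" `
    -Authentication Kerberos -Credential $cred
Import-PSSession $session -AllowClobber

(Get-Command -CommandType Function | Where-Object { $_.ModuleName -like "tmp_*" }).Count
Get-Command Set-Mailbox                    # fails if no assigned role contains the cmdlet
(Get-Command Set-Mailbox).Parameters.Keys  # only the parameters a role entry allows
Remove-PSSession $session

# Part 2: reporting. These cmdlets need View-Only Organization Management (or
# Organization Management), so run them from an administrator's shell.

# Which roles, built-in or custom, carry a cmdlet, or a specific parameter of it?
Get-ManagementRole -Cmdlet Set-Mailbox -CmdletParameters ProhibitSendQuota |
    Select-Object Name

# Everything that applies to one user: direct assignments plus those inherited
# through role groups and the role assignment policy.
Get-ManagementRoleAssignment -RoleAssignee "hd.alice" |
    Format-Table Name, Role, RoleAssigneeType, Enabled, RecipientWriteScope, CustomRecipientWriteScope -AutoSize

# "Who can change mailbox jane.doe?": filter by writable target and expand role
# groups to the effective users.
Get-ManagementRoleAssignment -WritableRecipient "jane.doe" -GetEffectiveUsers |
    Format-Table Role, RoleAssigneeName, EffectiveUserName, CustomRecipientWriteScope -AutoSize

# SP1: the same question for a database, i.e. the configuration write scope.
Get-ManagementRoleAssignment -WritableDatabase "DB-AMER-01" -GetEffectiveUsers |
    Format-Table Role, EffectiveUserName, CustomConfigWriteScope -AutoSize

# Role group membership and who is allowed to manage the group itself.
Get-RoleGroupMember "Help Desk ABU"
Get-RoleGroup "Help Desk ABU" | Format-List Name, Roles, ManagedBy, Members
```

If a user can run a cmdlet that the reporting shows no assignment for, check the role assignment policy (Get-RoleAssignmentPolicy) and the user's USG memberships: Get-ManagementRoleAssignment -RoleAssignee follows group membership, but a disabled assignment (Enabled = False) still appears in the output and grants nothing.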
Takeaways – What I and my org can do
• Demonstrate how RBAC enables your organization to distribute tasks
• Define role requirements for Exchange 2010 management: what jobs are people doing today, and which tasks do they involve?
• (1) Roles – What (2) Scope – Where (3) Groups – Who
• Define administrative tool requirements for each role
• Define training requirements
• Determine business partner ownership
Key Learnings – What I Learned
• RBAC offers a simplified access control model based on well-defined management roles instead of traditional permissions
• The RBAC authorization model is consistent across the Exchange management tools
• Granular control of tasks at the command/parameter level is possible
• Service Pack 1: database-level scope definition; enhanced RBAC UI in the Exchange Control Panel
Unified Communications Track – Call to Action! Learn More!
• View related Unified Communications (UNC) content at TechEd, and afterwards at TechEd Online
• Visit microsoft.com/communicationsserver for more Communications Server "14" product information
• Find additional Communications Server "14" content in the Technical Library, weekly technical articles at NextHop, and follow DrRez on Twitter
• Check out Microsoft TechNet resources for Communications Server and Exchange Server
• Visit additional Exchange 2010 IT Professional-focused content: Partner Link or Customer Link (Name: ExPro Pword: EHLO!world)
Try It Out! The Exchange 2010 SP1 Beta download is now available from the download center!
Related Content
• UNC301 – Microsoft Exchange Server 2010: Sizing and Performance – Get It Right the First Time
• UNC304 – Microsoft Exchange Server 2010: High Availability Deep Dive
• UNC305 – Microsoft Exchange Server 2010 High Availability: Design Considerations
• UNC306 – Going Big! Deploying Large Mailboxes with Microsoft Exchange Server 2010 without Breaking the Bank
• UNC315 – Microsoft Communications Server "14": Setup and Deployment
• UNC316 – Microsoft Communications Server "14": Monitoring and Reporting
• UNC317 – Microsoft Communications Server "14": Management Experience
Questions?
Resources
• www.microsoft.com/teched – Sessions On-Demand & Community
• www.microsoft.com/learning – Microsoft Certification & Training Resources
• http://microsoft.com/technet – Resources for IT Professionals
• http://microsoft.com/msdn – Resources for Developers
Complete an evaluation on CommNet and enter to win!
Sign up for Tech·Ed 2011 and save $500 starting June 8 – June 31st
http://northamerica.msteched.com/registration
You can also register at the North America 2011 kiosk located at registration. Join us in Atlanta next year.
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Backup
Outlook Delegate permissions with Exchange 2010 RBAC
Service Pack 1
• Split Permissions: separates Exchange administration from Windows/Domain administration (DF6)
• Database Scoping: support for scoping RBAC permissions to databases
JUNE 7-10, 2010 | NEW ORLEANS, LA