NOTE: The sheet has been updated after the release of SP1, a post containing a link to the updated sheet can be found here.
In an attempt to get more grip on and understanding of Exchange 2010’s Role Based Access Control, I created an Excel workbook for RBAC reference. Besides the default RBAC configuration of Exchange 2010 RTM and Exchange 2010 SP1 Beta, it also contains a list of differences found between the two setups.
Now for a quick word on how to use this thing.
The Exchange sheets contains RoleGroup, ManagementRoleAssignment, ManagementRole, ManagementRoleEntry and RoleEntry (cmdlet) information. The ManagementRoleAssignment and ManagementRoleEntry are hidden columns, because they only contain values linking the two pieces of information next to them together. You can unhide these if you you, by selecting the sheet, right-clicking on it and selecting Unhide .
Now each row is a complete set of permissions, meaning it states a unique RoleEntry + Role + RoleGroup combination, meaning that RBAC by default grants that RoleEntry to that Role to that RoleGroup. The nice thing is that you can use Excel’s data filter to filter results and see what cmdlets are available to a certain RoleGroup or which RoleGroup or Roles can use a certain cmdlet.
To use this function, select one of the Exchange sheets. On the top row containing the header you’ll notice a drop-down box. When clicking that drop-down box, it’ll show all entries in the table for that colum and various options like sorting. Notice that in front of the unique entries for in that colum is a checkbox. By checking or unchecking this you can apply or remove a filter on that colum. You can also combine filters. Use the “Select (All)” option lets you quickly (un)check all filtering options.
For example, by selecting only the RoleGroup “Help Desk”, you will see all entries for that RoleGroup:
Looking from the RoleEntry perspective, by filtering on a CmdLet, you can see what Roles and RoleGroups may perform a certain operation:
The 3rd sheet contains differences in RBAC configuration between Exchange 2010RTM and Exchange 2010 SP1 Beta. A green row with a “!>” indicates a new RBAC entry for SP1 Beta; a red one row with “<!” means the setting has been removed or became obsolete in 2010 SP1 Beta.
You can download the sheet RBAC_Overview_v11.xlsx from here. That isn’t the permanent location; I’m still looking for a location to host Excel files or ZIP files since WordPress won’t let me upload those. Also note that the file also contains information based on Exchange 2010 SP1 Beta which is subject to change in the final product.
Hope you find the RBAC information in this form useful. Feedback is appreciated (comment or e-mail).
Note: Whilst I was busy creating this workbook I noticed a guy from MS has already developed an Exchange 2010 RBAC Manager. You can use this not only to interactively browse the current RBAC configuration but you can also make changes. This excellent tool can be download here.