Role-based Access Control

It has been over 5 years (wait, what?) since I wrote an article on Role-based Access Control, or RBAC, in Exchange 2010. At that time, RBAC was a big architectural change in Exchange 2010 over Exchange 2007.

Present day, RBAC is still a much neglected topic in many Exchange organizations. It must be said that most organizations can happily live with the default RBAC configuration. They have no need to dive into this versatile model to set up granular permissions in their organization. In bigger organizations, this configuration can also easily become quite complex.

For TechTarget I started writing a few articles on the topic of RBAC, starting with the base components. There you can find Part 1, Part 2, and Part 3.

Disabling editing account information in OWA

In Exchange 2010, by default users have permission to edit their contact information from the Exchange Control Panel. In organizations where this is unwanted, like when account information is provisioned, you need to remove these permissions.

These permissions flow from the Default Role Assignment Policy.

Note: You could have changed the default role assignment. To view the default assignment policy, check the IsDefault attribute, e.g.

Get-RoleAssignmentPolicy | Where { $_.IsDefault -eq $True }

Now, each mailbox-enabled user is assigned the default policy when created. You can verify this by inspecting the RoleAssignmentPolicy property using Get-Mailbox.

The assigned roles of this policy can be viewed using Get-ManagementRoleAssignment.

The ability to edit contact information lies in the MyContactInformation role. You can view a description of this role using:

Get-ManagementRole MyContactInformation | select Description

The output reads, “This role enables individual users to modify their contact information, including address and phone numbers.”

To remove this ability you have the option of removing the assignment or you can simply disable the assignment using Set-ManagementRoleAssignment, e.g.

Set-ManagementRoleAssignment -Identity "MyContactInformation-Default Role Assignment Policy" -Enabled $false 

Now after logging into OWA the contact information is view-only (despite the Edit button) and the Save option is gone.

Note that after performing this step, if you want to enable contact information for some users, you need to create a new RoleAssignmentPolicy, similar to the default one but with the MyContactInformation role, and assign that policy to those users. For example:

New-RoleAssignmentPolicy "Default Role Assignment Policy with Info"
Get-ManagementRoleAssignment -RoleAssignee "Default Role Assignment Policy" | New-ManagementRoleAssignment -Policy "Default Role Assignment Policy with Info"

You can use the same exercise to remove other unwanted functions, like the ability to create distribution groups (MyDistributionGroups) or to manage distribution group memberships (MyDistributionGroupMembership).
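
A read-only check to run after the change, added here as an example (not part of the original article): it reports, per role assignment policy, whether the self-service roles named above are assigned and enabled, and how many mailboxes use each policy. The function name Get-SelfServiceRoleState and the $rolesToCheck list are assumptions of this example.

```powershell
# Added example, read-only: run in the Exchange Management Shell.
# Self-service roles named in the article; adjust the list to your environment.
$rolesToCheck = 'MyContactInformation', 'MyDistributionGroups', 'MyDistributionGroupMembership'

function Get-SelfServiceRoleState {
    param([string[]]$Role = $rolesToCheck)

    # The policy that newly created mailboxes receive.
    $defaultPolicy = Get-RoleAssignmentPolicy | Where-Object { $_.IsDefault }

    foreach ($r in $Role) {
        # Only assignments made to role assignment policies, not to role groups or users.
        Get-ManagementRoleAssignment -Role $r -RoleAssigneeType RoleAssignmentPolicy |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Policy    = $_.RoleAssigneeName
                    IsDefault = ($_.RoleAssigneeName -eq $defaultPolicy.Name)
                    Role      = $r
                    Enabled   = $_.Enabled
                }
            }
    }
}

# A row with Enabled = True means users on that policy can still use the feature.
Get-SelfServiceRoleState | Sort-Object Policy, Role |
    Format-Table Policy, IsDefault, Role, Enabled -AutoSize

# Number of mailboxes per policy, to see how many users each row above affects.
Get-Mailbox -ResultSize Unlimited | Group-Object RoleAssignmentPolicy |
    Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
```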

Geek Out with Perry: RBAC

A new video was posted on Perry Clark’s blog where the general manager of Exchange talks about Role Based Access Control (RBAC).

RBAC Overview Sheet 1.2

I’ve updated the Role Based Access Control (RBAC) Overview sheet with information on Exchange 2010 SP1. You can download version 1.2 of the RBAC Overview sheet from here.

The sheet contains information on the default RBAC configuration of Exchange 2010 RTM and Exchange 2010 SP1 and a list of differences found between the two setups.

For information on how to use the sheet, consult the post on the initial release here.

For those interested, there were 39 changes introduced in Exchange SP1 Final compared to SP1 Beta. Below are the differences. A “-” means an RBAC entry is removed in SP1 Final, a “+” means it was added:

- Discovery Management,Legal Hold,Enable-Mailbox
+ Discovery Management,Mailbox Search,Get-MailboxExportRequest
+ Discovery Management,Mailbox Search,Get-MailboxExportRequestStatistics
+ Discovery Management,Mailbox Search,New-MailboxExportRequest
+ Discovery Management,Mailbox Search,Remove-MailboxExportRequest
+ Discovery Management,Mailbox Search,Set-MailboxExportRequest
+ Discovery Management,Mailbox Search,Suspend-MailboxExportRequest
- Organization Management,Exchange Virtual Directories,New-PowerShellVirtualDirectory
- Organization Management,Exchange Virtual Directories,Remove-PowerShellVirtualDirectory
- Organization Management,Exchange Virtual Directories,New-PowerShellVirtualDirectory
- Organization Management,Exchange Virtual Directories,Remove-PowerShellVirtualDirectory
- Organization Management,Legal Hold,Enable-Mailbox
- Organization Management,Legal Hold,Enable-Mailbox
- Organization Management,Mailbox Import Export,Export-Mailbox
- Organization Management,Mailbox Import Export,Import-Mailbox
+ Organization Management,Mailbox Search,Get-MailboxExportRequest
+ Organization Management,Mailbox Search,Get-MailboxExportRequestStatistics
+ Organization Management,Mailbox Search,New-MailboxExportRequest
+ Organization Management,Mailbox Search,Remove-MailboxExportRequest
+ Organization Management,Mailbox Search,Set-MailboxExportRequest
+ Organization Management,Mailbox Search,Suspend-MailboxExportRequest
+ Organization Management,Message Tracking,Resume-MailboxExportRequest
+ Organization Management,Message Tracking,Resume-MailboxExportRequest
+ Organization Management,Monitoring,Test-AssistantHealth
+ Organization Management,Monitoring,Test-SmtpConnectivity
+ Organization Management,Monitoring,Test-AssistantHealth
+ Organization Management,Monitoring,Test-SmtpConnectivity
+ Organization Management,View-Only Audit Logs,New-AdminAuditLogSearch
+ Organization Management,View-Only Audit Logs,New-MailboxAuditLogSearch
+ Organization Management,View-Only Audit Logs,New-AdminAuditLogSearch
+ Organization Management,View-Only Audit Logs,New-MailboxAuditLogSearch
+ Recipient Management,Message Tracking,Resume-MailboxExportRequest
+ Records Management,Message Tracking,Resume-MailboxExportRequest
- Server Management,Exchange Virtual Directories,New-PowerShellVirtualDirectory
- Server Management,Exchange Virtual Directories,Remove-PowerShellVirtualDirectory
+ Server Management,Monitoring,Test-AssistantHealth
+ Server Management,Monitoring,Test-SmtpConnectivity
+ View-Only Organization Management,Monitoring,Test-AssistantHealth
+ View-Only Organization Management,Monitoring,Test-SmtpConnectivity

Besides RBAC information, you may also find this list and the Overview Sheet useful for spotting new cmdlets and changes in functionality.
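
The same kind of comparison can be made against a live organization to spot RBAC changes after a service pack or an administrative change. The following is an added example, not the tooling used to build the sheet: it snapshots the configuration as RoleGroup,Role,Cmdlet rows and diffs two snapshots in the “+”/“-” notation of the list above. The function names are assumptions, and the sample rows are constructed for illustration.

```powershell
# Added example: snapshot and diff RBAC rows in "RoleGroup,Role,Cmdlet" form.
function Get-RbacSnapshot {
    # Emits one string per cmdlet granted to a role group through a role.
    foreach ($group in Get-RoleGroup) {
        # -Delegating $false: regular assignments only, not the right to assign the role.
        foreach ($assignment in Get-ManagementRoleAssignment -RoleAssignee $group.Name -Delegating $false) {
            foreach ($entry in Get-ManagementRoleEntry "$($assignment.Role)\*") {
                '{0},{1},{2}' -f $group.Name, $assignment.Role, $entry.Name
            }
        }
    }
}

function Compare-RbacSnapshot {
    param([string[]]$Baseline, [string[]]$Current)
    # '=>' marks a row present only in $Current (added), '<=' only in $Baseline (removed).
    Compare-Object -ReferenceObject ($Baseline | Sort-Object -Unique) `
                   -DifferenceObject ($Current | Sort-Object -Unique) |
        Sort-Object InputObject |
        ForEach-Object {
            if ($_.SideIndicator -eq '=>') { '+ ' + $_.InputObject } else { '- ' + $_.InputObject }
        }
}

# Constructed sample snapshots (not live output) so the diff can be tried offline.
$before = @(
    'Discovery Management,Legal Hold,Enable-Mailbox'
    'Help Desk,View-Only Recipients,Get-Mailbox'
    'Organization Management,Mailbox Import Export,Export-Mailbox'
)
$after = @(
    'Discovery Management,Mailbox Search,New-MailboxExportRequest'
    'Help Desk,View-Only Recipients,Get-Mailbox'
    'Organization Management,Monitoring,Test-SmtpConnectivity'
)
Compare-RbacSnapshot -Baseline $before -Current $after

# Against a live organization:
#   Get-RbacSnapshot | Sort-Object -Unique | Set-Content .\rbac-baseline.txt
#   Compare-RbacSnapshot (Get-Content .\rbac-baseline.txt) (Get-RbacSnapshot)
```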

RBAC Overview (RTM,SP1 Beta)

NOTE: The sheet has been updated after the release of SP1, a post containing a link to the updated sheet can be found here.

In an attempt to get more grip on and understanding of Exchange 2010’s Role Based Access Control, I created an Excel workbook for RBAC reference. Besides the default RBAC configuration of Exchange 2010 RTM and Exchange 2010 SP1 Beta, it also contains a list of differences found between the two setups.

Now for a quick word on how to use this thing.

The Exchange sheets contain RoleGroup, ManagementRoleAssignment, ManagementRole, ManagementRoleEntry and RoleEntry (cmdlet) information. The ManagementRoleAssignment and ManagementRoleEntry are hidden columns, because they only contain values linking the two pieces of information next to them together. You can unhide these if you wish, by selecting the sheet, right-clicking on it and selecting Unhide.

Now each row is a complete set of permissions: it states a unique RoleEntry + Role + RoleGroup combination, meaning that RBAC by default grants that RoleEntry to that Role to that RoleGroup. The nice thing is that you can use Excel’s data filter to filter results and see what cmdlets are available to a certain RoleGroup or which RoleGroup or Roles can use a certain cmdlet.

To use this function, select one of the Exchange sheets. On the top row containing the header you’ll notice a drop-down box. When clicking that drop-down box, it’ll show all entries in the table for that column and various options like sorting. Notice that in front of each unique entry in that column is a checkbox. By checking or unchecking this you can apply or remove a filter on that column. You can also combine filters. The “Select (All)” option lets you quickly (un)check all filtering options.

For example, by selecting only the RoleGroup “Help Desk”, you will see all entries for that RoleGroup:

Looking from the RoleEntry perspective, by filtering on a CmdLet, you can see what Roles and RoleGroups may perform a certain operation:

The 3rd sheet contains differences in RBAC configuration between Exchange 2010 RTM and Exchange 2010 SP1 Beta. A green row with a “!>” indicates a new RBAC entry for SP1 Beta; a red row with “<!” means the setting has been removed or became obsolete in 2010 SP1 Beta.

You can download the sheet RBAC_Overview_v11.xlsx from here. That isn’t the permanent location; I’m still looking for a location to host Excel files or ZIP files since WordPress won’t let me upload those. Also note that the file contains information based on Exchange 2010 SP1 Beta, which is subject to change in the final product.

Hope you find the RBAC information in this form useful. Feedback is appreciated (comment or e-mail).

Note: Whilst I was busy creating this workbook I noticed a guy from MS has already developed an Exchange 2010 RBAC Manager. You can use this not only to interactively browse the current RBAC configuration but you can also make changes. This excellent tool can be downloaded here.

Exchange 2010 Role Based Access Control

Those who are about to switch to Exchange 2010 from Exchange 2007 will encounter major changes (and challenges) in the Exchange permissions model. For those still on Exchange 2003 (or earlier ..), changes are more or less the same.

Exchange 2007

Before we dive into Exchange 2010 we’ll have a quick look at how permissions and delegations are managed in Exchange 2007. In Exchange 2007 we get the following security groups out of the box:

  • Exchange Organization Administrators;
  • Exchange Recipient Administrators;
  • Exchange Server Administrators;
  • Exchange View Only Administrators;
  • Exchange Public Folder Administrators.

That seems limited and very task oriented. Memberships are managed using the Exchange Management Console or through the cmdlets Add-ExchangeAdministrator, Get-ExchangeAdministrator and Remove-ExchangeAdministrator. Also, by default, Recipient Administrators get permissions on all recipients within the Exchange organization. Domain or OU delegations are possible, but require a little additional configuration (see http://technet.microsoft.com/en-us/library/bb232100.aspx).

Exchange 2010

Here comes Exchange 2010. New in Exchange is management of delegation and permissions through the so-called Role Based Access Control model, shortened to RBAC. RBAC is partially configurable through the RBAC User Editor (Exchange Management Console > Toolbox) or fully using cmdlets. The RBAC model is based on three pillars: Who, What and Where.

Who

The Who (not the band) determines which user (in RBAC users are represented by mailboxes) or group (Universal Security Group) receives permissions. This information is stored in Role Groups, which can be managed through the RoleGroup and RoleGroupMember cmdlets.

To create a new Role Group we use New-RoleGroup, e.g.:
New-RoleGroup "UM Pincode Resetter" -Roles "Reset UM Pin"

Users or groups can be added directly to the Role Group at creation time, or can be added by using Add-RoleGroupMember, e.g.:
Add-RoleGroupMember "UM Pincode Resetter" -Member Angelique

To manage a Role Group, one has to be a member of the Organization Management Role Group or be the manager of the Role Group as determined by the ManagedBy attribute. Pay attention, members of the Organization Management Role Group manage the Organization Management Role Group. You could create a situation where nobody is able to manage anything.

Take note that a Role Group is nothing else but a Universal Security Group with a special flag indicating the USG is a Role Group. In Active Directory, Role Groups are located in the Microsoft Exchange Security Groups OU.

What

The What decides what permissions are assigned by creating sets of cmdlets and parameters. This information is stored in RBAC’s Management Roles which can be managed through the ManagementRole and ManagementRoleEntry cmdlets.

Out of the box, Exchange 2010 knows about 65 Management Roles, which can be queried using:
Get-ManagementRole

The permissions of a Management Role can be retrieved through the Get-ManagementRole (Roles attribute) or through the Get-ManagementRoleEntry cmdlet:
Get-ManagementRoleEntry "UM Mailboxes\*"

What we see are all cmdlets and parameters available to the Management Role “UM Mailboxes”.

When creating our own Management Role, we need to specify an existing Management Role, the so-called parent:
New-ManagementRole -Name "Reset UM Pin" -Parent "UM Mailboxes"

Be advised that only custom Management Roles can be removed, and all permissions of a Management Role should be removed before the Management Role itself can be removed. By specifying the Recurse parameter in the Remove-ManagementRole cmdlet you can perform cascaded deletes of custom Management Roles with a parent-child relationship.

After creating the custom Management Role with initial settings taken from the parent, we can start adding or removing permissions. Be advised that Management Roles require at least one Management Role Entry. Also, in order for Set cmdlets to work, you should allow the Get counterparts, so we will start by removing all ManagementRoleEntry items but one:
Get-ManagementRoleEntry "Reset UM Pin\*" | where { $_.Name -ne "Get-UMMailboxPIN" } | Remove-ManagementRoleEntry

Next, we can add custom permissions using Add-ManagementRoleEntry:
Add-ManagementRoleEntry "Reset UM Pin\Set-UMMailboxPIN" -Parameters Identity,Pin,PinExpired,LockedOut

What might be helpful is that Get-ManagementRoleEntry can be used to retrieve all Management Roles which are allowed to execute certain cmdlets with what parameters, e.g.:
Get-ManagementRoleEntry "*\*" | where { $_.Name -eq "Set-User" }

Where

Where determines the scope, which can be anything from a certain group of users, a server or an Active Directory site to an Organizational Unit or the complete organization. RBAC has two types of scopes. The first type is Implicit scopes, which are scopes defined by the default Management Roles, e.g. Organization, MyGAL, Self, MyDistributionGroups, OrganizationConfig and None. The second type is Explicit scopes, which are predefined or custom scopes.

To view the scopes of a Management Role use the Get-ManagementRole, e.g.:
Get-ManagementRole "UM Mailboxes" | fl *scope*

As we can see, a Management Role has four scopes:

  • Recipient Read Scope: Which AD recipient objects one can read from;
  • Recipient Write Scope: Which AD recipient objects one can write to;
  • Configuration Read Scope: Which AD configuration objects one can read from;
  • Configuration Write Scope: Which AD configuration objects one can write to.

As said earlier, new Management Roles must be based on an existing Management Role. At creation time the new Management Role will inherit (i.e. copy) the original scopes from the parent, after which they can be changed. Also, remember that the Write scope must be equal to or smaller than the Read scope; you need to be able to Get things before you can Set things.

To create a custom scope use the New-ManagementScope cmdlet with one of the following, mutually exclusive, filters:

  • RecipientRestrictionFilter to filter Recipients. You can optionally specify the root using the RecipientRoot, otherwise it will apply to the whole organization;
  • ServerRestrictionFilter to filter Server objects;
  • ServerList to filter server names.

Examples:
New-ManagementScope -Name "NL Site" -ServerRestrictionFilter {ServerSite -eq "NL"}
New-ManagementScope -Name "Staff Secretaresses" -RecipientRoot "domain.local/Staff" -RecipientRestrictionFilter { memberofgroup -eq "cn=Secretaries,ou=Users,dc=domain,dc=local" }

For the filtering possibilities, the Exchange 2010 documentation refers to the Exchange 2007 documentation; see http://technet.microsoft.com/en-us/library/bb738155.aspx. For more background information on scopes, see http://technet.microsoft.com/en-us/library/dd335146%28EXCHG.140%29.aspx.

1+1+1=3

After defining the Who, What and Where we can start combining these elements by using Role Assignments. A Role Assignment is the link between a Role Group and a Management Role, with additional attributes like Recipient and Configuration Scopes.

Existing Role Assignments of a Role Group can be retrieved using Get-RoleGroup, e.g.:
Get-RoleGroup "UM management" | fl

The attribute RoleAssignment contains the current Role Assignments. All Role Assignments can be queried using Get-ManagementRoleAssignment, e.g.:
Get-ManagementRoleAssignment "UM Mailboxes-UM Management" | fl

As we can see, Microsoft used a combination of the ManagementRole and RoleGroup names to label Role Assignments. This is good practice and makes it easier to understand – and remember – which Role Assignment affects which Management Role and Role Group.

Using New-ManagementRoleAssignment we can assign a ManagementRole to a Role Group or other USG, a policy (more on this perhaps in another article) or user (mailbox), e.g.
New-ManagementRoleAssignment -Name "Reset UM Pin-UM Pincode Resetter" -Role "Reset UM Pin" -SecurityGroup "UM Pincode Resetter" -CustomRecipientWriteScope "Staff Secretaresses"
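
Once Who, What and Where are tied together, it is worth verifying who actually ends up holding a cmdlet and within which scope. The following read-only check is an added example, not part of the original article; it extends the Get-ManagementRoleEntry lookup shown earlier to the effective users behind each assignment. The function name Get-CmdletHolder is an assumption of this example.

```powershell
# Added example, read-only: run in the Exchange Management Shell.
function Get-CmdletHolder {
    param([Parameter(Mandatory = $true)][string]$Cmdlet)

    # "*\<cmdlet>" matches the entry in every Management Role that contains it.
    $entries = @(Get-ManagementRoleEntry "*\$Cmdlet")
    if (-not $entries) { return }   # no role carries this cmdlet

    $roles = $entries | ForEach-Object { [string]$_.Role } | Sort-Object -Unique

    foreach ($role in $roles) {
        # Regular (non-delegating) assignments, expanded to the users behind
        # role groups and other security groups.
        Get-ManagementRoleAssignment -Role $role -GetEffectiveUsers -Delegating $false |
            Where-Object { $_.Enabled } |
            Select-Object EffectiveUserName, RoleAssigneeName,
                @{ Name = 'Role'; Expression = { $role } },
                RecipientWriteScope, CustomRecipientWriteScope
    }
}

# What the custom role from the article still contains after trimming its entries.
Get-ManagementRoleEntry 'Reset UM Pin\*' | Format-Table Name, Parameters -AutoSize

# Everyone who can run Set-UMMailboxPIN, through which assignee, and in which write scope.
Get-CmdletHolder -Cmdlet 'Set-UMMailboxPIN' |
    Sort-Object EffectiveUserName |
    Format-Table -AutoSize
```

Users listed through a broader role, or with no custom write scope, hold the cmdlet outside the restriction set by the custom assignment.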

Conclusion

The Exchange 2010 RBAC model creates new opportunities for customers. Large companies, which probably already have complex delegation models in place, will like the more fine-grained controls to support business requirements. Their challenge lies in converting their existing model to the newly designed RBAC model. For smaller customers the default set of roles, groups, scopes and assignments might appear overwhelming at first, but will eventually be found an asset, as it supports a least-privilege security model and gets rid of the surplus of (Exchange) Administrators.