
Exchange 2013 Rights Management

2025-03-26 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/03 Report--

1. Definition

Role Based Access Control (RBAC) is the permission model of Microsoft Exchange Server 2013.

There are two types of roles:

Administrative roles: roles for users or groups that manage the Exchange organization.

End-user roles: roles for users who manage their own mailboxes and their own distribution groups.

Role groups allow you to grant the permissions of administrative roles to their members.

Role assignment policies provide different levels of permissions for roles.

A scope is the range of objects that a role assignment affects.

2. Relationship diagram

For a better understanding of the relationship between the components of Exchange, you can refer to the following figure.

2.1 Relationships among users, role groups, and roles

A role group combines Exchange roles (which define permissions) and AD members (groups or users in AD).

Roles and members are applied to the role group, and the management scope defines the range within which the role group's administrators can manage Exchange resources (users, Exchange databases, Exchange servers, Exchange features, and so on); they cannot manage anything outside that scope.

3. Permission rules

3.1 Built-in role groups

The built-in role groups come with predefined management functions and scope; basic permission management requirements can be met simply by adding AD objects as members of these groups.

Built-in role groups and their descriptions:

Organization Management: Administrators who are members of the Organization Management role group have administrative access to the entire Exchange 2013 organization and can perform almost any task on any Exchange 2013 object, with a few exceptions such as the Discovery Management role. Important: because the Organization Management role group is a powerful role, only users or USGs that perform organization-level administrative tasks which may affect the entire Exchange organization should be members of this role group.

View-Only Organization Management: Administrators who are members of the View-Only Organization Management role group can view the properties of any object in the Exchange organization.

Recipient Management: Administrators who are members of the Recipient Management role group have administrative access to create or modify Exchange 2013 recipients in the Exchange 2013 organization.

UM Management: Administrators who are members of the UM Management role group can manage features in the Exchange organization such as Unified Messaging (UM) service configuration, UM properties on mailboxes, UM prompts, and UM auto attendant configuration.

Help Desk: By default, the Help Desk role group allows members to view and modify Microsoft Office Outlook Web App options for any user in the organization. These options may include modifying the user's display name, address, and phone number. They do not include options that are not available in Outlook Web App options, such as modifying the mailbox size or configuring the mailbox database where the mailbox resides.

Hygiene Management: Administrators who are members of the Hygiene Management role group can configure the antivirus and anti-spam features of Exchange 2013. Third-party programs integrated with Exchange 2013 can add service accounts to this role group so that they can access the cmdlets required to retrieve and configure Exchange configuration.

Records Management: Users who are members of the Records Management role group can configure features to comply with xxx (such as retention policy tags, message classification, and transport rules).

Discovery Management: Administrators or users who are members of the Discovery Management role group can search mailboxes in the Exchange organization for data that meets certain criteria, and can configure legal holds on mailboxes.

Public Folder Management: Administrators who are members of the Public Folder Management role group can manage public folders on servers running Exchange 2013.

Server Management: Administrators who are members of the Server Management role group can configure server-specific configuration for transport, Unified Messaging, client access, and mailbox features such as database copies, certificates, transport queues and Send connectors, virtual directories, and client access protocols.

Delegated Setup: Administrators who are members of the Delegated Setup role group can deploy servers running Exchange 2013 that were previously provisioned by a member of the Organization Management role group.

Compliance Management: Users who are members of the Compliance Management role group can configure and manage Exchange compliance settings in accordance with their organization's policies.

3.2 built-in administrative roles

The built-in administrative roles in Exchange are already associated with the corresponding role groups and role assignment policies, and each administrative role contains a specific set of management functions.

The built-in administrative roles are listed below with their description and their scope type (Organization or Server).

Active Directory Permissions (Organization): Roles associated with this role type enable administrators to configure Active Directory permissions in the organization. Some of the features that use Active Directory permissions or access control lists (ACLs) include transport Receive and Send connectors as well as Send As and Send on Behalf permissions on mailboxes. Note: permissions that are set directly on Active Directory objects are not enforced through RBAC.

Address Lists (Organization): Roles associated with this role type enable administrators to manage address lists, global address lists (GALs), and offline address lists in the organization.

Application Impersonation (Organization): Roles associated with this role type enable applications to impersonate users in the organization in order to perform tasks on behalf of the user.

Archive Application (Organization): Roles associated with this role type enable partner applications to archive items to users' mailboxes in the organization.

Audit Logs (Organization): Roles associated with this role type enable administrators to manage administrator audit logging configuration in the organization.

Cmdlet Extension Agents (Organization): Roles associated with this role type enable administrators to manage cmdlet extension agents in the organization.

Data Loss Prevention (Organization): Roles associated with this role type enable administrators to create and manage data loss prevention (DLP) policies, and the rules within those policies, in the organization.

Database Availability Groups (Organization): Roles associated with this role type enable administrators to manage database availability groups (DAGs) in the organization. Administrators who are assigned this role directly or indirectly are the highest-level administrators responsible for the high availability configuration in the organization.

Database Copies (Server): Roles associated with this role type enable administrators to manage database copies on individual servers.

Databases (Server): Roles associated with this role type enable administrators to create, manage, mount, and dismount mailbox databases on individual servers.

Disaster Recovery (Organization): Roles associated with this role type enable administrators to restore mailboxes and mailbox databases, create mailbox databases, and perform database availability group datacenter switchovers and switchbacks in the organization.

Distribution Groups (Organization): Roles associated with this role type enable administrators to create and manage distribution groups and distribution group members in the organization.

Edge Subscriptions (Organization): Roles associated with this role type enable administrators to manage edge synchronization and subscription configuration between Exchange 2010 Edge Transport servers and Exchange 2013 Mailbox servers in the organization.

Email Address Policies (Organization): Roles associated with this role type enable administrators to manage e-mail address policies in the organization.

Exchange Connectors (Organization): Roles associated with this role type enable administrators to create, modify, view, and delete routing group connectors and delivery agent connectors.

Exchange Server Certificates (Server): Roles associated with this role type enable administrators to create, import, export, and manage Exchange server certificates on individual servers.

Exchange Servers (Server): Roles associated with this role type enable administrators to manage Exchange server configuration on individual servers.

Exchange Virtual Directories (Server): Roles associated with this role type enable administrators to manage the Outlook Web App, Microsoft ActiveSync, offline address book (OAB), Autodiscover, Windows PowerShell, and Exchange admin center virtual directories on individual servers.

Federated Sharing (Organization): Roles associated with this role type enable administrators to manage cross-forest and cross-organization sharing in the organization.

Information Rights Management (Organization): Roles associated with this role type enable administrators to manage the Information Rights Management (IRM) features of Exchange in the organization.

Journaling (Organization): Roles associated with this role type enable administrators to manage journaling configuration in the organization.

Legal Hold (Organization): Roles associated with this role type enable administrators to configure whether the data in a mailbox should be retained for the organization's litigation purposes.

Mailbox Import Export (Organization): Roles associated with this role type enable administrators to import and export mailbox content, and to purge unwanted content from mailboxes.

Mailbox Search (Organization): Roles associated with this role type enable administrators to search the contents of one or more mailboxes in the organization.

Mailbox Search Application (Organization): Roles associated with this role type enable partner applications to set and view the legal hold status of mailboxes in the organization.

Mail Enabled Public Folders (Organization): Roles associated with this role type enable administrators to configure whether individual public folders in the organization are mail-enabled or mail-disabled. Use this role type to manage only the e-mail properties of public folders. It does not let you manage public folder properties that are not e-mail properties; to manage those, you need the roles associated with the Public Folders role type.

Mail Recipient Creation (Organization): Roles associated with this role type enable administrators to create mailboxes, mail users, mail contacts, distribution groups, and dynamic distribution groups in the organization. Roles associated with this role type can be used together with roles associated with the Mail Recipients role type so that recipients can be both created and managed. This role type does not allow mail to be enabled for public folders; to mail-enable public folders, you need the role associated with the Mail Enabled Public Folders role type. If, in the split permissions model maintained by your organization, the group that creates recipients is different from the group that manages recipients, assign the Mail Recipient Creation role to the group that creates recipients and the Mail Recipients role to the group that manages them.

Mail Recipients (Organization): Roles associated with this role type enable administrators to manage existing mailboxes, mail users, mail contacts, distribution groups, and dynamic distribution groups in the organization. Roles associated with this role type cannot create these recipients, but they can be used together with roles associated with the Mail Recipient Creation role type to create and manage recipients. You cannot use these roles to manage mail-enabled public folders or distribution groups: to manage mail-enabled public folders you need the role associated with the Mail Enabled Public Folders role type, and to manage distribution groups you need the roles associated with the Distribution Groups role type. If, in the split permissions model maintained by your organization, the group that creates recipients is different from the group that manages recipients, assign the Mail Recipient Creation role to the group that creates recipients and the Mail Recipients role to the group that manages them.

MailTips (Organization): Roles associated with this role type enable administrators to manage MailTips in the organization.

Message Tracking (Organization): Roles associated with this role type enable administrators to track messages in the organization.

Migration (Server): Roles associated with this role type enable administrators to move mailboxes and mailbox content into or out of a server.

Monitoring (Organization): Roles associated with this role type enable administrators to monitor the availability of Microsoft Exchange services and components in the organization. In addition to administrators, roles associated with this role type can be used with the service account of a monitoring application to collect information about the status of Exchange servers.

Move Mailboxes (Organization): Roles associated with this role type enable administrators to move mailboxes between servers in the organization, and between servers in the local organization and other organizations.

Office Extension Application (Organization): Roles associated with this role type enable Microsoft Office extension applications to access user mailboxes in the organization.

Org Custom Apps (Organization): Roles associated with this role type enable administrators to view and modify their organization's custom apps.

Org Marketplace Apps (Organization): Roles associated with this role type enable administrators to view and modify their organization's marketplace apps.

Organization Client Access (Organization): Roles associated with this role type enable administrators to manage Client Access server settings in the organization.

Organization Configuration (Organization): Roles associated with this role type enable administrators to manage organization-wide settings. Organization configuration that can be controlled through this role type includes, but is not limited to, the following:

Whether MailTips are enabled or disabled for the organization.

The URL of the managed folder home page.

The Microsoft Exchange recipient SMTP address and alternate e-mail addresses.

Resource mailbox property schema configuration.

The Exchange admin center and Outlook Web App help URLs.

This role type does not include the permissions contained in the Organization Client Access or Organization Transport Settings role types.

Organization Transport Settings (Organization): Roles associated with this role type enable administrators to manage organization-wide transport settings, such as system messages, Active Directory site configuration, and other organization-wide transport settings. You cannot use this role type to create or manage transport Receive or Send connectors, queues, hygiene (security) settings, agents, remote and accepted domains, or rules. To create or manage each of these transport features, you need roles associated with the following role types:

Receive connectors: Receive Connectors

Send connectors: Send Connectors

Transport queues: Transport Queues

Transport hygiene (security) settings: Transport Hygiene

Transport agents: Transport Agents

Remote and accepted domains: Remote And Accepted Domains

Transport rules: Transport Rules

POP3 And IMAP4 Protocols (Server): Roles associated with this role type enable administrators to manage POP3 and IMAP4 configuration, such as authentication and connection settings, on individual servers.

Public Folders (Organization): Roles associated with this role type enable administrators to manage public folders in the organization. This role type does not let you manage whether public folders are mail-enabled; to enable or disable mail for public folders, you need the role associated with the Mail Enabled Public Folders role type.

Receive Connectors (Server): Roles associated with this role type enable administrators to manage transport Receive connector configuration, such as size limits, on individual servers.

Recipient Policies (Organization): Roles associated with this role type enable administrators to manage recipient policies, such as recipient settings and mobile device policies, in the organization.

Remote And Accepted Domains (Organization): Roles associated with this role type enable administrators to manage remote and accepted domains in the organization.

Reset Password (Organization): Roles associated with this role type enable users in the organization to reset their own passwords, and enable administrators to reset users' passwords.

Retention Management (Organization): Roles associated with this role type enable administrators to manage retention policies in the organization.

Role Management (Organization): Roles associated with this role type enable administrators to manage administrative role groups, role assignment policies, administrative roles, role entries, role assignments, and scopes in the organization. Users who are granted roles associated with this role type can override the ManagedBy setting of a role group, configure any role group, and add or remove members from any role group.

Security Group Creation And Membership (Organization): Roles associated with this role type enable administrators to create and manage USGs and their membership in the organization. If, in the split permissions model maintained by your organization, the group that creates and manages USGs is different from the group that manages Exchange servers, assign the roles associated with this role type to that group.

Send Connectors (Organization): Roles associated with this role type enable administrators to manage transport Send connectors in the organization.

Support Diagnostics (Organization): Roles associated with this role type enable administrators to perform advanced diagnostics in the organization under the guidance of Microsoft support personnel. Warning: roles associated with this role type grant permissions to cmdlets and scripts that should only be used under the guidance of Microsoft Customer Service and Support personnel.

Team Mailboxes (Organization): Roles associated with this role type enable administrators to define one or more site mailbox settings policies and to manage site mailboxes in the organization. Administrators assigned roles associated with this role type can manage site mailboxes that they do not own.

Team Mailbox Lifecycle Application (Organization): Roles associated with this role type enable partner applications to update the lifecycle status of site mailboxes in the organization.

Transport Agents (Organization): Roles associated with this role type enable administrators to manage transport agents in the organization.

Transport Hygiene (Organization): Roles associated with this role type enable administrators to manage anti-spam and anti-malware features in the organization.

Transport Queues (Server): Roles associated with this role type enable administrators to manage transport queues on individual servers.

Transport Rules (Organization): Roles associated with this role type enable administrators to manage transport rules in the organization.

UM Mailboxes (Organization): Roles associated with this role type enable administrators to manage the Unified Messaging (UM) configuration of mailboxes and other recipients in the organization.

UM Prompts (Organization): Roles associated with this role type enable administrators to create and manage custom UM voice prompts in the organization.

Unified Messaging (Organization): Roles associated with this role type enable administrators to manage Unified Messaging services in the organization. You cannot manage UM-specific mailbox configuration or UM prompts with this role type. To manage UM-specific mailbox configuration, use the roles associated with the UM Mailboxes role type; to manage UM prompts, use the roles associated with the UM Prompts role type.

Unscoped Role Management (Organization): Roles associated with this role type enable administrators to create and manage unscoped top-level administrative roles in the organization.

User Options (Organization): Roles associated with this role type enable administrators to view the Outlook Web App options of users in the organization. You can use these roles to help users diagnose problems with their configuration.

User Application (Organization): Roles associated with this role type enable partner applications to act on behalf of end users in the organization.

View-Only Audit Logs (Organization): Roles associated with this role type enable administrators to search the administrator audit logs in the organization.

View-Only Configuration (Organization): Roles associated with this role type enable administrators to view all non-recipient Exchange configuration settings in the organization. Examples of configuration that can be viewed are server configuration, transport configuration, database configuration, and organization-wide configuration. You can combine roles associated with this role type with those associated with the View-Only Recipients role type to create roles that can view every object in the organization.

View-Only Recipients (Organization): Roles associated with this role type enable administrators to view the configuration of recipients such as mailboxes, mail users, mail contacts, distribution groups, and dynamic distribution groups. You can combine roles associated with this role type with those associated with the View-Only Configuration role type to create roles that can view every object in the organization.

Workload Management (Organization): Roles associated with this role type enable administrators to manage workload management policies in the organization. Administrators can configure resource health definitions and workload classifications, and enable or disable workload management.

3.3 Custom scopes

OU scope

The OU scope is the simplest custom scope. It is created with the RecipientOrganizationalUnitScope parameter of the New-ManagementRoleAssignment cmdlet. When an OU scope is specified on a role assignment, the assignees of that role can only modify recipient objects within that OU.

Recipient filter scope

A recipient filter scope uses a filter to target specific recipients by recipient type or by other recipient properties (such as department, manager, location, and so on).

Configuration scope

A configuration scope targets specific servers, either by a list of servers or by filterable server properties such as the Active Directory site or the server role. A configuration scope can also target specific databases, by a database list or by filterable database properties.

For more details, please refer to the Microsoft official help documentation:

http://technet.microsoft.com/en-us/library/dd335146(v=exchg.150).aspx
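The three custom scope kinds from section 3.3, created in the Exchange Management Shell, as an added example that is not part of the original article. The role group names, OU path, filter values, site name and database names are assumptions chosen for illustration; the cmdlets and parameters are the standard Exchange 2013 ones.

```powershell
# Added example (not from the original article). All names used below
# (role groups, OU, site, databases) are assumed values for illustration.

# 1. OU scope: set directly on the role assignment with
#    -RecipientOrganizationalUnitScope. Members of the assigned role group can
#    only modify recipients located under contoso.com/Engineering/Users.
New-ManagementRoleAssignment -Name "Mail Recipients - Engineering OU" `
    -SecurityGroup "Engineering Recipient Admins" `
    -Role "Mail Recipients" `
    -RecipientOrganizationalUnitScope "contoso.com/Engineering/Users"

# 2. Recipient filter scope: a reusable scope object that selects recipients by
#    property. Here: user mailboxes whose Department attribute is "Finance".
New-ManagementScope -Name "Finance Mailboxes" `
    -RecipientRestrictionFilter { (RecipientType -eq 'UserMailbox') -and (Department -eq 'Finance') }

New-ManagementRoleAssignment -Name "Mail Recipients - Finance" `
    -SecurityGroup "Finance Mailbox Admins" `
    -Role "Mail Recipients" `
    -CustomRecipientWriteScope "Finance Mailboxes"

# 3. Configuration scope: limit a server-level role (Databases) to the servers
#    in one AD site. The site path format is an assumption for this example.
New-ManagementScope -Name "Datacenter A Servers" `
    -ServerRestrictionFilter { ServerSite -eq "contoso.com/Configuration/Sites/DatacenterA" }

New-ManagementRoleAssignment -Name "Databases - Datacenter A" `
    -SecurityGroup "Datacenter A Operators" `
    -Role "Databases" `
    -CustomConfigWriteScope "Datacenter A Servers"

# Database-scoped variant: the scope is an explicit list of databases.
New-ManagementScope -Name "HR Databases" -DatabaseList "DB-HR01", "DB-HR02"

# Before adding members, confirm what each assignment actually covers. A write
# scope of "Organization" on a role that was meant to be limited is the
# misconfiguration to catch here.
Get-ManagementRoleAssignment -RoleAssignee "Finance Mailbox Admins" |
    Format-List Name, Role, RecipientWriteScope, CustomRecipientWriteScope, ConfigWriteScope
```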

4. How to define and manage permissions

Permission management in Exchange 2013 is the process of associating "AD users" > "Exchange administrative groups" > "Exchange administrative roles" > "Exchange administrative scope".

The basic approach is as follows.

Example: user A should be able to manage the Exchange mailboxes of all users under the "MY" OU.

Create a group: first create an Exchange custom administrative group, "MY Manager".

Assign permissions: assign mailbox administrative permissions to the administrative group.

Associate a scope: define the scope of the administrative group as the "MY" OU.

Add the user: add user A to the administrative group.

Administrative rights can be assigned either through the Exchange admin center (EAC) or through the Exchange PowerShell command line (the Exchange Management Shell).

You can assign multiple Exchange administrative roles to each Exchange custom administration group to achieve the division of permissions for enterprise mail administrators.

4.1 How to configure custom permissions for users

4.1.1 Create role groups, assign scopes, and select users using the EAC

In the Exchange admin center (EAC), navigate to Permissions > Admin roles, and then click Add.

In the New Role Group window, provide a name for the new role group.

You can now select the roles you want to assign to the role group and the members you want to add to the role group, or you can do so at another time.

Select the write scope to apply to the new role group.

Click Save to create a role group.

4.1.2 Create role groups, assign scopes, and select users using the Exchange Management Shell

Role groups can be created with the New-RoleGroup cmdlet.

Example:

New-RoleGroup -Name "Limited Recipient Management" -Roles "Mail Recipients", "Mail Enabled Public Folders" -Members Kim, Martin -RecipientOrganizationalUnitScope contoso.com/Engineering/Users

This example creates the custom role group Limited Recipient Management (create group). The role group is assigned the Mail Recipients and Mail Enabled Public Folders roles (assign permissions), the users Kim and Martin are added as members (add users), and the write scope is limited to the contoso.com/Engineering/Users OU (associate scope). Kim and Martin can manage any recipient and reset the password of any user in the Users OU.
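Once the role group from the example above exists, the checks below show how to verify what its members can actually run and how to watch for changes to role group membership. This is an added example, not part of the original article; the role group name follows the article, and the 30-day window is an assumption.

```powershell
# Added example (not from the original article): verify the effective
# permissions of the role group created in section 4.1.2 and audit changes
# to it. The 30-day look-back window is an assumed value.

$group = "Limited Recipient Management"

# 1. Which roles does the group hold, and with what write scopes? The scope
#    columns are where an accidental organization-wide grant would show up.
Get-ManagementRoleAssignment -RoleAssignee $group |
    Format-Table Name, Role, RecipientWriteScope, ConfigWriteScope -AutoSize

# 2. Which cmdlets (role entries) do those roles expose to the members?
#    Role entry identities use the form "RoleName\CmdletName".
Get-ManagementRoleAssignment -RoleAssignee $group |
    ForEach-Object { Get-ManagementRoleEntry "$($_.Role)\*" } |
    Sort-Object Role, Name -Unique |
    Select-Object Role, Name

# 3. Current membership of the custom group, alongside the membership of the
#    all-powerful Organization Management group (keep the latter list short).
Get-RoleGroupMember $group
Get-RoleGroupMember "Organization Management"

# 4. Administrator audit log: who created role groups, changed role
#    assignments, or added/removed role group members in the last 30 days.
Search-AdminAuditLog -Cmdlets New-RoleGroup, Add-RoleGroupMember, Remove-RoleGroupMember, `
    New-ManagementRoleAssignment, Set-ManagementRoleAssignment `
    -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) |
    Select-Object RunDate, Caller, CmdletName, ObjectModified
```

Steps 1 and 2 are worth repeating whenever a role is added to a group: a role such as Role Management lets its holders modify any role group's membership, which is why the audit query in step 4 includes the membership cmdlets.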
