Make Role Based Access Control (RBAC) work for you - PowerPoint PPT Presentation

  • Uploaded on

Make Role Based Access Control (RBAC) work for you. Bhargav Shukla Director – Product Research and Innovation KEMP Technologies. MNG303. Agenda. Understanding RBAC RBAC in Exchange 2013 RBAC in Lync 2013 Real world deployment planning for RBAC. Understanding RBAC. History of RBAC.

Make Role Based Access Control (RBAC) work for you

Bhargav Shukla

Director – Product Research and Innovation

KEMP Technologies

Agenda

Understanding RBAC

RBAC in Exchange 2013

RBAC in Lync 2013

Real world deployment planning for RBAC

History of RBAC

Approach to restricting systems access to authorized users

The concept of RBAC at Microsoft goes back to 2003 or maybe even earlier

Anyone remember AzMan or Authorization Manager?

Separate location of security objects (Active Directory) and policy store (AzMan)

Provides granular permissions based on organizational requirements and not based on DACLs

History of RBAC

RBAC as we know it

Introduced in Exchange and Lync 2010

Simplifies access control administration

Removes dependency on AD administrators for routine tasks

Roles are closely mapped to the application (e.g. Exchange or Lync)

Provides the ability to grant granular permissions

Ability to control cmdlet and parameter level access

Better permission assignments than canned permission groups

RBAC in Exchange 2013

All Exchange 2013 tools are based on Remote PowerShell

Exchange Management Shell

Exchange Administration Center

All tools leverage

PowerShell v3.0

Windows Remote Management (WinRM)

Remote PowerShell through IIS

RBAC incorporated into the IIS Remote PowerShell implementation

This is why even local EMS goes through IIS!

RBAC in Exchange 2013

No dependency on a WinRM PowerShell listener

winrm enumerate winrm/config/Listener doesn't return any listener on Exchange 2013; the endpoint is the PowerShell virtual directory in IIS

Connect to Exchange remotely using PowerShell (replace <ExchangeServerFQDN> with the name of a Client Access server; the host name was not preserved in the transcript)

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://<ExchangeServerFQDN>/PowerShell/ -Authentication Kerberos

Import-PSSession $Session

Better than ACLs

RBAC provides a much more granular model than the canned permission groups of earlier versions

Exchange 2003 had 3 management groups

Exchange Full Administrator

Exchange Administrator

Exchange View-Only Administrator

Exchange 2007 had 5 management groups

Exchange Organization Administrator

Exchange Recipient Administrator

Exchange View-Only Administrator

Exchange Public Folder Administrator

Exchange Server Administrator

RBAC Components

[Diagram: a Role Group is linked to Role Entries (each one a "Cmdlet: Parameters" pair) and to the four management scopes: Recipient Read Scope, Configuration Read Scope, Recipient Write Scope, Configuration Write Scope]

RBAC Components

“What” – Roles/Cmdlets/Parameters

Management Roles

Group of cmdlets and parameters

Defines a job role

~83 pre-defined roles in Exchange 2013

Management Role Entries

Represents an individual cmdlet and its parameters

List Role Entries for a role

Get-ManagementRoleEntry "RoleName\*"

You can narrow the output to entries containing particular parameters with -Parameters, or to cmdlets versus scripts with -Type

RBAC Components

“What” – Roles/Cmdlets/Parameters

Creating new management roles

Parent-Child hierarchy

Built-In roles serve as a parent

Existing custom roles can also be used to create new roles

New “child” roles can be modified

Can remove entries

Can’t add entries parent role doesn’t have

In general, every new role must be created from existing role

There are always exceptions…

RBAC Components

“What” – Roles/Cmdlets/Parameters

Creating new management roles

The exception - “Unscoped Top Level” role

As the name implies:

No scope can be assigned

No parent can be assigned

Creates an empty role container

Must be member of “Unscoped Role Management” role to create one

Benefits of “Unscoped Top Level” role

Provide restricted access to business logic

Assign scripts to a role

Scripts reside on Exchange server

Users can run scripts as an exported cmdlet but can’t see or modify source

Users don’t need access to cmdlets that script runs

More details (links not preserved in the transcript): RBAC and Principle of Least Privilege; Unscoped Top Level Role
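The unscoped top-level role flow described above, as an added example that is not from the slides. It assumes an Exchange 2013 Management Shell session, a fictitious script Reset-HelpdeskMailboxQuota.ps1 that declares Identity and Quota parameters, and a role group named "Helpdesk Tier 1"; the role name is illustrative.

```powershell
# Added example (not from the slides). Assumes an Exchange 2013 Management Shell session,
# a fictitious script Reset-HelpdeskMailboxQuota.ps1 with parameters -Identity and -Quota,
# and an existing role group "Helpdesk Tier 1".

# 1. "Unscoped Role Management" is assigned to nobody by default; an Organization Management
#    member must grant it once before anyone can create unscoped top-level roles.
New-ManagementRoleAssignment -Role "Unscoped Role Management" -SecurityGroup "Organization Management"

# 2. Create the empty role container: no -Parent, and no scope can ever be attached to it.
New-ManagementRole -Name "Quota Reset Scripts" -UnScopedTopLevel

# 3. Scripts can only be added from the RemoteScripts folder of the Exchange installation,
#    and the file must exist on every server that serves the PowerShell virtual directory.
Copy-Item .\Reset-HelpdeskMailboxQuota.ps1 (Join-Path $env:ExchangeInstallPath "RemoteScripts")

# 4. Add the script as a role entry. Only the parameters listed here are exposed to assignees;
#    anything the script declares but is not listed is simply not available to them.
Add-ManagementRoleEntry "Quota Reset Scripts\Reset-HelpdeskMailboxQuota.ps1" -Parameters Identity, Quota -Type Script

# 5. Assign the role. Members run the script like an exported cmdlet, never see its source,
#    and need no access to Set-Mailbox themselves: the script executes server-side in the
#    Exchange Trusted Subsystem context, so the role is the only thing that gates it.
New-ManagementRoleAssignment -Role "Quota Reset Scripts" -SecurityGroup "Helpdesk Tier 1"

# Verify exactly what the group now sees.
Get-ManagementRoleEntry "Quota Reset Scripts\*" | Select-Object Name, Type, Parameters
```

The least-privilege point is step 5: the helpdesk gets one narrowly parameterised script instead of the whole Set-Mailbox cmdlet, and changing the script later changes what they can do without touching any assignment.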

RBAC Components

“Where” – Self/OU/Scope

Defined by RBAC management scope

Inherited from parent if none specified

Use ServerList (New-ManagementScope) to define server scopes

Use RecipientRoot to define an OU-rooted recipient scope

Use OPATH filters (RecipientRestrictionFilter, ServerRestrictionFilter) to define recipient or server restrictions

Use Exclusive to create an exclusive scope: objects it matches can be modified only by assignees of that exclusive scope, regardless of what other, non-exclusive scopes allow

Can't assign a scope outside of the implicit scope boundaries of the role

RBAC Components

“Who” – Admins/Users

Role Assignees

Can be direct assignment to a user

Commonly assignments are created for a group

Role Assignments for administrators

Role Assignment Policies for end users

Role Group Members

Role groups are located in the "Microsoft Exchange Security Groups" OU in AD

The New-RoleGroup cmdlet creates a new USG in that OU

The *-RoleGroupMember cmdlets (Add-, Remove-, Get-, Update-RoleGroupMember) manage role group membership

Use the BypassSecurityGroupManagerCheck parameter to bypass the group-owner check, e.g. when an admin who isn't listed as the group's manager needs to change its membership

RBAC Components

It is possible to move the "Microsoft Exchange Security Groups" OU to a different domain in the forest

The otherWellKnownObjects attribute of the Exchange organization object is updated when the OU is moved

Groups can also be moved to a different OU

Only moving all of the groups is supported; moving just a few of them is not

RBAC Components

Role assignment

The glue that connects Who/Where/What

A role and an assignee (role group, USG, user or role assignment policy) are required

Scope is optional

If no scope is defined, the assignment inherits the scope from the role


Creating custom RBAC roles in Exchange 2013
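A complete What/Where/Who walk-through, added here as an example that is not from the slides: derive a child role, prune it to cmdlet and parameter level, attach an OU-rooted scope and an exclusive scope, and connect them to role groups through role assignments. It assumes an Exchange 2013 Management Shell session run by an Organization Management member, a domain contoso.com with a "Sales" OU, and illustrative group and user names ("Sales Helpdesk Tier 1", "Executive Support", helpdesk.user, sales.user).

```powershell
# Added example (not from the slides). Assumes an Exchange 2013 Management Shell session run by
# an Organization Management member, the domain contoso.com with a "Sales" OU, and illustrative
# group/user names.

# ---- WHAT: a child role derived from the built-in "Mail Recipients" role ----
# A child can only lose entries; it can never gain a cmdlet or parameter its parent lacks.
New-ManagementRole -Name "Sales Helpdesk" -Parent "Mail Recipients"

# Drop every Set-* cmdlet except Set-Mailbox, but keep the *-ADServerSettings entries:
# the management shell depends on them and removing them breaks sessions for the assignees.
Get-ManagementRoleEntry "Sales Helpdesk\*" |
    Where-Object { $_.Name -like "Set-*" -and $_.Name -ne "Set-Mailbox" -and $_.Name -notlike "*-ADServerSettings" } |
    ForEach-Object { Remove-ManagementRoleEntry "Sales Helpdesk\$($_.Name)" -Confirm:$false }

# Parameter-level control: with neither -AddParameter nor -RemoveParameter, -Parameters
# replaces the entry's parameter list, so only these survive on Set-Mailbox.
Set-ManagementRoleEntry "Sales Helpdesk\Set-Mailbox" -Parameters Identity, IssueWarningQuota, ProhibitSendQuota, ProhibitSendReceiveQuota, UseDatabaseQuotaDefaults

# ---- WHERE: management scopes ----
# OU-rooted recipient scope; RecipientRoot must be combined with an OPATH restriction filter.
New-ManagementScope -Name "Sales OU" -RecipientRoot "contoso.com/Sales" -RecipientRestrictionFilter "RecipientType -eq 'UserMailbox'"

# Exclusive scope: once it exists, mailboxes it matches can be modified only through
# assignments that carry this exclusive scope, whatever other (non-exclusive) scopes allow.
New-ManagementScope -Name "Executive Mailboxes" -RecipientRestrictionFilter "CustomAttribute1 -eq 'Executive'" -Exclusive

# ---- WHO: role groups (USGs under "Microsoft Exchange Security Groups") ----
# New-RoleGroup -Roles creates the role assignment for you; the custom write scope rides on it.
New-RoleGroup -Name "Sales Helpdesk Tier 1" -Roles "Sales Helpdesk" -CustomRecipientWriteScope "Sales OU"
Add-RoleGroupMember "Sales Helpdesk Tier 1" -Member "helpdesk.user"

# Exclusive scopes can't be attached via New-RoleGroup; create the group empty and add the
# assignment explicitly (the assignment is the glue between role, assignee and scope).
New-RoleGroup -Name "Executive Support"
New-ManagementRoleAssignment -Role "Mail Recipients" -SecurityGroup "Executive Support" -ExclusiveRecipientWriteScope "Executive Mailboxes"

# ---- Verify before handing over ----
Get-ManagementRoleAssignment -RoleAssignee "Sales Helpdesk Tier 1" |
    Format-List Role, RoleAssigneeType, RecipientWriteScope, CustomRecipientWriteScope

# Who can actually write to a given mailbox once exclusive scopes are taken into account?
Get-ManagementRoleAssignment -WritableRecipient "sales.user" -GetEffectiveUsers |
    Select-Object Role, RoleAssigneeName, EffectiveUserName | Format-Table -AutoSize

# What the helpdesk can run, cmdlet by cmdlet, with the surviving parameters.
Get-ManagementRoleEntry "Sales Helpdesk\*" | Select-Object Name, Parameters
```

Run the two verification queries again from a session opened as helpdesk.user: the Set-Mailbox entry should show only the five parameters above, and Set-Mailbox against an executive mailbox should be refused even though the Sales OU scope would otherwise allow it.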

Watch out for…

Don't remove the *-ADServerSettings role entries (Get-ADServerSettings, Set-ADServerSettings) from custom roles; the management shell depends on them

Update RBAC scopes if moving an OU

RBAC behind the scenes

All tasks run under the security context of the Exchange server providing the PowerShell session

The Exchange servers are members of the Exchange Trusted Subsystem USG

The Exchange Trusted Subsystem USG has the permissions to carry out all Exchange tasks

RBAC determines the level of access given to the user

RBAC behind the scenes

What do you see in Active Directory audits when an object is created or changed?

Active Directory modifications are made by Exchange Trusted Subsystem, so AD audit events name the Exchange server rather than the admin; use the Exchange admin audit log for actions performed by admins
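Because the AD audit trail only shows the server, the admin audit log is where attribution lives. The following is an added example, not from the slides, of pulling the "who ran what against which object" view out of it; it assumes an Exchange 2013 Management Shell session, and the user jdoe, the 7-day window and the secops@contoso.com address are illustrative.

```powershell
# Added example (not from the slides). Assumes an Exchange 2013 Management Shell session;
# "jdoe", the date window and the report recipient are illustrative.

# Make sure the admin audit log is on and covers the cmdlets you care about ("*" = all).
Get-AdminAuditLogConfig | Format-List AdminAuditLogEnabled, AdminAuditLogCmdlets, AdminAuditLogParameters, AdminAuditLogAgeLimit

$since = (Get-Date).AddDays(-7)

# Every Set-Mailbox / Add-MailboxPermission run against jdoe in the window, whoever ran it.
$entries = Search-AdminAuditLog -Cmdlets Set-Mailbox, Add-MailboxPermission -ObjectIds "jdoe" -StartDate $since -EndDate (Get-Date)

# Flatten each entry to who / when / what / which parameters / from which server / outcome.
# Caller is the RBAC identity that issued the cmdlet; OriginatingServer is the Exchange
# server whose Exchange Trusted Subsystem context actually touched Active Directory.
$entries | ForEach-Object {
    [PSCustomObject]@{
        When       = $_.RunDate
        Caller     = $_.Caller
        Cmdlet     = $_.CmdletName
        Object     = $_.ObjectModified
        Parameters = ($_.CmdletParameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join "; "
        Server     = $_.OriginatingServer
        Succeeded  = $_.Succeeded
    }
} | Sort-Object When -Descending | Format-Table -AutoSize

# For a longer investigation, have Exchange build and mail the report asynchronously.
New-AdminAuditLogSearch -Name "Set-Mailbox changes, last 7 days" -Cmdlets Set-Mailbox -StartDate $since -EndDate (Get-Date) -StatusMailRecipients "secops@contoso.com"
```

Correlate the Caller and When columns with the AD directory-service audit events on the domain controller (which will show the server's computer account) to get a complete chain from admin to directory change.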

RBAC split permissions

Permissions to create security principals controlled by RBAC

Only Exchange servers, services and members of appropriate groups can create security principals

Switching to RBAC Split Permissions is a manual process

To implement -

To Remove -

Active Directory split permissions to implement during or after install

Microsoft Exchange Protected Groups OU is created

Exchange Windows Permissions group is created or moved to that OU

Exchange Trusted Subsystem (ETS) isn't added to the Exchange Windows Permissions (EWP) group

ACEs for the EWP group aren't added to the AD domain object

Non-delegating assignments are not created for the Mail Recipient Creation and Security Group Creation and Membership roles

More details -

Split permissions

Using RBAC

Separate who can create security principals from those who administer Exchange configuration

Simplified process while maintaining separation

Can use Exchange management tools

Allow Exchange Servers and services to create security principals

Using Active Directory

Separation of roles as well as tools

Several changes are made to permissions granted to ETS and Exchange Servers

Can’t use Exchange management tools to create security principals

Can’t manage DG membership from Exchange management tools
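The two switches, as an added example that is not from the slides: the documented cmdlet sequence for turning RBAC split permissions on and off, and the Setup switch for Active Directory split permissions. It assumes an Exchange 2013 Management Shell session run by an Organization Management member and an illustrative role group name "AD Account Admins".

```powershell
# Added example (not from the slides). Assumes an Exchange 2013 Management Shell session run by
# an Organization Management member; "AD Account Admins" is an illustrative group name.

# ---------------- RBAC split permissions: implement ----------------
# 1. Give the two roles that create security principals to a group the AD team controls.
New-RoleGroup -Name "AD Account Admins" -Roles "Mail Recipient Creation", "Security Group Creation and Membership"

# 2. Remove only the regular (non-delegating) assignments of those roles from the Exchange
#    role groups. Keep the delegating ones: they let Organization Management hand the roles
#    out, but do not let its members run the cmdlets themselves.
Get-ManagementRoleAssignment -Role "Mail Recipient Creation" -RoleAssignee "Organization Management" -Delegating $false | Remove-ManagementRoleAssignment
Get-ManagementRoleAssignment -Role "Security Group Creation and Membership" -RoleAssignee "Organization Management" -Delegating $false | Remove-ManagementRoleAssignment
Get-ManagementRoleAssignment -Role "Mail Recipient Creation" -RoleAssignee "Recipient Management" -Delegating $false | Remove-ManagementRoleAssignment

# 3. Check: nobody outside the new group should hold a regular assignment of either role.
Get-ManagementRoleAssignment -Role "Mail Recipient Creation", "Security Group Creation and Membership" -Delegating $false |
    Select-Object Role, RoleAssigneeName, RoleAssigneeType

# ---------------- RBAC split permissions: remove (back to shared permissions) ----------------
New-ManagementRoleAssignment -Role "Mail Recipient Creation" -SecurityGroup "Organization Management"
New-ManagementRoleAssignment -Role "Security Group Creation and Membership" -SecurityGroup "Organization Management"
New-ManagementRoleAssignment -Role "Mail Recipient Creation" -SecurityGroup "Recipient Management"
Remove-RoleGroup "AD Account Admins"

# ---------------- Active Directory split permissions ----------------
# Run from the Exchange 2013 installation media, then restart every Exchange server.
# Same switch with :false reverts to shared permissions.
.\Setup.exe /PrepareAD /ActiveDirectorySplitPermissions:true /IAcceptExchangeServerLicenseTerms
```

With RBAC split, the Exchange tools still work for the AD team because Exchange servers and services keep their rights; with AD split, New-Mailbox and distribution group membership changes from the Exchange tools fail by design, so the AD team must create the principal first.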

RBAC in Lync 2013

Access granted based on user’s Lync Server role

Allows administrators to delegate precisely the rights needed

Restrictions are effective only on remote connections

RBAC does not apply to local connection on server

Must use Lync Server Control Panel, Lync Server Management Shell or remote PowerShell session

RBAC in Lync 2013

Connect remotely using PowerShell

$cred = Get-Credential "Domain\Lync_Administrator"

$session = New-PSSession -ConnectionUri "https://LyncServer/OcsPowershell" -Credential $cred

Import-PSSession $session

How it differs from Exchange 2013

Scope is limited to

Configuration scope "site:SiteID"

User scope "OU:OU path"

Role group members

Members of universal security groups

No cmdlet for managing role members; membership is managed on the AD group itself

New role creation

Not as granular as Exchange: cmdlet level only, can't control parameter-level access

Role definitions are stored in the Central Management Store (CMS); Exchange stores them in AD


Creating custom RBAC roles in Lync 2013
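The Lync side of the comparison, as an added example that is not from the slides: a scoped custom role cloned from a built-in template, with membership handled through the AD group because Lync has no role-member cmdlet. It assumes a Lync Server 2013 Management Shell with the ActiveDirectory module available, an OU "OU=Helpdesk Users,DC=contoso,DC=com", an OU for the admin groups, site ID 1, and the illustrative names CsHelpDeskContoso and helpdesk.user.

```powershell
# Added example (not from the slides). Assumes a Lync Server 2013 Management Shell, the
# ActiveDirectory module, the OUs and site ID below, and illustrative group/user names.

# Lync resolves a role to the universal security group whose SamAccountName equals the
# role's Identity, so the group must exist first; New-CsAdminRole will not create it.
New-ADGroup -Name "CsHelpDeskContoso" -SamAccountName "CsHelpDeskContoso" -GroupScope Universal -GroupCategory Security -Path "OU=Lync Admin Groups,DC=contoso,DC=com"

# Clone the built-in CsHelpDesk template and restrict it to one OU and one site.
# Scopes are the only two kinds Lync knows: "OU:<DN>" for users, "site:<ID>" for config.
New-CsAdminRole -Identity "CsHelpDeskContoso" -Template "CsHelpDesk" -UserScopes "OU:OU=Helpdesk Users,DC=contoso,DC=com" -ConfigScopes "site:1"

# Membership is plain AD group membership; there is no Add-Cs*Member cmdlet.
Add-ADGroupMember -Identity "CsHelpDeskContoso" -Members "helpdesk.user"

# Inspect the result: a cmdlet-level allow list, but nothing at parameter level as in Exchange.
Get-CsAdminRole -Identity "CsHelpDeskContoso" | Select-Object Identity, Template, UserScopes, ConfigScopes, Cmdlets
```

Test the restriction through a remote session (the New-PSSession/Import-PSSession sequence above) as helpdesk.user, not by logging on to the Front End server: Lync RBAC is enforced only on remote connections, so a local shell on the server would not show the limits.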

Deployment planning

Understanding of organizational structure

Understanding of Job roles

Mapping Job roles to Built-in Management roles

Documenting Permissions requirement

Creating repeatable process and supporting documentation


RBAC planning process
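The planning steps above can be driven from the shell rather than from a spreadsheet. The following is an added example, not from the slides: it maps job roles (expressed as the cmdlets and parameters they need) to the built-in management roles that already contain them, exports the current assignment baseline as the permissions document, and adds one repeatable check. It assumes an Exchange 2013 Management Shell session; the job-role table is constructed for illustration.

```powershell
# Added example (not from the slides). Assumes an Exchange 2013 Management Shell session.
# The job-role table is constructed for illustration.

# Steps 1-3: describe each job role by what it must be able to run, then ask Exchange which
# built-in roles already contain that cmdlet with all of those parameters.
$jobRoles = @{
    "Helpdesk Tier 1" = @(
        @{ Cmdlet = "Set-Mailbox";           Parameters = "Identity", "ProhibitSendQuota", "IssueWarningQuota" },
        @{ Cmdlet = "Get-MailboxStatistics"; Parameters = "Identity" }
    )
    "Distribution List Owners" = @(
        @{ Cmdlet = "Add-DistributionGroupMember"; Parameters = "Identity", "Member" }
    )
}

$mapping = foreach ($job in $jobRoles.Keys) {
    foreach ($need in $jobRoles[$job]) {
        $roles = Get-ManagementRole -Cmdlet $need.Cmdlet -CmdletParameters $need.Parameters
        [PSCustomObject]@{
            JobRole        = $job
            Cmdlet         = $need.Cmdlet
            Parameters     = $need.Parameters -join ","
            CandidateRoles = ($roles | Select-Object -ExpandProperty Name) -join "; "
        }
    }
}
$mapping | Format-Table -AutoSize
# A job role whose cmdlets all land in one built-in role needs no custom role; one that
# needs a subset of a role's parameters is the case for a pruned child role.

# Step 4: document the current state (role, assignee, effective users, scopes) as a
# dated baseline; diff it after each change to keep the documentation honest.
Get-ManagementRoleAssignment -GetEffectiveUsers |
    Select-Object Role, RoleAssigneeName, RoleAssigneeType, EffectiveUserName, RecipientWriteScope, CustomRecipientWriteScope, ConfigWriteScope |
    Export-Csv -NoTypeInformation -Path ".\rbac-baseline-$(Get-Date -Format yyyyMMdd).csv"

# Step 5: one repeatable check. Direct-to-user assignments bypass role groups and are where
# ad-hoc grants accumulate; the planned state should normally have none.
Get-ManagementRoleAssignment |
    Where-Object { $_.RoleAssigneeType -eq "User" } |
    Select-Object Name, Role, RoleAssigneeName, RecipientWriteScope
```

Keep the CSV and the two queries in source control alongside the scripts that create the custom roles; that pairing is the "repeatable process and supporting documentation" the slide asks for.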

Key Takeaways

RBAC provides granular control over permissions

Separates policy storage from security object storage

Permissions map closely to application and user requirements

Plan requirements and create custom roles to provide least access based on job roles