All RBAC roles have scopes to tell Exchange which objects
can be accessed and updated by holders of the role. The implicit
(preset) scopes Exchange supports are:
Recipient read scope. Determines the Active Directory recipient objects (users, groups, contacts) the holder can read. When Organization is shown in the recipient read or write scope, the holder has access to every object in the organization. The default role assignment policy for users has Self as its scope, meaning that the holder can update properties of his own mailbox.

Recipient write scope. Determines the Active Directory recipient objects the holder can update, create, or delete.

Configuration read scope. Determines the Active Directory configuration objects (servers, databases, connectors, and so on) the holder can read. When OrganizationConfig is shown in the configuration read or write scope, the holder can access any object in the Exchange configuration data held in Active Directory.

Configuration write scope. Determines the Active Directory configuration objects the holder can create, update, or delete.
Logically,
the implicit write scope assigned to a role is always equal to or less
than the read scope to ensure that the holder of a role can never
modify objects she cannot see.
In this example, you look at the
scope of the Move Mailboxes role, which is required by anyone who wants
to move a mailbox between databases:
Get-ManagementRole 'Move Mailboxes' | Format-List *Scope*
ImplicitRecipientReadScope : Organization
ImplicitRecipientWriteScope : Organization
ImplicitConfigReadScope : OrganizationConfig
ImplicitConfigWriteScope : OrganizationConfig
The
most important scopes are the implicit write scopes because these
define the objects the cmdlets covered by the role can update. In this
case, to move mailboxes, you need the ability to update the mailbox
object afterward, so the recipient write scope is organization-wide.
You also see that the role can read information from the organization’s
configuration so that you can select any database in the organization
as a target for the mailbox move. Note that you cannot change the
implicit scopes for a management role because these scopes always apply
and cannot be overridden.
If you create a new RBAC role, it has to be the child of an existing RBAC
role and automatically inherits the scope of the parent role unless you
define a new scope. You might define a new scope, for example, to allow
users to update distribution groups they own without allowing them to
create new groups. You can create new scopes as you create new roles, but
a better technique is to define a scope once so that it is available to
multiple roles. Exchange provides the New-ManagementScope cmdlet for this
purpose. These custom scopes are called explicit because part of their
definition is a filter setting out exactly which objects fall under the scope.
Scopes
can be created so that roles are restricted to operate against specific
servers, an OU, or a recipient filter such as the members of a
distribution group. For example, this command creates a new scope based
on a distribution group called Company Officers. You can even use a
dynamic distribution group for this purpose.
New-ManagementScope -Name 'Company Officers' -RecipientRestrictionFilter {MemberOfGroup -eq "Company Officers"}
Get-ManagementScope 'Company Officers'
RecipientFilter : MemberOfGroup -eq 'DC=Company Officers'
ServerFilter :
DatabaseFilter :
ScopeRestrictionType : RecipientScope
Exclusive : False
ExchangeVersion : 1.10 (14.1.90.0)
Name : Company Officers
DistinguishedName : CN=Company Officers,CN=Scopes,CN=RBAC,CN=contoso,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com
Identity : Company Officers
Guid : 906b4ad8-2e7d-4590-bb01-973f32043207
After they are created, scopes can be assigned to role groups by using the
-CustomConfigWriteScope (for server and database scopes) and
-CustomRecipientWriteScope (for recipient-based scopes) parameters.
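The following Exchange Management Shell script is an added example, not code from the book: it creates the Company Officers scope from the text (writing the filter with the group's distinguished name, which MemberOfGroup compares against), assigns the Move Mailboxes role to a role group restricted to that scope, and then reports every assignment of the role whose effective recipient write scope is still organization-wide. The role group name Officer Mailbox Movers and the member helpdesk1 are assumptions.

```powershell
# Added example (not from the book). Run in the Exchange Management Shell
# as a member of Organization Management.
$scopeName = 'Company Officers'             # scope and group names from the text
$roleGroup = 'Officer Mailbox Movers'       # assumed role group name
$member    = 'helpdesk1'                    # assumed member

# 1. Define the explicit recipient scope once so several roles can reuse it.
#    MemberOfGroup is compared against the group's distinguished name.
if (-not (Get-ManagementScope $scopeName -ErrorAction SilentlyContinue)) {
    $groupDN = (Get-DistributionGroup $scopeName).DistinguishedName
    New-ManagementScope -Name $scopeName `
        -RecipientRestrictionFilter "MemberOfGroup -eq '$groupDN'"
}

# 2. Assign Move Mailboxes to a role group, narrowed by the custom recipient
#    write scope. The role's implicit Organization write scope is unchanged;
#    the custom scope restricts only this assignment's holders.
if (-not (Get-RoleGroup $roleGroup -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $roleGroup -Roles 'Move Mailboxes' `
        -CustomRecipientWriteScope $scopeName -Members $member
}

# 3. Audit: which assignees of Move Mailboxes can still update mailboxes
#    anywhere in the organization? Those are the ones to review first.
function Get-MoveMailboxesScopeReport {
    Get-ManagementRoleAssignment -Role 'Move Mailboxes' -Enabled $true |
        ForEach-Object {
            [pscustomobject]@{
                Assignee       = $_.RoleAssigneeName
                AssigneeType   = $_.RoleAssigneeType
                RecipientWrite = $_.RecipientWriteScope
                CustomScope    = $_.CustomRecipientWriteScope
                OrgWide        = ($_.RecipientWriteScope -eq 'Organization')
            }
        }
}

Get-MoveMailboxesScopeReport |
    Sort-Object OrgWide -Descending |
    Format-Table -AutoSize
```

The new role group appears in the report with RecipientWrite set to CustomRecipientScope and CustomScope set to Company Officers, while the built-in Organization Management and Recipient Management assignments remain flagged OrgWide.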