Microsoft Exchange Server 2013 : Role-based access control - Scopes

3/5/2014 3:27:36 AM

All RBAC roles have scopes to tell Exchange which objects can be accessed and updated by holders of the role. The implicit (preset) scopes Exchange supports are:

  • Recipient read scope. Determines the Active Directory recipient objects (users, groups, contacts) the holder can read. When Organization is shown in the recipient read or write scope, the holder has access to every object in the organization. The default role assignment policy for users has Self as its scope, meaning that the holder can update properties of his mailbox.

  • Recipient write scope. Determines the Active Directory recipient objects the holder can update, create, or delete.

  • Configuration read scope. Determines the Active Directory configuration objects (servers, databases, connectors, and so on) the holder can read. When OrganizationConfig is shown in the configuration read or write scope, the holder can access any object in the Exchange configuration data held in Active Directory.

  • Configuration write scope. Determines the Active Directory configuration objects the holder can create, update, or delete.

Logically, the implicit write scope assigned to a role is always equal to or less than the read scope to ensure that the holder of a role can never modify objects she cannot see.

In this example, you look at the scope of the Move Mailboxes role, which is required by anyone who wants to move a mailbox between databases:

Get-ManagementRole 'Move Mailboxes' | Format-List *Scope*

ImplicitRecipientReadScope  : Organization
ImplicitRecipientWriteScope : Organization
ImplicitConfigReadScope     : OrganizationConfig
ImplicitConfigWriteScope    : OrganizationConfig

The most important scopes are the implicit write scopes because these define the objects the cmdlets covered by the role can update. In this case, to move mailboxes, you need the ability to update the mailbox object afterward, so the recipient write scope is organization-wide. You also see that the role can read information from the organization’s configuration so that you can select any database in the organization as a target for the mailbox move. Note that you cannot change the implicit scopes for a management role because these scopes always apply and cannot be overridden.

If you create a new RBAC role, it has to be the child of an existing RBAC role, and it automatically inherits the scope of the parent role unless you define a new scope. A typical reason to do so is to allow users to update distribution groups they own without allowing them to create new groups. You can create new scopes as you create new roles, but a better technique is to define a scope once so that it is available to multiple roles. Exchange provides the New-ManagementScope cmdlet for this purpose. These custom scopes are called explicit because part of their definition is a filter setting out exactly which objects fall under the scope.

Scopes can be created so that roles are restricted to operate against specific servers, an OU, or a recipient filter such as the members of a distribution group. For example, this command creates a new scope based on a distribution group called Company Officers. You can even use a dynamic distribution group for this purpose.

New-ManagementScope -Name 'Company Officers' -RecipientRestrictionFilter {MemberOfGroup -eq "Company Officers"}
Get-ManagementScope 'Company Officers'

RecipientFilter      : MemberOfGroup -eq 'DC=Company Officers'
ServerFilter         :
DatabaseFilter       :
ScopeRestrictionType : RecipientScope
Exclusive            : False
ExchangeVersion      : 1.10 (14.1.90.0)
Name                 : Company Officers
DistinguishedName    : CN=Company Officers,CN=Scopes,CN=RBAC,CN=contoso,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com
Identity             : Company Officers
Guid                 : 906b4ad8-2e7d-4590-bb01-973f32043207

After they are created, scopes can be assigned to role groups by using the -CustomConfigWriteScope (for server and database scopes) and -CustomRecipientWriteScope (for recipient-based scopes) parameters.
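The following Exchange Management Shell session is an added example, not part of the original article, that ties the pieces together: it defines an explicit recipient scope, assigns the Move Mailboxes role through a role group with that custom write scope, and then verifies the effective scope per target rather than trusting the definition. The OU, group, member and mailbox names are assumed for illustration.

```powershell
# Added example (not from the original article): restrict 'Move Mailboxes' to one
# OU so helpdesk staff cannot move mailboxes that live outside it.
# Assumed names: OU 'contoso.com/Helpdesk Users', role group 'Helpdesk Mailbox
# Movers', member 'helpdesk1', mailbox 'alice' (inside the OU) and 'ceo' (outside).

# 1. Explicit recipient scope rooted at the OU. The filter further limits it to
#    user mailboxes, so contacts and groups under the OU stay out of scope.
New-ManagementScope -Name 'Helpdesk Users OU' `
    -RecipientRoot 'contoso.com/Helpdesk Users' `
    -RecipientRestrictionFilter { RecipientType -eq 'UserMailbox' }

# 2. Role group holding 'Move Mailboxes' with the custom recipient write scope.
#    The implicit OrganizationConfig read scope is untouched, so members can still
#    pick any target database; only the set of movable mailboxes is narrowed.
New-RoleGroup -Name 'Helpdesk Mailbox Movers' `
    -Roles 'Move Mailboxes' `
    -CustomRecipientWriteScope 'Helpdesk Users OU' `
    -Members 'helpdesk1' `
    -Description 'May move mailboxes only for users under the Helpdesk Users OU'

# 3. Inspect the resulting assignment: the read scope stays Organization (implicit),
#    while the write scope now comes from the custom scope.
Get-ManagementRoleAssignment -RoleAssignee 'Helpdesk Mailbox Movers' |
    Format-List Role, RecipientReadScope, RecipientWriteScope, CustomRecipientWriteScope

# 4. Per-target check: -WritableRecipient returns only the assignments whose write
#    scope actually covers that recipient, which is the question an auditor asks.
'alice', 'ceo' | ForEach-Object {
    $hits = Get-ManagementRoleAssignment -RoleAssignee 'Helpdesk Mailbox Movers' `
                -Role 'Move Mailboxes' -WritableRecipient $_
    '{0,-6} movable by Helpdesk Mailbox Movers: {1}' -f $_, [bool]$hits
}

# 5. Who ends up with the right, including nested group members.
Get-ManagementRoleAssignment -Role 'Move Mailboxes' -GetEffectiveUsers |
    Select-Object EffectiveUserName, RoleAssigneeName, RecipientWriteScope
```

Step 4 is the check worth keeping in a runbook: a scope that looks right in Get-ManagementScope can still be wider than intended if the filter or root was mistyped, and the -WritableRecipient query shows the outcome for a concrete object.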
