RBAC for users in Specific Database

    Question

  • Hello guys

    Exchange 2010 SP1/ 

    Here is my requirement. 

    We have 3 databases: VIP, Normal Users, accounts. I have created a user group called "Help Desk". They should be able to modify the user attributes (such as Display Name) only for users inside Normal Users.

    They should not be able to make any changes for users inside VIP.

    How can we do this?

    regards 

    Wednesday, August 21, 2013 5:48 PM

Answers

  • Yes dear, you can use a database list.

    A database list scope enables you to create a scope that applies only to the databases you specify in a list.

    Here is the syntax:

    New-ManagementScope -Name <scope name> -DatabaseList <database 1>, <database 2...>

    One thing to note:

    You can't change the list of databases on a scope. If you need to change the database list, you need to do the following:

    1. If needed, retrieve the current database list in the scope to be replaced by
    2. Create a scope with the new database list
    3. Change all the management role assignments that use the old scope to use the new scope
    4. Remove the old scope

    Hope it is clear now.


    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

    Thursday, August 22, 2013 2:52 AM
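
The four-step scope replacement listed in the answer above, as an added example for the Exchange Management Shell (not part of the original post). The old scope name is taken from a reply in this thread; the new scope name and the new database list are assumptions.

```powershell
# Added example: swap a database list scope for a new one without leaving
# any role assignment pointing at the old scope.
$oldScope  = 'NormalUserScope'            # existing scope (name used in this thread)
$newScope  = 'NormalUserScope-v2'         # hypothetical name for the replacement
$databases = 'Normal Users', 'accounts'   # hypothetical new database list

# Step 1: record what the old scope covers before touching anything.
Get-ManagementScope -Identity $oldScope |
    Format-List Name, ScopeRestrictionType, *Filter

# Step 2: create the replacement scope with the new database list.
New-ManagementScope -Name $newScope -DatabaseList $databases

# Step 3: find every role assignment that uses the old scope and re-point it.
$assignments = @(Get-ManagementRoleAssignment -CustomConfigWriteScope $oldScope)
$assignments |
    Format-Table Name, Role, RoleAssigneeName, CustomConfigWriteScope -AutoSize

foreach ($assignment in $assignments) {
    Set-ManagementRoleAssignment -Identity $assignment.Name `
        -CustomConfigWriteScope $newScope
}

# Step 4: remove the old scope only after confirming nothing still uses it.
$remaining = @(Get-ManagementRoleAssignment -CustomConfigWriteScope $oldScope)
if ($remaining.Count -eq 0) {
    Remove-ManagementScope -Identity $oldScope   # prompts for confirmation
} else {
    Write-Warning "$($remaining.Count) assignment(s) still use '$oldScope'; scope not removed."
    $remaining | Format-Table Name, RoleAssigneeName -AutoSize
}
```

Reviewing the table printed in step 3 shows exactly which role groups gain the new database list before the change is made.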

All replies

  • Hi ,

    First, I recommend you upgrade to SP2 or SP3.

    Now, if you have SP1, no problem; you can still implement RBAC for users in a specific database.

    Step 1: Create a database scope

    New-ManagementScope -Name "NormalUserScope" -DatabaseRestrictionFilter { Name -Like 'Normal Users' }


    Step 2: Create a role group, assign it the "Mail Recipients" role and add the Help Desk member to it

    
    
    New-RoleGroup -Name "NormalUserGroup" -Roles "mail recipients" -Members HelpDesk -CustomConfigWriteScope "NormalUserScope"

    Now, the HelpDesk member can only edit mailboxes under the Normal Users database.

    Please see the link below for more info (see configuration scope especially):

    http://technet.microsoft.com/en-us/library/dd335146(v=exchg.141).aspx

    Hope it helps.





    • Edited by Tarique Noorain Wednesday, August 21, 2013 6:43 PM some changes
    Wednesday, August 21, 2013 6:41 PM
  • Hi

    Thanks for the update.

    Can we use Database List instead of DatabaseRestrictionFilter?

    regards

    Thursday, August 22, 2013 12:32 AM
  • Hi,

    The user groups are in the separate databases, so we can use the “DatabaseList” parameter to achieve your requirement.

    Thanks

    Mavis

    Thursday, August 22, 2013 8:10 AM
  • Hello,

    For recipient restrictions you should use recipient filter scopes, not the Database List.

    Regards

    Chinthaka


    Chinthaka Shameera | MCITP: EA | MCSE: M | http://howtoexchange.wordpress.com/

    Monday, August 26, 2013 6:33 AM