RBAC - RoleGroup and ManagementRoleAssignment

  • Question

  • Hi All,

    I'm a bit confused with RoleGroup and ManagementRoleAssignment. Correct me if I'm wrong:

    • With New-RoleGroup I can create a new role group, to which I can assign a management role and a management scope. That creates a management role assignment (is the name created by some convention by default for the role assignment)?
    • New-ManagementRoleAssignment does the same thing, but here I can define the name of the role assignment?

    Is there a difference between these two methods? I know that with New-ManagementRoleAssignment I can assign a management role directly to a user, but is there some other reason why I should use one or the other method?

    Thanks

    Zarko

    Saturday, April 14, 2012 8:48 PM

All replies

  • There are three ways that permissions can be assigned:

    Management role groups
    Management role assignment policies
    Direct user role assignment - New-managementroleassignment

    The first two methods listed above, namely management role groups and management role assignment policies, are the main methods used to assign permissions using RBAC. The direct user role assignment method is considered an advanced method.

    Direct role assignment is an advanced method for assigning management roles directly to a user or USG without using a role group or role assignment policy. Direct role assignments can be useful when you need to provide a granular set of permissions to a specific user and no others. However, using direct role assignments can significantly increase the complexity of your permissions model. If a user changes jobs or leaves the company, you need to manually remove the assignments and add them to the new employee. We recommend that you use role groups to assign permissions to administrators and specialist users, and role assignment policies to assign permissions to users.

    http://technet.microsoft.com/en-us/library/dd298183.aspx


    Hasnain Shaikh | My blogs: http://messagingserversupport.com

    Sunday, April 15, 2012 3:41 AM
  • Hello Hasnain,

    Thanks for the response, but that wasn't my question. : )

    Zarko

    Sunday, April 15, 2012 8:00 AM
  • See if the below helps you in understanding; I tried to cover it in simple words.

    http://www.exchangedictionary.com/index.php/Articles/role-based-access-control-exchange-2010.html

    Let me try to put it in simple words here:

    Role Assignment - is the link between a management role and a role assignment policy; the assignment policy then applies to the user or role group.

    Role Group - clubbing more than one role together using role assignments (policy). You can add members to the role group to grant the combined permissions.

    http://www.exchangedictionary.com/index.php/Articles/rbac-management-role-assignment-policy.html

    It is a little logical; try doing it in labs and you will easily understand.

    As you asked, the reason is that when you want to grant permission to only one user you may use an assignment policy. But if you wish to grant the same level of permission to multiple users, then use role groups for easy management in the long run.

    -Praveen


    Praveen Balan |MCITP - Exchange Server 2010 | Exchange Dictionary(www.exchangedictionary.com)


    • Edited by Praveen Balan Sunday, April 15, 2012 1:59 PM added points
    • Proposed as answer by Gavin-Zhang Monday, April 16, 2012 9:33 AM
    • Marked as answer by ZarkoC Tuesday, April 17, 2012 7:51 AM
    Sunday, April 15, 2012 1:55 PM
  • Hi Zarkoc,

    The replies above gave some good suggestions; if you still have questions, please feel free to let us know.

    Regards!

    Gavin

    TechNet Community Support

    Monday, April 16, 2012 9:13 AM
  • Hi,

    So if I understand it correctly, for a RoleGroup I can define more management roles at once. That then creates management role assignments for each management role that I defined for the role group?

    If I'm going to use the New-ManagementRoleAssignment cmdlet, I have to define in each cmdlet one role that the role group will be assigned, because the role assignment connects the role group with one management role and a management scope?

    Tnx

    Zarko

    Tuesday, April 17, 2012 6:50 AM
  • Yes, each role assignment assigns one role with the scopes (either explicit or Org Wide).

    When you give multiple role names when creating a role group, it in turn creates an assignment for each role specified in the creation cmdlet.

    Hope it is clear.


    Praveen Balan |MCITP - Exchange Server 2010 | Exchange Dictionary(www.exchangedictionary.com)


    • Edited by Praveen Balan Tuesday, April 17, 2012 7:50 AM correction
    • Marked as answer by ZarkoC Tuesday, April 17, 2012 7:52 AM
    Tuesday, April 17, 2012 7:49 AM
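
The two methods discussed in this thread, side by side, followed by a review query for the direct user assignments that the TechNet guidance quoted above advises against. This is an added example, not code from any of the posts; the scope, role group and assignment names and the user jsmith are hypothetical placeholders, and the commands are meant for the Exchange Management Shell.

```powershell
# All names below (scope, role group, assignment name, user) are hypothetical.

# A custom recipient write scope shared by both methods.
New-ManagementScope -Name 'Sales Recipients' `
    -RecipientRestrictionFilter { Department -eq 'Sales' }

# Method 1: New-RoleGroup with several roles.
# Exchange creates one role assignment per role listed in -Roles,
# each carrying the same scope, and names the assignments itself.
New-RoleGroup -Name 'Sales Help Desk' `
    -Roles 'Mail Recipients', 'Message Tracking' `
    -CustomRecipientWriteScope 'Sales Recipients'

# Inspect what was generated: expect two rows, one per role.
# The Name column shows the automatically chosen assignment names.
Get-ManagementRoleAssignment -RoleAssignee 'Sales Help Desk' |
    Format-Table Name, Role, RoleAssigneeType, CustomRecipientWriteScope -AutoSize

# Method 2: New-ManagementRoleAssignment adds exactly one role per call,
# here to the same role group, with an assignment name chosen by the admin.
New-ManagementRoleAssignment -Name 'Sales Help Desk - Distribution Groups' `
    -SecurityGroup 'Sales Help Desk' `
    -Role 'Distribution Groups' `
    -CustomRecipientWriteScope 'Sales Recipients'

# Permissions reach people through group membership, so a job change is
# a membership change rather than a set of per-user assignments to unpick.
Add-RoleGroupMember -Identity 'Sales Help Desk' -Member 'jsmith'

# Least-privilege review: list assignments made directly to users.
# Each row is a grant that bypasses role groups and must be tracked by hand.
Get-ManagementRoleAssignment -RoleAssigneeType User |
    Format-Table Name, Role, RoleAssigneeName, CustomRecipientWriteScope -AutoSize
```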