RBAC question on unscoped role

  • Question

  • Exchange 2010 SP2 RU4a environment.

    We have identified the precise permissions for a junior admin, and I'm looking for the best way to set this up. The permissions needed span 5 different parent roles (Mailbox import export, Mail Recipients, Retention Management, User options, and Security group creation and membership).

    If I create a management role, it gets based upon a parent role and you inherit/remove the role entries until you get what you want. So am I right that I create 5 management roles per the above and then make the assignment to junior admin group? Does creating an unscoped role allow you to specify what cmdlets are allowable or is it just intended to give access to run specific script files? I was looking at creating one role that had all of the native Exchange cmdlets needed (spanning the 5 parent roles), but that's not how an unscoped role is meant to be used - correct?

    Friday, February 8, 2013 4:37 PM

Answers

  • You can do it how you have, the scopes are where changes are allowed to be made, like OU or Server: http://technet.microsoft.com/en-us/library/dd335146(v=exchg.141).aspx

    Sukh

    Friday, February 8, 2013 8:57 PM
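
The approach discussed in this thread (one child role per parent role, pruned to the needed cmdlets, then assigned to the junior admin group with a scope), sketched as an added example that is not part of the original posts. The `JuniorAdmin` prefix, the `contoso.com/Staff` OU and the per-role cmdlet lists are placeholders made up for illustration; substitute the permissions you have actually identified.

```powershell
# Run in the Exchange Management Shell with rights to manage RBAC.
# Added example: every name and list below is a hypothetical placeholder.
$prefix  = 'JuniorAdmin'          # naming prefix for the custom child roles
$ouScope = 'contoso.com/Staff'    # OU that limits where changes may be made

# Parent role -> cmdlets to KEEP (constructed sample, replace with your own list).
$allow = @{
    'Mailbox Import Export'                  = @('New-MailboxImportRequest', 'Get-MailboxImportRequest')
    'Mail Recipients'                        = @('Get-Mailbox', 'Set-Mailbox', 'Get-Recipient')
    'Retention Management'                   = @('Get-RetentionPolicy', 'Get-RetentionPolicyTag')
    'User Options'                           = @('Get-Mailbox')
    'Security Group Creation and Membership' = @('Get-DistributionGroup', 'Add-DistributionGroupMember')
}

$childRoles = foreach ($parent in $allow.Keys) {
    $child = "$prefix - $parent"

    # A child role starts with every role entry of its parent.
    New-ManagementRole -Name $child -Parent $parent | Out-Null

    # Remove each inherited entry that is not on the allow-list for this parent.
    Get-ManagementRoleEntry "$child\*" |
        Where-Object { $allow[$parent] -notcontains $_.Name } |
        ForEach-Object {
            Remove-ManagementRoleEntry -Identity "$child\$($_.Name)" -Confirm:$false
        }

    $child   # emit the role name so it is collected into $childRoles
}

# One role group carries all five child roles; the OU scope restricts which
# recipients its members can modify.
New-RoleGroup -Name "$prefix Role Group" -Roles $childRoles `
    -RecipientOrganizationalUnitScope $ouScope

# Review what was actually granted before adding members to the group.
foreach ($role in $childRoles) {
    Get-ManagementRoleEntry "$role\*" | Format-Table Role, Name -AutoSize
}
```

A role entry can also be narrowed to specific parameters of a cmdlet, so the final review listing is worth comparing against the identified permissions before adding members.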