Remove From My Forums

Custom Search RBAC role without the ability to delete content?

Question
0

Sign in to vote

Exchange 2010 Sp2

I would like to give a group access to search mailbox for content but not delete anything. If they stay in the ECP they are not able to delete anything, but if they go to powershell, they can add the -deletecontent.

Is there a way to create a custom RBAC role based on the mailbox-search parent and then remove the -deletecontent parameter?

Friday, August 23, 2013 5:07 AM

Answers

0

Sign in to vote
Yes , I found the solution .....

When we try to see all parameter in Search-mailbox role , I found .......

[PS] C:\>(Get-ManagementRoleEntry "mailbox search\search-mailbox").parameters
Confirm
Debug
DomainController
DoNotIncludeArchive
ErrorAction
ErrorVariable
EstimateResultOnly
Force
Identity
IncludeUnsearchableItems
LogLevel
LogOnly
OutBuffer
OutVariable
SearchDumpster
SearchDumpsterOnly
SearchQuery
TargetFolder
TargetMailbox
Verbose
WarningAction
WarningVariable
WhatIf

Then I try to see the all roles which contains the search-mailbox cmdlet and deletecontent parameter entry , then I found :

[PS] C:\>Get-ManagementRole -Cmdlet search-mailbox

Name RoleType
---- --------
Mailbox Import Export MailboxImportExport
Mailbox Search MailboxSearch

[PS] C:\>Get-ManagementRole -CmdletParameters deletecontent

Name RoleType
---- --------
Mailbox Import Export MailboxImportExport

So , it is clear that Search-Mailbox does not contains the -deleteContent parameter.

Hence , you are safe to assign your custom "Search limited" role to your admin. He will not able to delete the content .

No need to perform Step 2 .
- Marked as answer by rmr1r Saturday, August 24, 2013 10:16 PM
Saturday, August 24, 2013 9:39 AM

All replies

Yes , It is possible . You need to create the role based on Mailbox search and then remove -deletecontent parameter from management role entry.

Please follow the steps :

Step 1 :create a custom role

New-ManagementRole -Parent "Mailbox Search" -Name <name of new role>

step 2 : customize the new role

Set-ManagementRoleEntry <name of new role>\Search-Mailbox -Parameters deletecontent -RemoveParameter

step 3 : create the role group and assign custom role to it

New-RoleGroup -Name <new role group name> -Roles <name of new role> -members <name of user(s)>

now , You are done . User who is member of Your new role group can not delete contents but only search mailbox.

Please go through below for more details :

Understanding RBAC

Managing Permission

Managing Advanced permission

Hope it helps you.

Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

Friday, August 23, 2013 5:33 AM

0

Sign in to vote

Tarique, thanks for your quick reply. I did run into a problem though. For step 1 I created a new role called Search Limited and then on step 2 I got an error:

Set-ManagementRoleEntry "Search Limited\Search-Mailbox" -Parameters deletecontent -RemoveParameter
The following parameters on the "Search-Mailbox" management role entry of the "Search Limited" management role can't
removed because they don't exist: deletecontent
    + CategoryInfo          : InvalidOperation: (Search Limited:ADObjectId) [Set-ManagementRoleEntry], InvalidOperati
   nException
    + FullyQualifiedErrorId : 79EED31B,Microsoft.Exchange.Management.RbacTasks.SetManagementRoleEntry

Any ideas?

Thanks

Saturday, August 24, 2013 7:13 AM
0

Sign in to vote

Ok , let me check in Test lab........

Saturday, August 24, 2013 9:09 AM
0

Sign in to vote
Yes , I found the solution .....

When we try to see all parameter in Search-mailbox role , I found .......

[PS] C:\>(Get-ManagementRoleEntry "mailbox search\search-mailbox").parameters
Confirm
Debug
DomainController
DoNotIncludeArchive
ErrorAction
ErrorVariable
EstimateResultOnly
Force
Identity
IncludeUnsearchableItems
LogLevel
LogOnly
OutBuffer
OutVariable
SearchDumpster
SearchDumpsterOnly
SearchQuery
TargetFolder
TargetMailbox
Verbose
WarningAction
WarningVariable
WhatIf

Then I try to see the all roles which contains the search-mailbox cmdlet and deletecontent parameter entry , then I found :

[PS] C:\>Get-ManagementRole -Cmdlet search-mailbox

Name RoleType
---- --------
Mailbox Import Export MailboxImportExport
Mailbox Search MailboxSearch

[PS] C:\>Get-ManagementRole -CmdletParameters deletecontent

Name RoleType
---- --------
Mailbox Import Export MailboxImportExport

So , it is clear that Search-Mailbox does not contains the -deleteContent parameter.

Hence , you are safe to assign your custom "Search limited" role to your admin. He will not able to delete the content .

No need to perform Step 2 .
- Marked as answer by rmr1r Saturday, August 24, 2013 10:16 PM
Saturday, August 24, 2013 9:39 AM
0

Sign in to vote
Thanks Tarique! Good explanation of the Search RBAC role. I have always tested with my account which is a member of Organization Management which I assume must be inheriting the Mailbox Import Export role indirectly or something else to allow me to put use -deletecontent?

I added another account to just a Mailbox Search role and -deletecontent is not available. Yea!

Thanks again.
- Edited by rmr1r Saturday, August 24, 2013 10:21 PM
Saturday, August 24, 2013 10:21 PM
0

Sign in to vote

You are Welcome !!

Sunday, August 25, 2013 1:50 AM

Products

Resources

Solutions

Updates

Trials

Related Sites

Training

Certifications

Other resources

Support options

More support

Not an IT pro?

Answered by:

Custom Search RBAC role without the ability to delete content?

Question

Answers

All replies