Custom Search RBAC role without the ability to delete content?

Question
-
Exchange 2010 SP2
I would like to give a group access to search mailboxes for content but not delete anything. If they stay in the ECP they are not able to delete anything, but if they go to PowerShell, they can add -DeleteContent.
Is there a way to create a custom RBAC role based on the mailbox-search parent and then remove the -deletecontent parameter?
Friday, August 23, 2013 5:07 AM
Answers
-
Yes, I found the solution.
When we try to see all parameters in the Search-Mailbox role entry, I found:
[PS] C:\>(Get-ManagementRoleEntry "mailbox search\search-mailbox").parameters
Confirm
Debug
DomainController
DoNotIncludeArchive
ErrorAction
ErrorVariable
EstimateResultOnly
Force
Identity
IncludeUnsearchableItems
LogLevel
LogOnly
OutBuffer
OutVariable
SearchDumpster
SearchDumpsterOnly
SearchQuery
TargetFolder
TargetMailbox
Verbose
WarningAction
WarningVariable
WhatIf
Then I try to see all the roles which contain the Search-Mailbox cmdlet and the DeleteContent parameter entry, and I found:
[PS] C:\>Get-ManagementRole -Cmdlet search-mailbox
Name RoleType
---- --------
Mailbox Import Export MailboxImportExport
Mailbox Search MailboxSearch
[PS] C:\>Get-ManagementRole -CmdletParameters deletecontent
Name RoleType
---- --------
Mailbox Import Export MailboxImportExport
So, it is clear that Search-Mailbox does not contain the -DeleteContent parameter.
Hence, you are safe to assign your custom "Search Limited" role to your admin. He will not be able to delete the content.
No need to perform Step 2.
- Marked as answer by rmr1r Saturday, August 24, 2013 10:16 PM
Saturday, August 24, 2013 9:39 AM
All replies
-
Yes, it is possible. You need to create the role based on Mailbox Search and then remove the -DeleteContent parameter from the management role entry.
Please follow the steps:
Step 1: create a custom role
New-ManagementRole -Parent "Mailbox Search" -Name <name of new role>
Step 2: customize the new role
Set-ManagementRoleEntry "<name of new role>\Search-Mailbox" -Parameters DeleteContent -RemoveParameter
Step 3: create the role group and assign the custom role to it
New-RoleGroup -Name <new role group name> -Roles <name of new role> -Members <name of user(s)>
Now you are done. A user who is a member of your new role group cannot delete contents but can only search mailboxes.
Please go through the below for more details:
Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.
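The three steps above, plus the role-entry check from the accepted answer, as one script. This is an added example, not code from the thread; it assumes an Exchange 2010 Management Shell session, and the role name, group name and member account are placeholders.

```powershell
# Added example for an Exchange 2010 Management Shell session.
# Placeholders: change the role, group and member names to your own.
$RoleName  = 'Search Limited'
$GroupName = 'Search Limited Admins'
$Members   = @('searchadmin1')

# Step 1: derive the custom role from the built-in Mailbox Search role.
if (-not (Get-ManagementRole -Identity $RoleName -ErrorAction SilentlyContinue)) {
    New-ManagementRole -Parent 'Mailbox Search' -Name $RoleName | Out-Null
}

# Step 2: strip DeleteContent only if the role entry actually carries it.
# Calling -RemoveParameter for a parameter the entry does not have fails with
# the "can't ... be removed because they don't exist" error seen in this thread.
$entry = Get-ManagementRoleEntry "$RoleName\Search-Mailbox"
if ($entry.Parameters -contains 'DeleteContent') {
    Set-ManagementRoleEntry "$RoleName\Search-Mailbox" -Parameters DeleteContent -RemoveParameter
} else {
    Write-Host "'$RoleName\Search-Mailbox' has no DeleteContent parameter; nothing to remove."
}

# Step 3: role group carrying only the custom role.
if (-not (Get-RoleGroup -Identity $GroupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $GroupName -Roles $RoleName -Members $Members | Out-Null
}

# Verification: which roles still expose DeleteContent anywhere, and does any
# of them reach a member through some other assignment (direct or via a group
# such as Organization Management)? That is the case the question author hit.
$rolesWithDelete = Get-ManagementRole -CmdletParameters DeleteContent |
    Select-Object -ExpandProperty Name
Write-Host "Roles exposing DeleteContent: $($rolesWithDelete -join ', ')"

foreach ($member in $Members) {
    foreach ($role in $rolesWithDelete) {
        $hit = Get-ManagementRoleAssignment -Role $role -RoleAssignee $member -ErrorAction SilentlyContinue
        if ($hit) {
            Write-Warning "$member can still reach DeleteContent through role '$role'."
        }
    }
}
```

If the warning fires, the member holds a second assignment (for example via Organization Management) that the custom role cannot take away; fix that membership rather than the role entry.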
Friday, August 23, 2013 5:33 AM -
Tarique, thanks for your quick reply. I did run into a problem though. For step 1 I created a new role called Search Limited and then on step 2 I got an error:
Set-ManagementRoleEntry "Search Limited\Search-Mailbox" -Parameters deletecontent -RemoveParameter
The following parameters on the "Search-Mailbox" management role entry of the "Search Limited" management role can't removed because they don't exist: deletecontent
+ CategoryInfo : InvalidOperation: (Search Limited:ADObjectId) [Set-ManagementRoleEntry], InvalidOperationException
+ FullyQualifiedErrorId : 79EED31B,Microsoft.Exchange.Management.RbacTasks.SetManagementRoleEntry
Any ideas?
Thanks
Saturday, August 24, 2013 7:13 AM -
Ok, let me check in the test lab.
Saturday, August 24, 2013 9:09 AM
-
Thanks Tarique! Good explanation of the Search RBAC role. I have always tested with my account, which is a member of Organization Management, which I assume must be inheriting the Mailbox Import Export role indirectly, or something else that allows me to use -DeleteContent?
I added another account to just a Mailbox Search role and -deletecontent is not available. Yea!
Thanks again.
- Edited by rmr1r Saturday, August 24, 2013 10:21 PM
Saturday, August 24, 2013 10:21 PM -
You are welcome!
Sunday, August 25, 2013 1:50 AM