Custom Search RBAC role without the ability to delete content?

  • Question

  • Exchange 2010 SP2

    I would like to give a group access to search mailboxes for content but not delete anything. If they stay in the ECP they are not able to delete anything, but if they go to PowerShell, they can add -DeleteContent.

    Is there a way to create a custom RBAC role based on the Mailbox Search parent and then remove the -DeleteContent parameter?

    Friday, August 23, 2013 5:07 AM

Answers

  • Yes, I found the solution.

    When we try to see all parameters in the Search-Mailbox role entry, I found:

    [PS] C:\>(Get-ManagementRoleEntry "mailbox search\search-mailbox").parameters
    Confirm
    Debug
    DomainController
    DoNotIncludeArchive
    ErrorAction
    ErrorVariable
    EstimateResultOnly
    Force
    Identity
    IncludeUnsearchableItems
    LogLevel
    LogOnly
    OutBuffer
    OutVariable
    SearchDumpster
    SearchDumpsterOnly
    SearchQuery
    TargetFolder
    TargetMailbox
    Verbose
    WarningAction
    WarningVariable
    WhatIf

    Then I tried to see all the roles which contain the Search-Mailbox cmdlet and the DeleteContent parameter entry, and I found:

    [PS] C:\>Get-ManagementRole -Cmdlet search-mailbox

    Name                                                                       RoleType
    ----                                                                       --------
    Mailbox Import Export                                                 MailboxImportExport
    Mailbox Search                                                             MailboxSearch


    [PS] C:\>Get-ManagementRole -CmdletParameters deletecontent

    Name                                                                       RoleType
    ----                                                                       --------
    Mailbox Import Export                                           MailboxImportExport

    So, it is clear that Search-Mailbox does not contain the -DeleteContent parameter.

    Hence, you are safe to assign your custom "Search Limited" role to your admin. He will not be able to delete the content.

    No need to perform Step 2.

    • Marked as answer by rmr1r Saturday, August 24, 2013 10:16 PM
    Saturday, August 24, 2013 9:39 AM

All replies

  • Yes, it is possible. You need to create a role based on Mailbox Search and then remove the -DeleteContent parameter from the management role entry.

    Please follow these steps:

    Step 1: create a custom role

    New-ManagementRole -Parent "Mailbox Search" -Name <name of new role>

    Step 2: customize the new role

    Set-ManagementRoleEntry "<name of new role>\Search-Mailbox" -Parameters DeleteContent -RemoveParameter

    Step 3: create the role group and assign the custom role to it

    New-RoleGroup -Name <new role group name> -Roles <name of new role> -Members <name of user(s)>

    Now you are done. A user who is a member of your new role group cannot delete content but can only search mailboxes.

    Please go through below for more details :

    Understanding RBAC

    Managing Permissions

    Managing Advanced Permissions

    Hope it helps you.


    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

    Friday, August 23, 2013 5:33 AM
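    As an added example (not code from this thread or from Microsoft), the script below carries the three steps above through in an idempotent way and then verifies the result from a least-privilege standpoint: it removes DeleteContent only if the entry actually carries it (so the Set-ManagementRoleEntry error seen later in the thread cannot occur), checks that no entry of the new role exposes DeleteContent, and finally lists which roles a given member holds, directly or through role groups, that do grant Search-Mailbox -DeleteContent. It assumes an Exchange 2010 Management Shell session; the role, group and account names are placeholders.

```powershell
# Added example, not from the thread. Placeholder names; adjust before use.
$RoleName  = 'Search Limited'          # placeholder custom role name
$GroupName = 'Search Limited Admins'   # placeholder role group name
$Member    = 'discovery.user'          # placeholder account to add to the group

# Step 1: derive the custom role from the Mailbox Search parent (skip if it exists).
if (-not (Get-ManagementRole -Identity $RoleName -ErrorAction SilentlyContinue)) {
    New-ManagementRole -Parent 'Mailbox Search' -Name $RoleName | Out-Null
}

# Step 2 only applies if the parent entry actually carries the parameter.
# Set-ManagementRoleEntry -RemoveParameter fails when the parameter is absent,
# so test the entry's Parameters list first instead of assuming.
$entry = Get-ManagementRoleEntry "$RoleName\Search-Mailbox"
if ($entry.Parameters -contains 'DeleteContent') {
    Set-ManagementRoleEntry "$RoleName\Search-Mailbox" -Parameters DeleteContent -RemoveParameter
}

# Verification: no entry of the new role may expose DeleteContent. Stop before
# assigning the role to anyone if one does.
$leaks = Get-ManagementRoleEntry "$RoleName\*" |
    Where-Object { $_.Parameters -contains 'DeleteContent' }
if ($leaks) {
    throw "Role '$RoleName' still exposes DeleteContent via: $($leaks.Name -join ', ')"
}

# Step 3: create the role group holding only the custom role (skip if it exists).
if (-not (Get-RoleGroup -Identity $GroupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $GroupName -Roles $RoleName -Members $Member | Out-Null
}

# Why a test from an admin account can still delete: enumerate every role the
# member holds (direct and via role groups) whose Search-Mailbox entry carries
# DeleteContent, e.g. Mailbox Import Export if it was assigned to one of their groups.
Get-ManagementRoleAssignment -RoleAssignee $Member |
    ForEach-Object { "$($_.Role)" } | Sort-Object -Unique |
    ForEach-Object {
        $e = Get-ManagementRoleEntry "$_\Search-Mailbox" -ErrorAction SilentlyContinue
        if ($e -and $e.Parameters -contains 'DeleteContent') {
            "$_ grants Search-Mailbox -DeleteContent to $Member"
        }
    }
```

    Run the last block against the account you tested with before concluding that the custom role is the source of -DeleteContent; an empty result means none of that account's roles expose it.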
  • Tarique, thanks for your quick reply.  I did run into a problem though.  For step 1 I created a new role called Search Limited and then on step 2 I got an error:

    Set-ManagementRoleEntry "Search Limited\Search-Mailbox" -Parameters deletecontent -RemoveParameter
    The following parameters on the "Search-Mailbox" management role entry of the "Search Limited" management role can't
     removed because they don't exist: deletecontent
        + CategoryInfo          : InvalidOperation: (Search Limited:ADObjectId) [Set-ManagementRoleEntry], InvalidOperati
       nException
        + FullyQualifiedErrorId : 79EED31B,Microsoft.Exchange.Management.RbacTasks.SetManagementRoleEntry

    Any ideas?

    Thanks

    Saturday, August 24, 2013 7:13 AM
  • Ok, let me check in the test lab.
    Saturday, August 24, 2013 9:09 AM
  • Thanks Tarique! Good explanation of the Search RBAC role. I have always tested with my account, which is a member of Organization Management, which I assume must be inheriting the Mailbox Import Export role indirectly, or something else, to allow me to use -DeleteContent?

    I added another account to just a Mailbox Search role and -DeleteContent is not available. Yea!

    Thanks again.


    • Edited by rmr1r Saturday, August 24, 2013 10:21 PM
    Saturday, August 24, 2013 10:21 PM
  • You are welcome!!

    Sunday, August 25, 2013 1:50 AM