Use Role Based Access Control to control the users to create moderation rules for only specific users in a NT group or OU via ECP

  • Question

  • Dear all

    We would like to delegate the ECP to some managers to add moderation for their subordinates, and I have created the below Role group and Role and put them together, then the manager can only add moderation rules via the ECP. But is there any way to limit the manager to only add moderation rules for his subordinates? I have tried to add a management scope with an AD group to which all her subordinates were added and then assign it to the write scope of the management role group, but it seems not to be working; the manager can still add moderation rules for all users.

    Management Role Group - Finance Moderator Group with Finance manager AD account added

    Management Role - Moderation Rules Role with Moderation Rules cmdlet added

    Best regards

    Alex Tsang

    Monday, April 30, 2012 6:22 PM

All replies

  • Management Role - Moderation Rules Role with Moderation Rules cmdlet added

    Hi Alex,

    Could you please post the cmdlet which you used to create the Role here? And the New-ManagementScope cmdlet.

    "moderation rules": Do you mean Moderation with transport rules? An example is better.


    Frank Wang

    TechNet Community Support

    Wednesday, May 2, 2012 6:08 AM
  • Hi Alex,

    Any updates?

    Frank Wang

    TechNet Community Support

    Friday, May 4, 2012 1:46 AM
  • Dear Frank

    Sorry for the late reply, and let me elaborate more on what I want to do. Yes, I mean moderation with transport rules, and the below is what I want.

    When the users add new transport rules in the rules action of the mail control of the ECP, I want to use RBAC to limit the users to create only moderation transport rules for their subordinates.

    Firstly, I created a new role called Finance Moderation Roles by using the below command

    new-managementrole -name "Finance Moderation Roles" -Parent "transport rules"

    Then I removed the unused parameters of the New-TransportRule role entries, so that users can only add moderation transport rules, by using the below commands

    remove-managementroleentry "Finance Moderation Roles\New-TransportRule"

    Add-ManagementRoleEntry "Finance Moderation Roles\New-TransportRule" -Parameters AdComparisonAttribute.......

    Then I created a Management Role called Finance Mailboxes by using the below command

    New-ManagementScope -Name "Finance Mailboxes" -RecipientRoot "demo.technergy.local/Users" -RecipientRestrictionFilter {memberOfGroup -eq "Finance"}

    Then I created a new Role Group and then assigned the above Role and management scope to this role group

    New-RoleGroup -Name "Finance Moderation Role Group" -Roles "Finance Moderation Roles" -CustomRecipientWriteScope "Finance Mailboxes"

    At last, I added new members to this Role group in the ECP.

    After I ran the above commands, the users in the Role Group can only see moderation transport rules such as "Forward the message for approval" in the ECP, but when the users select the sender of this moderation transport rule, the full GAL is shown and all users can be selected.

    Saturday, May 5, 2012 10:30 AM
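
One way to check what the configuration described in the post above actually resolves to, as an added example that is not part of the original thread. It assumes an Exchange Management Shell session, uses the role, scope and role group names from the post, and assumes a group named "Finance" exists in Active Directory.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell.
# Object names are the ones given in the post; adjust to your environment.
$roleGroup = "Finance Moderation Role Group"
$role      = "Finance Moderation Roles"
$scopeName = "Finance Mailboxes"

# 1. Scopes on the assignment that New-RoleGroup created.
#    A recipient write scope limits which recipient objects the assignee can
#    modify. A transport rule is stored as organization configuration, so
#    ConfigWriteScope is the field that governs New-TransportRule itself.
#    RecipientReadScope governs which recipients the assignee can view.
Get-ManagementRoleAssignment -RoleAssignee $roleGroup |
    Format-List Name, Role, RecipientReadScope, RecipientWriteScope,
                CustomRecipientWriteScope, ConfigWriteScope

# 2. Parameters still present on the trimmed New-TransportRule entry,
#    to confirm only the intended (moderation) parameters remain.
(Get-ManagementRoleEntry "$role\New-TransportRule").Parameters | Sort-Object

# 3. The scope definition as Exchange stored it.
$scope = Get-ManagementScope $scopeName
$scope | Format-List Name, RecipientRoot, RecipientFilter, ScopeRestrictionType

# 4. MemberOfGroup filters are normally written with the group's
#    distinguished name; print it to compare with the stored filter.
(Get-Group "Finance").DistinguishedName

# 5. Preview which recipients the stored filter matches. The preview applies
#    the filter only (not RecipientRoot). Zero results means the filter does
#    not select the intended subordinates at all.
$matched = @(Get-Recipient -RecipientPreviewFilter $scope.RecipientFilter -ResultSize Unlimited)
"{0} recipient(s) match scope '{1}'" -f $matched.Count, $scopeName
$matched | Sort-Object Name | Format-Table Name, RecipientType, OrganizationalUnit -AutoSize
```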