RBAC questions

    Question

  • There is so much stuff about RBAC out there that it is difficult to find exactly what I am looking for.  Most of what I find is a repeat of what is out there.  I am trying to find two things specifically:

    1. What management role groups have a specific role? I wouldn't think that would be so hard to find, but what I find seems to go in a big circle around all of that instead of getting to the point.

    2. Is there something that will tell me what management role a specific cmdlet belongs to? For instance, if you do get-managementrole "name of role" | get-managementroleentry you end up with three columns, the far left column being a list of cmdlets. But what if I want a specific cmdlet, and want to know what role it is in so I can determine what role to assign to a group? For instance, we have a group that needs to be able to do something but can't run a particular cmdlet due to role restrictions. I'd like to be able to find what role can perform that particular task.

    Thanks for any help on this.

    Monday, June 11, 2012 10:54 PM

Answers

  • This is a good and simple presentation:

    http://www.opsvault.com/securing-ms-exchange-2010-role-based-access-control-rbac-simplified/

    If you use the ECP, you can see exactly, in a simple easy-to-see format, what roles are associated with each man. role group:


    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

    • Proposed as answer by David M (LePivert) Thursday, June 14, 2012 11:08 AM
    • Marked as answer by emma.yoyo Friday, June 15, 2012 2:14 AM
    Tuesday, June 12, 2012 10:58 PM
  • For #2 try this...

    Get-ManagementRole | Where {$_.RoleEntries -match "Get-Mailbox"}


    Program Manager, Exchange Customer Advisory Team
    MCSA 2000/2003
    MCTS: Win Server 2008 AD, Configuration MCTS: Win Server 2008 Network Infrastructure, Configuration
    MCITP: Enterprise Messaging Administrator 2010
    Former Microsoft MVP, Exchange Server

    NOTICE: My posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.


    Wednesday, June 13, 2012 4:42 AM
  • You can also run the following cmdlets:

    For #1: Get-ManagementRoleAssignment -RoleAssignee "Recipient Management"

    For #2: Get-ManagementRoleEntry "*\Get-Mailbox"


    Frank Wang

    TechNet Community Support

    • Proposed as answer by David M (LePivert) Thursday, June 14, 2012 11:08 AM
    • Marked as answer by emma.yoyo Friday, June 15, 2012 2:14 AM
    Wednesday, June 13, 2012 6:07 AM
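
    The two lookups from the answers above can be combined into one least-privilege report: for a given cmdlet, list every role that contains it, how broad each role is, and which role groups already hold it. This is an added example, not part of the original thread; it assumes an Exchange Management Shell session, and `$Cmdlet` plus the report column names are illustrative choices.

```powershell
# Added example: run inside the Exchange Management Shell.
# $Cmdlet is a sample value; substitute the cmdlet the group cannot run.
$Cmdlet = 'Get-Mailbox'

# Every role entry for the cmdlet, across all roles ("*\" wildcards the role name).
$entries = Get-ManagementRoleEntry "*\$Cmdlet"

$report = foreach ($entry in $entries) {
    $role = Get-ManagementRole -Identity $entry.Role

    # Regular (non-delegating) assignments of this role to role groups only.
    $groups = Get-ManagementRoleAssignment -Role $role.Identity `
                  -RoleAssigneeType RoleGroup -Delegating $false |
              ForEach-Object { $_.RoleAssigneeName } |
              Sort-Object -Unique

    # New-Object is used so the script also works on PowerShell 2.0.
    New-Object PSObject -Property @{
        Role        = $role.Name
        # Total entries in the role: a rough measure of how much else it grants.
        EntryCount  = @($role.RoleEntries).Count
        # Parameters of this cmdlet the role exposes; custom roles may trim them.
        ParamCount  = @($entry.Parameters).Count
        EndUserRole = $role.IsEndUserRole
        RoleGroups  = $groups -join ', '
    }
}

# Narrowest roles first: the top rows grant the cmdlet with the least extra access.
$report |
    Sort-Object EntryCount |
    Format-Table Role, EntryCount, ParamCount, EndUserRole, RoleGroups -AutoSize
```

    A role near the top of the output with an empty RoleGroups column is not yet assigned to any role group; a role with a low ParamCount may contain the cmdlet but still block the specific parameter the group needs.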

All replies