Configure RBAC to manage one specific DAG?

  • Question

  • Is it possible to configure RBAC so that only members of a Role Group can manage one specific DAG in the organization (the organization has several DAGs)?

    October 3, 2013 5:54 PM

All replies

  • Hi,

    Yes! First create a Scope that contains only the servers you want, then assign the required permissions to it!!

    See:
    http://sysadmin-talk.org/2010/04/5-steps-to-heaven-creating-a-custom-rbac-role-in-exchange-2010/


    ~Using no way as way, having no limitation as limitation~ If not online, I'm at the badminton court

    October 3, 2013 6:51 PM
    Moderator
  • Hello,

    I set a CustomConfigWriteScope that specifies the server, then granted the Database Availability Groups role,

    but I can still modify the config of the other DAG...

    What else needs to be adjusted?

    October 4, 2013 1:04 AM
  • Hi,

    (As shown in the figure below) please check the write scope; it must not be Default.


    ~Using no way as way, having no limitation as limitation~ If not online, I'm at the badminton court

    October 4, 2013 1:31 AM
    Moderator
  • The write scope is not "Default".
    October 4, 2013 8:00 AM
  • Hi,

    Could you check whether the Server Filter inside your Server scope is correct?

    Run this command first, then paste the output here:
    Get-ManagementScope -Identity "你所指定的寫入範圍"


    ~Using no way as way, having no limitation as limitation~ If not online, I'm at the badminton court

    October 4, 2013 3:51 PM
    Moderator
  • Hello,

    By "managing a single DAG" I mean configuring and adjusting the DAG properties under "Organization Configuration\Mailbox\Database Availability Groups".

    I used an AD Site to define the Server Scope; the Server filter is as follows:

    ------------------------------------------------------------------------------------

    RecipientRoot            :
    RecipientFilter          :
    ServerFilter             : ServerSite -eq 'CN=XXX-SITE,CN=Sites,CN=Configuration,DC=abc,DC=com'
    DatabaseFilter           :
    TenantOrganizationFilter :
    ScopeRestrictionType     : ServerScope
    Exclusive                : False
    AdminDisplayName         :
    ExchangeVersion          : 1.10 (14.1.90.0)
    Name                     : XXXExchServer
    DistinguishedName        : CN=XXXServer,CN=Scopes,CN=RBAC,CN=ABCGroup,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=abc,DC=com
    Identity                 : XXXServer
    Guid                     : 0b7b5bc2-27ba-7218-9eec-081323833e21
    ObjectCategory           : abc.com/Configuration/Schema/ms-Exch-Scope




    • Edited by BenTen27 October 5, 2013 2:51 PM
    October 5, 2013 10:32 AM
  • Found this for you on Google:

    Delegating DAG Management for a Specific DAG


    An Organization Administrator has defined two Database Availability Groups for his Organization and has decided to divide administration responsibilities for these two DAGs across two sets of Administrators. To accomplish this he needs to restrict each set of DAG Administrators to have full DAG Management rights over only a single DAG and all of its related resources including Databases and Database copies (with the exception of “protected” database copies which must be restricted to trusted administrators).

    Solution:

    The organization administrator takes the following steps:

    1. Two new management scopes of type ServerScope are created, one for each DAG, using a name that makes it clear to what DAG the scope belongs. The ServerFilter of each scope uses a filter that matches the DatabaseAvailabilityGroup property value for any mailbox server that is a member of the corresponding DAG.

    2. Two new management scopes of type DatabaseScope are created, one for each DAG, using a name that makes it clear to what DAG the scope belongs. The DatabaseFilter of each scope uses a filter that matches the MasterServerOrAvailabilityGroup property value for any database that is bound to the corresponding DAG.

    3. A new role group is created for each DAG, using a name that makes it clear to what DAG each role group belongs. For each role group, a role assignment is made for each management role required for managing servers and databases, using the appropriate scopes for restricting access as required. The administrators for each DAG are added as members to their corresponding role group, and no other role group that might give them inadvertent access to another DAG’s servers or databases.

    =================================

      • From my own management experience, though, org-level permissions are kept entirely centralized; apart from installation, configuration and adding members, a local admin has practically no use for any DAG permissions.

      • If permissions are delegated per child domain, carve out a server scope and a recipient root scope for each child domain's administrators.
      • For recipient management, grant the following permissions:
      Assigned Roles:
      Active Directory Permissions
      Distribution Groups
      Mail Enabled Public Folders
      Mail Recipient Creation
      Mail Recipients
      Mailbox Import Export
      Mailbox Search
      Message Tracking
      Migration
      Move Mailboxes
      Recipient Policies

      • For the Server role, grant the permissions below; they can then also view their own DAG's test-replicationstatus and related actions.
      Assigned Roles:
      Database Copies
      Databases
      Exchange Connectors
      Exchange Server Certificates
      Exchange Servers
      Exchange Virtual Directories
      Monitoring
      POP3 And IMAP4 Protocols
      Receive Connectors
      Transport Queues

      With the above settings, the admins of different child domains cannot touch the objects of another DAG or domain at all, they do not need to be given org-level permissions, and their day-to-day management and maintenance is not affected.

      ==============================

      One other domain has an additional DAG permission configured as follows, but it was set up so long ago that I have forgotten what it was for.

      E14 DAG Management

      Assigned Roles:
      Database Availability Groups

      Members:
      Child1 Exchange Administrator
      Child1.e14admin

      Write scope:
      E14 Servers

      =================================



  • Johnny_Yao

October 14, 2013 9:07 AM
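The three-step delegation quoted in the last reply, written out as Exchange Management Shell commands together with the moderator's "write scope must not be Default" check. This is an added example, not code from the thread or from Microsoft; the DAG name "DAG1", the scope and role-group names and the member account are assumptions.

```powershell
# Added example: delegate full management of one DAG ("DAG1") to one role group,
# following the three steps quoted above. All names are assumptions, not from the thread.
# Run in the Exchange Management Shell as a member of Organization Management.

$dagName     = "DAG1"
$adminMember = "child1.dagadmin"            # assumed account of the DAG1 administrator

# Step 1: server scope = mailbox servers that are members of DAG1.
# The filter is stored as text, so the DAG name is written literally rather than via $dagName.
# (This replaces the ServerSite-based filter shown earlier in the thread.)
New-ManagementScope -Name "$dagName Servers" `
    -ServerRestrictionFilter { DatabaseAvailabilityGroup -eq 'DAG1' }

# Step 2: database scope = databases mastered by DAG1 (covers their copies on every member).
New-ManagementScope -Name "$dagName Databases" `
    -DatabaseRestrictionFilter { MasterServerOrAvailabilityGroup -eq 'DAG1' }

# Step 3: a dedicated role group created without roles, so that every role is
# added below with an explicit custom write scope and none falls back to Default.
New-RoleGroup -Name "$dagName Administrators" -Members $adminMember

$serverRoles   = "Database Availability Groups", "Exchange Servers", "Monitoring"
$databaseRoles = "Databases", "Database Copies"

foreach ($role in $serverRoles) {
    New-ManagementRoleAssignment -Role $role -SecurityGroup "$dagName Administrators" `
        -CustomConfigWriteScope "$dagName Servers"
}
foreach ($role in $databaseRoles) {
    # A database scope is bound through the same config write scope parameter.
    New-ManagementRoleAssignment -Role $role -SecurityGroup "$dagName Administrators" `
        -CustomConfigWriteScope "$dagName Databases"
}

# Verification (the moderator's check): no assignment of this group may show a
# write scope of "Default", and the server filter must match DAG1 members only.
Get-ManagementRoleAssignment -RoleAssignee "$dagName Administrators" |
    Format-Table Role, ConfigWriteScope, CustomConfigWriteScope -AutoSize

Get-ManagementScope -Identity "$dagName Servers" |
    Format-List Name, ScopeRestrictionType, ServerFilter

# Preview which servers the filter really matches before trusting the scope.
Get-MailboxServer | Where-Object { "$($_.DatabaseAvailabilityGroup)" -eq $dagName } |
    Select-Object Name, DatabaseAvailabilityGroup
```

The member account must not also belong to any other role group that carries an unscoped (Default) assignment of these roles, or that assignment will still reach the other DAG.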