Custom RBAC question

Status
Not open for further replies.

Chad Solarz [MVP]



I have a student who took my 10135 class and asked a great question on custom RBAC permissions. I understand RBAC and how it works, but I don't fully know the built-in limitations on some of the out-of-box groups and assignments. They can't easily change their admin structure, so that apparently is not an option for supporting RBAC. Please see below.

Here is what they have.

OU structure

Root
  Companies (Static name)
    Country (Name of the country the company is located in)
      City (Name of the city the company is located in)
        Company (Actual Company name or abbreviation of it)
          Computers
          Contacts
          Groups
          Servers
          Users

Within their current configuration they have the security broken down into 5 types of administrators listed below.

1. Account

a. Can create Users and manage Users in Users OU

b. Can create and manage Groups in Groups OU

c. Can create and Manage Contacts in Contacts OU

2. ServerAdmins

a. Can create and manage computer objects in Servers OU

b. Add via VBscript and GPO to local administrators group of the machine.

3. SystemAdmins

a. Can create and manage computer objects in Computers OU

b. Add via VBscript and GPO to local administrators group of the machine.

4. GPOAdmins – Being phased out

5. ExchAdmins – Being phased out

Because they have the administration split up so much, there are multiple levels of each of these groups. They have CityCompany, City, Country, Company, Division and Region groups.

So for one location they would have

Standard local Administrator

NapervilleFarmTechnologiesAccountAdmins

NapervilleFarmTechnologiesServerAdmins

NapervilleFarmTechnologiesSystemAdmins

NapervilleFarmTechnologiesGPOAdmins

NapervilleFarmTechnologiesExchAdmins

Give admin rights to any company within the city

NapervilleAccountAdmins

NapervilleServerAdmins

NapervilleSystemAdmins

NapervilleGPOAdmins

NapervilleExchAdmins

Give admin rights to any company within the country

USAAccountAdmins

USAServerAdmins

USASystemAdmins

USAGPOAdmins

USAExchAdmins

Give admin rights to any FarmTechnologies (Company name)

FarmTechnologiesAccountAdmins

FarmTechnologiesServerAdmins

FarmTechnologiesSystemAdmins

FarmTechnologiesGPOAdmins

FarmTechnologiesExchAdmins

Grant permission to any company within the division (5 divisions possible)

FT-AccountAdmins

FT-ServerAdmins

FT-SystemAdmins

FT-GPOAdmins

FT-ExchAdmins

What they were originally planning was using the RecipientOrganizationalUnitScope option within the managementroleassignment. The problem that they ran into with this is that it appears to only allow one root OU within the scope, and they would need several when it comes to some of the country admins. They have considered using the managementscope option as well and filtering by some of the attributes, but of course MS decided that some of the attributes that we need, like division, are not available. If they used this on a city level they would not be able to lock the admin into putting the groups in the Groups OU; instead they could put them anywhere.

Now for the question, now that you have all the background material. Are we mistaken, or does the OU scope allow multiple root OUs to be defined? Do you know of another way to accomplish the security that they need?

Chad Solarz
Sr. Tech Instructor
Directions Training
MCSA / MCSE / MCDST / MCT
MCTS: Vista / exch 2k7 & 2010 / server 2k8 / forefront / MDOP / Win 7
MCITP: Vista / server 2k8 / Exchange 2k7 & 2010
Twitter - @csolarz
FB - Http://www.facebook.com/csolarz
linkedin - http://www.linkedin.com/in/chadsolarz
 

Michel de Rooij



Using the ManagementScope cmdlets you can set 1 root per scope using the RecipientRoot parameter. Scopes are attached to ManagementRoles (ManagementRoleAssignment cmdlets) using the Scope parameters on a 1:1 basis. ManagementRoles can be grouped into RoleGroups and have a 1:N relationship. So - if I read your question correctly - you need to create multiple ManagementRoles for each scope (root).

Regarding the filtering, as you probably found out you can only use a selected number of attributes to filter on:
http://technet.microsoft.com/en-us/library/bb738155%28EXCHG.80%29.aspx

Isn't it an option to use (filter on) groups, phone (prefixes), postal code? Another option perhaps is to sync the required attribute into one of the ExtensionAttribute values and filter on that.

RBAC info and shameless self-plug:
http://eightwone.wordpress.com/2009/12/08/exchange-2010-delegation-model/

Regards,

Michel

Michel de Rooij,
MCITP Ent.Msg 2007+2010| MCTS W2008, Ex2007+2010 Conf | MCSE+Msg2k3 | MCSE+Inet2k3 | Prince2 Fnd | ITIL
I blog on http://eightwone.wordpress.com/ and tweet on http://twitter.com/mderooij
 

Frank.Wang



Hi Chad,

"they have considered using the managementscope option as well and filter by some of the attributes but of course MS decided that some of the attributes that we need like division is not available. "

How about Custom Attributes, which can also be filtered?

Frank Wang
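
The two suggestions in the replies above (one management scope per OU root with one role assignment per scope, and filtering on a custom attribute) could look like the following in the Exchange 2010 Management Shell. This is an added example, not code from any of the posters; the domain `corp.example`, the OU paths, the scope names and the use of `CustomAttribute1` for the division code are assumptions made for illustration.

```powershell
# Added example. Assumptions: domain 'corp.example', the OU paths and
# scope names below, and CustomAttribute1 holding the division code.

# Existing universal security group, named per the thread's scheme.
$group = 'USAAccountAdmins'
$roles = 'Mail Recipients', 'Mail Recipient Creation'

# One entry per company Users OU the country-level admins must reach
# (constructed sample paths following the thread's OU layout).
$userOUs = @{
    'Naperville-FT' = 'corp.example/Companies/USA/Naperville/FarmTechnologies/Users'
    'Chicago-ExCo'  = 'corp.example/Companies/USA/Chicago/ExampleCo/Users'
}

foreach ($key in $userOUs.Keys) {
    $scopeName = "USA-$key-Users"

    # A scope accepts a single RecipientRoot, so every OU gets its own scope.
    New-ManagementScope -Name $scopeName `
        -RecipientRoot $userOUs[$key] `
        -RecipientRestrictionFilter { RecipientType -eq 'UserMailbox' }

    # An assignment binds one role to one write scope, so the same group
    # receives one assignment per role and per scope.
    foreach ($role in $roles) {
        New-ManagementRoleAssignment -Name "$role-$scopeName" `
            -Role $role -SecurityGroup $group `
            -CustomRecipientWriteScope $scopeName
    }
}

# Attribute-based alternative: no root, membership decided by a custom
# attribute that a sync job fills with the division code.
New-ManagementScope -Name 'Division-FT-Recipients' `
    -RecipientRestrictionFilter { CustomAttribute1 -eq 'FT' }

# Review what the group ended up with before handing it over.
Get-ManagementRoleAssignment -RoleAssignee $group |
    Format-Table Name, Role, CustomRecipientWriteScope -AutoSize
```

The attribute-filtered scope has no root, so, as the original question points out, it does not confine where new objects are created; the per-OU scopes do.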
 