You have an Exchange Server 2010 organization.
You need to use Role Based Access Control (RBAC) to provide a user the ability to manage
recipients in a specific organizational unit (OU).
What should you do first?
A.
Create a new direct role assignment.
B.
Create a new management role assignment policy.
C.
Create a new management scope.
D.
Modify the default management scope.
RBAC depends on three sets of definitions: management role, management role group, and scope. These can be described as follows.
A management role specifies what can be done. For example, Exchange 2010 defines roles for unified messaging (UM) management, discovery management, and other administrative operations. Users who hold one of these roles can take specific actions that are allowed in the definition of that role. In Exchange, the role is made up of role entries, each of which defines an EMS cmdlet or set of parameters that users who hold that role can execute. Exchange 2010 SP1 includes definitions for about 70 roles: for moving mailboxes, working with mail recipients, managing legal holds, and so on. Some of these roles are intended for administrators, but others are intended directly for users. For example, the MyBaseOptions role is typically assigned to users so that they can edit some of their own contact details by using ECP. To get a list of Exchange roles, you can run the Get-ManagementRole cmdlet from an Exchange 2010 server.
A management role group specifies who can do something. This nomenclature is a little confusing. You might think that membership is defined in the role itself, but the role group defines membership. Role groups are actually Windows universal security groups that are stored in the Exchange security group’s organizational unit (OU) in AD. You can see the group membership by using a tool such as the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in. However, you should not edit the group membership manually. Group memberships contain custom attributes that would likely be damaged if you were to edit them by using the Active Directory Users and Computers snap-in.
A scope defines a set of objects on which a role can take action. For example, you might define the scope of a given role to be an individual mailbox database, an Exchange server, or an OU. Scopes can grant read or write access to a set of objects.
The role assignment ties these definitions together. When you assign a user to a particular role, the user gains the ability to execute the commands that are defined in that role against a particular scope. For example, you might grant an administrator the organization management role to allow a user to execute a wide variety of commands on a wide variety of Exchange objects throughout the Exchange organization. You might, then, assign a different user a more limited role, such as the ability to conduct organization-wide mailbox searches.
It’s important to remember that RBAC assignments are applied by using their own mechanism, not by using the standard Windows ACL mechanism. Usually, if you’ve defined multiple sets of permissions on a resource, the most restrictive set of permissions is applied. But when you apply RBAC, a user gets the union of all the RBAC role entries to which the user has access. For example, if you assign Joe User two different RBAC roles, Joe User will be able to use the cmdlets that are specified in either of the defined roles, not only those that belong to the most restrictive set.
0
0