RBAC - RoleGroup and ManagementRoleAssignment
Hi All,
I'm a bit confused with RoleGroup and ManagementRoleAssignment. Correct me if I'm wrong:
With new-rolegroup I can create a new rolegroup, to which I can assign a management role and a managementscope. That creates a managementroleassignment (is the name created by some convention by default for the roleassignment)? new-managementroleassignment does the same thing, but here I can define the name of the roleassignment?
Is there a difference between these two methods? I know that with managementroleassignment I can assign a managementrole directly to a user, but is there some other reason why I should use one or the other method?
Thanks
Zarko
April 14th, 2012 4:48pm
There are three ways that permissions can be assigned:
Management role groups
Management role assignment policies
Direct user role assignment - New-managementroleassignment
The first two methods listed above, namely management role groups and management role assignment policies, are the main methods used to assign permissions using RBAC. The direct user role assignment method is considered an advanced method.
Direct role assignment is an advanced method for assigning management roles directly to a user or USG without using a role group or role assignment policy. Direct role assignments can be useful when you need to provide a granular set of permissions to a specific user and no others. However, using direct role assignments can significantly increase the complexity of your permissions model. If a user changes jobs or leaves the company, you need to manually remove the assignments and add them to the new employee. We recommend that you use role groups to assign permissions to administrators and specialist users, and role assignment policies to assign permissions to users.
http://technet.microsoft.com/en-us/library/dd298183.aspx
Hasnain Shaikh | My blogs:
http://messagingserversupport.com
April 14th, 2012 11:41pm
Hello Hasnain,
Thanks for the response, but that wasn't my question. : )
Zarko
April 15th, 2012 4:00am
See if the below helps you in understanding. I tried to cover it in simple words.
http://www.exchangedictionary.com/index.php/Articles/role-based-access-control-exchange-2010.html
Let me try to put it in simple words here:
Role Assignment - is the link between a management role and a role assignment policy; the assignment policy then applies to the user or role group.
Role Group - clubbing more than one role together using role assignments (policy). You can add members to the role group to grant the combination permission.
http://www.exchangedictionary.com/index.php/Articles/rbac-management-role-assignment-policy.html
It is a little logical; try doing it in labs and you will easily understand.
As you asked, the reason is when you want to grant permission to only one user you may use assignment policy. But if you wish to grant the same level of permission to multiple users then use role groups for easy management in the long run.
-Praveen
Praveen Balan |MCITP - Exchange Server 2010 | Exchange Dictionary(www.exchangedictionary.com)
April 15th, 2012 9:55am
Hi Zarkoc,
Above gave some good suggestions; if you still have some questions, please feel free to let us know.
Regards!
Gavin
TechNet Community Support
April 16th, 2012 5:13am
Hi,
So if I understand it correctly, for a RoleGroup I can define more managementroles at once. That then creates managementroleassignments for each managementrole that I defined for the rolegroup?
If I'm going to use the managementroleassignments cmdlet I have to define in each cmdlet one role that the rolegroup will be assigned, because the roleassignment connects the rolegroup with one managementrole and a management scope?
Tnx
Zarko
April 17th, 2012 2:50am
Yes, each role assignment assigns one role with the scopes (either explicit or Org Wide).
When you give multiple role names when creating a role group, it in turn creates an assignment for each role specified in the creation cmdlet.
Hope it is clear.
Praveen Balan |MCITP - Exchange Server 2010 | Exchange Dictionary(www.exchangedictionary.com)
April 17th, 2012 3:49am
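
The two methods discussed in this thread, side by side, as an added example that is not part of any poster's reply. It is written for the Exchange Management Shell; the scope, role group, assignment and user names are hypothetical.

```powershell
# All names below (scope, role groups, assignments, user, filter value)
# are hypothetical and only illustrate the two methods from the thread.

# A recipient write scope shared by both methods.
New-ManagementScope -Name 'Sales Recipients' `
    -RecipientRestrictionFilter { Department -eq 'Sales' }

# Method 1: New-RoleGroup with several roles at once.
# Exchange creates one management role assignment per listed role,
# applies the same scope to each, and generates the assignment names.
New-RoleGroup -Name 'Sales Helpdesk' `
    -Roles 'Mail Recipients', 'Distribution Groups' `
    -CustomRecipientWriteScope 'Sales Recipients' `
    -Members 'zarko'

# Inspect the result: one assignment per role given to New-RoleGroup.
Get-ManagementRoleAssignment -RoleAssignee 'Sales Helpdesk' |
    Format-Table Name, Role, RoleAssigneeType, CustomRecipientWriteScope -AutoSize

# Method 2: create the role group without roles, then add the
# assignments one at a time. Each call links exactly one role to the
# group, and -Name lets you choose the assignment name yourself.
New-RoleGroup -Name 'Sales Helpdesk 2' -Members 'zarko'

New-ManagementRoleAssignment -Name 'SalesHD2-MailRecipients' `
    -SecurityGroup 'Sales Helpdesk 2' `
    -Role 'Mail Recipients' `
    -CustomRecipientWriteScope 'Sales Recipients'

New-ManagementRoleAssignment -Name 'SalesHD2-DistributionGroups' `
    -SecurityGroup 'Sales Helpdesk 2' `
    -Role 'Distribution Groups' `
    -CustomRecipientWriteScope 'Sales Recipients'

Get-ManagementRoleAssignment -RoleAssignee 'Sales Helpdesk 2' |
    Format-Table Name, Role, RoleAssigneeType, CustomRecipientWriteScope -AutoSize

# Review check: list roles assigned directly to users, the method the
# quoted TechNet text says has to be cleaned up manually when a user
# changes jobs or leaves.
Get-ManagementRoleAssignment -RoleAssigneeType User |
    Format-Table Name, Role, RoleAssigneeName, CustomRecipientWriteScope -AutoSize
```

Both role groups end up with the same effective permissions; the difference is only in who names the assignments and how many cmdlets it takes.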