Database & Server Scoping Scenarios – RBAC Exchange 2010

Controlling access to management tasks and resources in a large organization can be a complex process. Scenarios are often a useful way to describe common problems and possible solutions. The following scenarios explain how Exchange 2010 SP1 management scopes can be used to solve these common problems.

Restricting Mailbox Provisioning to a set of Mailbox Databases

An Exchange organization services several state agencies. Each agency has its own recipient administrator, who must only be allowed to create mailboxes in a single mailbox database that has been allocated for exclusive use by the agency they manage. This is an essential requirement in order to isolate each agency from all other agencies for various operational and legal reasons.

Solution:

The organization administrator takes the following steps:

  1. One mailbox database is provisioned for each agency using a naming convention that makes it clear to which agency each database belongs.
  2. A management scope of type DatabaseScope is created for each agency, using a name that makes it clear to which agency the scope belongs. The DatabaseFilter of each scope refers to the corresponding agency’s database, and does not apply to any other agency’s databases.
  3. A new role group is created for the recipient administrator(s) of each agency, using a name that makes it clear to which agency the role group belongs. The required management role assignments for recipient management are made to each agency’s role group using the management scope that corresponds to that agency’s database. The recipient administrators for each agency are added as members of their agency’s role group, and no other role group that might give them access to create mailboxes in any other database but their own.
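The three steps above for one agency, as an added Exchange Management Shell example that is not part of the original post. The agency name, database naming convention, administrator account and the verification queries at the end are assumptions.

```powershell
# Added example: one agency's slice of the scenario. Names are assumed.
$agency   = "AgencyA"
$dbName   = "$agency-DB01"                # step 1: one database per agency
$scope    = "$agency Databases"
$roleGrp  = "$agency Recipient Admins"
$adminUpn = "agencya.admin@contoso.com"   # assumed recipient administrator

# Step 2: a database scope whose filter matches only this agency's database(s).
# The filter is evaluated against the Name of each mailbox database.
New-ManagementScope -Name $scope -DatabaseFilter "Name -like '$agency-*'"

# Step 3: a role group whose recipient-management roles are all assigned with
# the agency scope as the configuration write scope. New-Mailbox needs a
# writable database, so the database scope decides where mailboxes can be made.
New-RoleGroup -Name $roleGrp `
    -Roles "Mail Recipient Creation", "Mail Recipients" `
    -CustomConfigWriteScope $scope `
    -Members $adminUpn

# Check: who can write to this agency's database, and through which scope.
Get-ManagementRoleAssignment -WritableDatabase $dbName -GetEffectiveUsers |
    Format-Table RoleAssigneeName, Role, EffectiveUserName, CustomConfigWriteScope

# Check: any assignment listed here means the agency group can reach another
# agency's database and the scope or group membership needs correcting.
Get-ManagementRoleAssignment -RoleAssignee $roleGrp -WritableDatabase "AgencyB-DB01"
```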

Delegating Server and Database Management to a Datacenter Operations Team

An Exchange organization services a large multinational corporation. Due to the complexity of its widespread IT infrastructure, as well as concerns around security and continuity, lower-level administrators are restricted to managing regional resources only.

These administrators require the ability to fully manage all local Exchange resources, including servers, databases, and other related resources, but must not be allowed to manage any resources outside of their region.

Solution:

The organization administrator takes the following steps:

  1. The AD infrastructure includes several AD sites, each one corresponding to a region. For each region a management scope of type ServerScope is created, using a name that makes it clear to which region the scope belongs. The ServerFilter of each scope uses a filter that matches the AD site name for the corresponding region.
  2. Each region has control of a provisioned set of databases that use a naming convention that makes it clear to what region the database belongs. A new management scope of type DatabaseScope is created for each region, using a name that makes it clear to which region the scope applies. Each scope uses a DatabaseFilter that applies to only the databases in the corresponding region.
  3. A new role group is created for each region, using a name that makes it clear to what region each role group belongs. For each role group, a role assignment is made for each management role required for managing servers and databases, using the appropriate scopes for restricting access as required. The lower-level administrators for each region are added as members to their corresponding role group, and no other role group that might give them inadvertent access to another region’s servers or databases.

Delegating DAG Management for a Specific DAG

An organization administrator has defined two Database Availability Groups for his organization and has decided to divide administration responsibilities for these two DAGs across two sets of administrators. To accomplish this, he needs to restrict each set of DAG administrators to full DAG management rights over only a single DAG and all of its related resources, including databases and database copies (with the exception of “protected” database copies, which must be restricted to trusted administrators).

Solution:

The organization administrator takes the following steps:

  1. Two new management scopes of type ServerScope are created, one for each DAG, using a name that makes it clear to what DAG the scope belongs. The ServerFilter of each scope uses a filter that matches the DatabaseAvailabilityGroup property value for any mailbox server that is a member of the corresponding DAG.
  2. Two new management scopes of type DatabaseScope are created, one for each DAG, using a name that makes it clear to what DAG the scope belongs. The DatabaseFilter of each scope uses a filter that matches the MasterServerOrAvailabilityGroup property value for any database that is bound to the corresponding DAG.
  3. A new role group is created for each DAG, using a name that makes it clear to what DAG each role group belongs. For each role group, a role assignment is made for each management role required for managing servers and databases, using the appropriate scopes for restricting access as required. The administrators for each DAG are added as members to their corresponding role group, and no other role group that might give them inadvertent access to another DAG’s servers or databases.
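The DAG scenario above, carried through for one DAG, with the AD-site server filter from the regional scenario shown as a variant of step 1. This is an added Exchange Management Shell example, not code from the original post; the DAG name, site distinguished name, server name, administrator account and the choice of which built-in role is paired with which scope are assumptions.

```powershell
# Added example: scopes and role group for one DAG. Names are assumed.
$dag    = "DAG01"
$grp    = "$dag Admins"
$siteDn = "CN=Seattle,CN=Sites,CN=Configuration,DC=contoso,DC=com"  # regional variant

# Step 1: server scope matching every mailbox server that is a member of the DAG.
New-ManagementScope -Name "$dag Servers" `
    -ServerFilter "DatabaseAvailabilityGroup -eq '$dag'"

# Regional variant of step 1 (previous scenario): match servers by AD site instead.
New-ManagementScope -Name "Seattle Servers" -ServerFilter "ServerSite -eq '$siteDn'"

# Step 2: database scope matching every database bound to the DAG.
New-ManagementScope -Name "$dag Databases" `
    -DatabaseFilter "MasterServerOrAvailabilityGroup -eq '$dag'"

# Step 3: one role group, then one assignment per role, each restricted by the
# scope that fits the objects the role writes to (assumed pairing).
New-RoleGroup -Name $grp -Members "dag01.admin@contoso.com"

$serverRoles = "Exchange Servers", "Database Availability Groups"
$dbRoles     = "Databases", "Database Copies"
foreach ($r in $serverRoles) {
    New-ManagementRoleAssignment -Role $r -SecurityGroup $grp `
        -CustomConfigWriteScope "$dag Servers"
}
foreach ($r in $dbRoles) {
    New-ManagementRoleAssignment -Role $r -SecurityGroup $grp `
        -CustomConfigWriteScope "$dag Databases"
}

# Check: a server that belongs to the other DAG must not appear as writable for
# this group; any row returned here is a scope or membership mistake.
Get-ManagementRoleAssignment -RoleAssignee $grp -WritableServer "EX-DAG02-01"
```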

Restricting Management Access to a Protected Set of Database Copies

Given the new flexible mailbox protection feature in Exchange 2010, an Exchange organization has deployed a new DAG solution and no longer needs to maintain large quantities of daily backups in a secure location. These backups have been replaced by replicated database copies. The security team is concerned: all database administrators now have the ability to destroy every copy of a given database, whereas previously they would also have had to destroy a backup to which they were not granted physical access.

To satisfy the concerns of the security team, the database administrators need to be able to fully manage all database copies except one copy from each database which must be protected from malicious action. Only a select group of highly trusted administrators are given access to manage the protected databases.

Solution:

The organization administrator takes the following steps:

  1. A new Exclusive management scope of type ServerScope is created. The ServerFilter of the scope uses a filter that matches a single selected DAG member server.
  2. A new role group is created to manage the single selected server. All the roles that are required for managing the selected server and any database copies on that server are assigned to the role group using the exclusive scope that applies to the server.
  3. Highly trusted administrators are added as members to the new role group. Only these role group members have access to management tasks that can be used against any database copies on the selected server.

Restricting Administrative Access to a Set of VIP Users

An organization has a small group of highly visible top-level executive users. The organization administrator has decided to restrict management of these particular recipients to a small set of higher-level administrators. His goal is to ensure that the larger group of administrators can manage all recipients across the organization with the exception of this small set of executives.

Solution:

The organization administrator takes the following steps:

  1. A new Exclusive management scope of type RecipientScope is created. The RecipientFilter of the scope specifies a filter that matches a specific value on a specific custom attribute for mailbox-enabled users.
  2. A new role group is created to manage the executives. All management roles required to manage these recipients are assigned to this new role group using the exclusive scope that applies to the executives.
  3. Highly trusted administrators are added as members to the new role group. Only these role group members have access to management tasks that can be used against the executive recipients.
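The two exclusive scopes from the protected-copy scenario and the VIP scenario above, as an added Exchange Management Shell example that is not from the original post. The server name, the custom attribute and its value, the accounts and the role-to-scope pairing are assumptions.

```powershell
# Added example: exclusive scopes for a protected server and for VIP recipients.

# Protected database copies: an exclusive server scope around one DAG member.
New-ManagementScope -Name "Protected Copy Server" -Exclusive `
    -ServerFilter "Name -eq 'EX-DAG01-03'"          # assumed server name

New-RoleGroup -Name "Protected Copy Admins" -Members "trusted.admin@contoso.com"
foreach ($r in "Databases", "Database Copies", "Exchange Servers") {
    New-ManagementRoleAssignment -Role $r -SecurityGroup "Protected Copy Admins" `
        -ExclusiveConfigWriteScope "Protected Copy Server"
}

# VIP recipients: an exclusive recipient scope keyed on a custom attribute.
# The attribute value is what places a mailbox inside the protected set.
Set-Mailbox -Identity "ceo@contoso.com" -CustomAttribute1 "VIP"   # assumed tag
New-ManagementScope -Name "VIP Users" -Exclusive `
    -RecipientRestrictionFilter "CustomAttribute1 -eq 'VIP'"

New-RoleGroup -Name "VIP Admins" -Members "vip.admin@contoso.com"
foreach ($r in "Mail Recipients", "Mail Recipient Creation") {
    New-ManagementRoleAssignment -Role $r -SecurityGroup "VIP Admins" `
        -ExclusiveRecipientWriteScope "VIP Users"
}

# Check 1: every exclusive assignment in the organization. Exclusive scopes
# override all regular scopes, so each row here deserves periodic review.
Get-ManagementRoleAssignment -Exclusive |
    Format-Table RoleAssigneeName, Role, ExclusiveConfigWriteScope, ExclusiveRecipientWriteScope

# Check 2: the effective set of users who can now write to a protected object.
Get-ManagementRoleAssignment -WritableRecipient "ceo@contoso.com" -GetEffectiveUsers |
    Format-Table EffectiveUserName, Role, RoleAssigneeName
Get-ManagementRoleAssignment -WritableServer "EX-DAG01-03" -GetEffectiveUsers |
    Format-Table EffectiveUserName, Role, RoleAssigneeName
```

Because membership in the VIP scope is decided entirely by CustomAttribute1, reserve that attribute for this purpose rather than reusing it for other provisioning so the protected set stays exactly the intended executives.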
This entry was posted in Exchange Servers.

3 Responses to Database & Server Scoping Scenarios – RBAC Exchange 2010

  1. samit says:

    hey Charles! Good to see your blog….keep going!

    Samit

  2. Pingback: E2K10 – RABC: Jane the Administrator | Jonson Yang
