Role Based Access Control (RBAC) is the permissions model used in Microsoft Exchange Server 2010/2013. With RBAC, you don't need to modify and manage access control lists (ACLs), which was done in Exchange Server 2007. ACLs created several challenges in Exchange 2007, such as modifying ACLs without causing unintended consequences, maintaining ACL modifications through upgrades, and troubleshooting problems that occurred due to using ACLs in a nonstandard way.

RBAC enables you to control, at both broad and granular levels, what administrators and end-users can do. RBAC also enables you to more closely align the roles you assign users and administrators to the actual roles they hold within your organization. In Exchange 2007, the server permissions model applied only to the administrators who managed the Exchange 2007 infrastructure. In Exchange 2010/2013, RBAC now controls both the administrative tasks that can be performed and the extent to which users can now administer their own mailbox and distribution groups.

In this Blog I’ll walk you through the creation of a custom Role Group “Admin1” that has to perform the tasks below

Procedure

1. Create 2 Management Roles for “Admin1” to make them:

• Mount/Dismount databases

• Update/Suspend/resume databases copies

• Check databases copies status

• Switchover/Failover databases

   

a. Create a Management Role that has the same permission as the “Database Copies” management Role with the following command

b. Remove the management Role entries that are not required for Admin1 Group with the commad below

c. Repeat STEP-B until you remove all the unnecessary commands

d. Check the entries that you left in the Management Role with the following command

Note: Make sure you left only the list shown below:

e. Create a Management Role that has the same permission as the “Databases” Management Role with the following command

f. Remove the management Role entries that are not required for Admin1 Group with the commad below 

g. Repeat Above until you remove all the unnecessary commands as shown below

2. Grant “Admin1” the "View-Only Configuration" role permissions with the command below

3. Create a management Role that has the same permission as the “Organization Configuration” Management Role with the following command

a. Remove the management Role entries that are not required for Admin1 Group with the commad below

b. Repeat above until you remove all the unnecessary commands as shown below

c. To Grant the “Admin1” Group the management role "Admin1_Organization Configuration" run the command below

4. Create a management role that has the same permission as "Message Tracking" Role with the following command

a. Remove the management Role entries that are not required for Admin1 Group with the commad below

b. To Grant the “Admin1” Group the management role "Admin1_Message Tracking" run the command below

5. Create a management role that has the same permission as "Recipient Policies" Role with the following command

a. Remove the management Role entries that are not required for Admin1 Group with the commad below:

b. Create a new RoleGroup "Admin1_Recipient Management", granted the permissions to create/manage recipients and  add “Admin1” Group as member "Admin1_Message Tracking" with the command below

6. Grant “Admin1” the ""Support Diagnostics" Role permissions with the command below

7. To Grant the “Admin1” Group the right to perform Mailbox Import Export run the command below

8. Create a management role that has the same permission as “Exchange Server Certificates" Role with the following command

a. Remove the management Role entries that are not required for Admin1 Group with the commad below

b. To Grant the “Admin1” Group the management role "Admin1_Exchange Server Certificates" run the command below

9. From the ECP, add the Management Roles “Admin1_Database_Copies” and “Admin1_Databases” to the Role Group “Admin1”

Ghazi Boufaden from NEPA PFE team.