Tuesday, 29 June 2010 08:49

RBAC Management Role Assignment Policy


I hope you are all aware of the Role Based Access Control (RBAC) permission model introduced with Microsoft Exchange Server 2010. Here we will discuss the RBAC management role assignment policy in more detail. If you are not clear about how RBAC works as a permission model, see http://www.exchangedictionary.com/index.php/Articles/role-based-access-control-exchange-2010.html

As I discussed in my previous post about RBAC, management role assignment policies associate end-user management roles with users. Role assignment policies consist of roles that control what a user can do with his or her mailbox or distribution groups. When we create an assignment policy, we can define all the actions that a user can perform on his or her mailbox. By using an assignment policy, you can control which specific mailbox and distribution group settings your end users can modify.

 

Now, what do we mean by an end-user management role?

An end-user management role is simply a role whose scope is limited to ‘self’ or ‘MyGAL’. You can identify an end-user management role by checking the “IsEndUserRole” property of a management role.

You can use the command below to list all the available end-user management roles:

Cmdlet:  Get-ManagementRole | Where-Object { $_.IsEndUserRole -eq $true }

[Screenshot: list of end-user management roles]

Role Assignment Policy Layers:

The simple diagram below shows the management role assignment policy model.

[Diagram: role assignment policy layers]

Let us now see in brief what these 4 layers are:
 

Mailbox: A mailbox (or user) is the object to which we assign the role assignment policy. When a mailbox is assigned a role assignment policy, the assignments between management roles and that role assignment policy are applied to the mailbox. This grants the mailbox all of the permissions provided by the management roles.

Management Role Assignment Policy: Users are associated with the default role assignment policy when their mailbox is created. The policy is also how you assign end-user roles to a user. The combination of all the permissions of the roles on an assignment policy defines everything that a user can do. We cannot specify the scope; the scope applied by the assignment is based on the role and is either self or MyGAL.

Management Role: Management role is a container of management role entries, see Management Role

Management Role Entry: Management role entries are the individual entries on a management role that determine what cmdlets and parameters are available to the management role.

How to Create and Assign Role Assignment Policy:

As we discussed earlier in this post, all users (mailboxes) that have either been created in Exchange 2010 or been moved from another version of Exchange have a default management role assignment policy applied. The Exchange organization has only one policy by default, which is the ‘Default Role Assignment Policy’. Now let us see which roles are part of this default policy by running the command below.

Cmdlets: Get-ManagementRoleAssignment | Where-Object {$_.RoleAssigneeName -eq 'Default Role Assignment Policy'} | fl RoleAssignee,Role
You can see that the following roles are assigned to the policy:

  • MyBaseOptions
  • MyContactInformation
  • MyVoiceMail
  • MyTextMessaging
  • MyDistributionGroupMembership

Now let us take a scenario where you don’t want end users to administer the Text Messaging section. You can create a new management role assignment policy that leaves out the MyTextMessaging role. Before we proceed, let us look at the current ECP options of a user.

[Screenshot: ECP options with the Text Messaging section, before the change]

You can see that the user has permission to view and modify the text messaging options. Now let us create a new policy and assign it to the same user. In brief, the steps to accomplish this are:

  1. Create Roles
  2. Create Policy
  3. Add roles into the new policy
  4. Apply the new policy to the user Exchange Dictionary

You may be wondering why we need new roles and why we can’t use the existing ones. Of course you can use the existing roles, but it is recommended to create separate roles derived from the existing roles. This lets you customize them further without disturbing the built-in roles, which could otherwise affect the other users to whom the default policy is applied.

Create Roles from built in Roles: You can use the cmdlet New-ManagementRole to create new roles from an existing role, read more about Management Role here

New-ManagementRole -Name "EDMyBaseOptions" -Parent MyBaseOptions

New-ManagementRole -Name "EDMyContactInformation" -Parent MyContactInformation

New-ManagementRole -Name "EDMyVoiceMail" -Parent MyVoiceMail

New-ManagementRole -Name "EDMyDistributionGroupMembership" -Parent MyDistributionGroupMembership

We can use the command Get-ManagementRole to list the newly created roles,
Cmdlet: Get-ManagementRole EDMy*

[Screenshot: list of the new roles]

We have not created a new role from the ‘MyTextMessaging’ role, because the new policy will not include the text messaging permission.

Create the new policy: You can use the cmdlet New-RoleAssignmentPolicy to create a new policy, see below.
Cmdlets: New-RoleAssignmentPolicy -Name "ED Assignment Policy"

[Screenshot: new policy]

Add roles into the new policy ED Assignment Policy: You can use the cmdlet ‘New-ManagementRoleAssignment’ to add a role to the assignment policy, use the below commands in sequence to assign all four roles to the policy “ED Assignment Policy”

Cmdlets:
New-ManagementRoleAssignment -Name "ED Policy-BaseOptions" -Role EDMyBaseOptions -Policy "ED Assignment Policy"

New-ManagementRoleAssignment -Name "ED Policy-ContactInformation" -Role EDMyContactInformation -Policy "ED Assignment Policy"

New-ManagementRoleAssignment -Name "ED Policy-VoiceMail" -Role EDMyVoiceMail -Policy "ED Assignment Policy"

New-ManagementRoleAssignment -Name "ED Policy-DistributionGroupMembership" -Role EDMyDistributionGroupMembership -Policy "ED Assignment Policy"

Now let us confirm the list of roles associated with the policy “ED Assignment Policy” by running the cmdlet below:

Cmdlet: Get-ManagementRoleAssignment | Where-Object {$_.RoleAssigneeName -eq 'ED Assignment Policy'} | fl RoleAssignee,Role

[Screenshot: roles assigned to ED Assignment Policy]

Now we are all set to associate the new policy to the user.

Apply the new role assignment policy to the end user: To assign a new policy to the end user, you can use the Set-Mailbox command, because the assignment policy is one of the user mailbox parameters.

Cmdlet:  Set-Mailbox -Identity "Exchange Dictionary" -RoleAssignmentPolicy "ED Assignment Policy"
Now let us log back in to the Exchange Dictionary mailbox options and verify:

[Screenshot: ECP options after applying the new policy]

You can see that the Text Messaging tab is no longer there, so the policy has been applied successfully.
Very Nice!!! Isn’t it? Try this.

-Praveen
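
A read-only audit to run after the steps above, as an added example that is not part of the original post: for each role assignment policy it reports how many mailboxes use it and whether it still contains MyTextMessaging or a role derived from it. It assumes the Exchange Management Shell and that role and policy references render as their names when cast to a string; the variable names are illustrative.

```powershell
# Added audit example (not from the original post). Read-only: uses Get-* cmdlets only.
$restrictedRoot = 'MyTextMessaging'   # role the post's scenario withholds from end users

# The built-in role plus every custom role created from it with -Parent.
$restricted = @(Get-ManagementRole -Identity $restrictedRoot -Recurse |
    ForEach-Object { $_.Name })

# Collect mailboxes once and count them per role assignment policy.
$mailboxes = @(Get-Mailbox -ResultSize Unlimited)
$mailboxCount = @{}
foreach ($mbx in $mailboxes) {
    $name = [string]$mbx.RoleAssignmentPolicy
    if (-not $name) { $name = '(none)' }
    $mailboxCount[$name] = 1 + [int]$mailboxCount[$name]
}

# Same filter the post uses (RoleAssigneeName), applied to every policy.
$assignments = @(Get-ManagementRoleAssignment)
$report = foreach ($policy in (Get-RoleAssignmentPolicy)) {
    $roles = @($assignments |
        Where-Object { $_.RoleAssigneeName -eq $policy.Name } |
        # A child role may render as Parent\Child; keep the leaf name only.
        ForEach-Object { ([string]$_.Role).Split('\')[-1] } |
        Sort-Object -Unique)
    $hits = @($roles | Where-Object { $restricted -contains $_ })

    New-Object PSObject -Property @{
        Policy          = $policy.Name
        IsDefault       = $policy.IsDefault
        Mailboxes       = [int]$mailboxCount[$policy.Name]
        Roles           = $roles -join ', '
        RestrictedRoles = $hits -join ', '
    }
}

$report | Sort-Object Policy |
    Format-Table Policy, IsDefault, Mailboxes, RestrictedRoles, Roles -AutoSize -Wrap

# Mailboxes that still receive the restricted role through their policy.
$exposed = @($report | Where-Object { $_.RestrictedRoles } |
    ForEach-Object { $_.Policy })
$mailboxes |
    Where-Object { $exposed -contains [string]$_.RoleAssignmentPolicy } |
    Select-Object Name, RoleAssignmentPolicy
```

A policy that shows IsDefault as True and a non-empty RestrictedRoles column means newly created mailboxes will still get the text messaging options until they are moved to the restricted policy.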
