Introduction Role Based Access Control (RBAC) is the new permissions model in Microsoft Exchange Server 2010. With RBAC, you don't need to modify and manage access control lists (ACLs), which was...
Published Nov 17, 2009
Version 1.0
Blog Post
Hi David,
In response to your question about assigning users directly to a group. I guess I should have been more specific. In general you will be assigning RBAC roles to the lowest level in your group structure as possible. This is because RBAC roles are addative ... so you want to make sure to get i the assignments as close to the user as you can to ensure that no one gets rights they are not supposed to get.
In the case of Role Groups ... Please do not think that you need to go and create a whole new group structure to manage RBAC on top of your existing Groups. Role groups are just an exchange "construct" to make RBAC managment a touch easier. You can assign an RBAC role to any Security Group, or User object in AD. So you can assign any roles you create directly to your existing AD group structure.
If you want an existing Security Group to show up as a Role Group you can change a few properties in AD and will show up.
msExchCoManagedByLink: CN=Organization Management,OU=Microsoft Exchange Security Groups,DC=domain,DC=com;
msExchRecipientTypeDetails: 1073741824;
msExchVersion: 44220983382016;
Hopefully that clears up your concerns?
-Matt
In response to your question about assigning users directly to a group. I guess I should have been more specific. In general you will be assigning RBAC roles to the lowest level in your group structure as possible. This is because RBAC roles are addative ... so you want to make sure to get i the assignments as close to the user as you can to ensure that no one gets rights they are not supposed to get.
In the case of Role Groups ... Please do not think that you need to go and create a whole new group structure to manage RBAC on top of your existing Groups. Role groups are just an exchange "construct" to make RBAC managment a touch easier. You can assign an RBAC role to any Security Group, or User object in AD. So you can assign any roles you create directly to your existing AD group structure.
If you want an existing Security Group to show up as a Role Group you can change a few properties in AD and will show up.
msExchCoManagedByLink: CN=Organization Management,OU=Microsoft Exchange Security Groups,DC=domain,DC=com;
msExchRecipientTypeDetails: 1073741824;
msExchVersion: 44220983382016;
Hopefully that clears up your concerns?
-Matt