Hi bday,
I understand your concern. And to a degree in a large organization you are still going to end up with some spray. There is just no way around that if you have a highly decentralized administration model.
The advantage of RBAC in that situation is that all of your management is in one place. There is no hunting through ADSIedit for the complex AD permissions that you need to set to limit these users to a set of actions. It is all done with RBAC. So yes you end up with 100s of Assignments ... but all of your management is in one place, using one set of rules, and one common easy-to-understand rule set.
Also with RBAC you can reuse quite a bit, from roles assigned with different scopes to different roles with the same scopes. The number of Roles and Scopes you have to create is limited ... you just need to set up all of the assignments matching the Scopes with the Roles.
In reference to your Scope request ... currently you can set up scopes using group membership, e.g. a scope can be defined as all members of Group "VIPs". Database scoping is not currently in the product but was a big ask of the TAP members on the beta, so I suspect we are working on that for the future.
-Matt