Make Role Based Access Control (RBAC) work for you
Transcript of Make Role Based Access Control (RBAC) work for you
Bhargav Shukla, Director – Product Research and Innovation, KEMP Technologies
Session MNG303
Agenda
- Understanding RBAC
- RBAC in Exchange 2013
- RBAC in Lync 2013
- Real world deployment planning for RBAC
Understanding RBAC
History of RBAC
- An approach to restricting system access to authorized users
- The concept of RBAC at Microsoft goes back to 2003 or maybe even earlier
  - Anyone remember AzMan, the Authorization Manager?
  - Security objects (Active Directory) and the policy store (AzMan) live in separate locations
  - Provides granular permissions based on organizational requirements rather than on DACLs
History of RBAC
- RBAC as we know it was introduced in Exchange 2010 and Lync Server 2010
- Simplifies access control administration
- Removes the dependency on AD administrators for routine tasks
- Roles are closely mapped to the application, e.g. Exchange or Lync
- Provides the ability to grant granular permissions
  - Access can be controlled at the cmdlet and parameter level
  - Better permission assignments than the canned permission groups of earlier versions
RBAC in Exchange 2013
RBAC in Exchange 2013
- All Exchange 2013 tools are based on remote PowerShell
  - Exchange Management Shell (EMS)
  - Exchange Admin Center (EAC)
- All tools leverage
  - PowerShell v3.0
  - Windows Remote Management (WinRM)
  - Remote PowerShell through IIS (the PowerShell virtual directory)
- RBAC is incorporated into the IIS remote PowerShell implementation
  - This is why even a local EMS session goes through IIS!
RBAC in Exchange 2013
- No dependency on a WinRM PowerShell listener
  - winrm enumerate winrm/config/Listener does not return any listener on an Exchange 2013 server; the endpoint is the IIS-hosted PowerShell virtual directory, not a WinRM listener on its own port
- Connect to Exchange remotely using PowerShell (Kerberos authentication is the documented form):
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://<FQDN of Exchange server>/PowerShell/ -Authentication Kerberos
    Import-PSSession $Session
Better than ACLs
- RBAC provides a much more granular model
- Exchange 2003 had 3 management groups
  - Exchange Full Administrator
  - Exchange Administrator
  - Exchange View-Only Administrator
- Exchange 2007 had 5 management groups
  - Exchange Organization Administrator
  - Exchange Recipient Administrator
  - Exchange View-Only Administrator
  - Exchange Public Folder Administrator
  - Exchange Server Administrator
RBAC Components (diagram)
- What? – Management Role
  - Role Entries: Cmdlet: Parameters, Cmdlet: Parameters, Cmdlet: Parameters
- Where? – Management Scope
  - Recipient Read Scope
  - Recipient Write Scope
  - Configuration Read Scope
  - Configuration Write Scope
- Who? – Management Role Group (Administrators) or Assignment Policy (Users)
- Role Assignment – ties the three together
RBAC Components
"What" – Roles/Cmdlets/Parameters
- Management Roles
  - A group of cmdlets and parameters
  - Defines a job role
  - ~83 pre-defined roles in Exchange 2013
- Management Role Entries
  - Each represents an individual cmdlet and its parameters
  - List the role entries for a role:
      Get-ManagementRoleEntry "RoleName\*"
  - Narrow the output to entries of a given type, or to entries that expose particular parameters, with the -Type and -Parameters parameters
RBAC Components
"What" – Roles/Cmdlets/Parameters
- Creating new management roles
  - Parent-child hierarchy
  - Built-in roles serve as the parent
  - Existing custom roles can also be used as the parent of new roles
  - A new "child" role can be modified
    - Entries can be removed
    - Entries the parent role doesn't have can't be added
  - In general, every new role must be created from an existing role
  - There are always exceptions…
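An added example, not from the deck, that walks the "What" chain end to end: inspect a built-in role's entries, derive a child role from it, and trim the child down to the cmdlets and parameters one job needs. It assumes an Exchange 2013 management session opened by a holder of the Role Management role; the child role name, the cmdlet list and the parameter lists are illustrative.

```powershell
# Added example, not from the slides. Assumes an EMS or remote Exchange 2013 session
# held by an account with the Role Management role. Role name, cmdlet and parameter
# lists are illustrative: a help desk that may only update directory details.

$parent = "Mail Recipients"             # built-in role used as the parent
$role   = "Help Desk Directory Updates" # the child role derived from it (assumed name)

# "What" the parent allows: one role entry per cmdlet, each with its parameter list.
Get-ManagementRoleEntry "$parent\*" | Format-Table Name, Parameters -AutoSize

# -Parameters narrows the listing to entries that expose the given parameter(s);
# -Type narrows it to Cmdlet, Script or ApplicationPermission entries.
Get-ManagementRoleEntry "$parent\*" -Parameters Office
Get-ManagementRoleEntry "$parent\*" -Type Cmdlet | Measure-Object

# A new role must derive from an existing one and starts as a full copy of the parent.
New-ManagementRole -Name $role -Parent $parent

# Child roles can only lose entries; nothing the parent lacks can be added later.
# Keep just the cmdlets this job needs and remove everything else.
$keep = "Get-Mailbox", "Get-User", "Set-Mailbox", "Set-User"
Get-ManagementRoleEntry "$role\*" |
    Where-Object { $_.Name -notin $keep } |
    Remove-ManagementRoleEntry -Confirm:$false

# Parameter-level trimming. Without -AddParameter or -RemoveParameter, the list given
# to -Parameters replaces the entry's parameter list outright.
Set-ManagementRoleEntry "$role\Set-User"    -Parameters Identity, Office, Phone, Department, Title
Set-ManagementRoleEntry "$role\Set-Mailbox" -Parameters Identity, DisplayName

# Verify before handing the role to anyone: four entries, tightly scoped parameters.
Get-ManagementRoleEntry "$role\*" | Format-Table Name, Parameters -AutoSize
```

The order matters: remove whole entries first, then trim parameters on what remains. A child entry can never carry a parameter its parent entry lacks, so the trimmed lists above are only valid because "Mail Recipients" already exposes those parameters.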
RBAC Components
"What" – Roles/Cmdlets/Parameters
- Creating new management roles: the exception – the "Unscoped Top Level" role
  - As the name implies: no scope can be assigned, no parent can be assigned; it creates an empty role container
  - Creating one requires the "Unscoped Role Management" role, which is not assigned to any role group by default
- Benefits of the "Unscoped Top Level" role
  - Provides restricted access to business logic
  - Scripts can be assigned to the role
    - Scripts reside on the Exchange server
    - Users can run a script as an exported cmdlet but can't see or modify its source
    - Users don't need access to the cmdlets that the script runs
- RBAC and Principle of Least Privilege – http://bit.ly/unscopedtoplevel
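An added example, not from the deck, that builds the unscoped-top-level pattern described above: a single approved script is published through an empty role so help desk staff can run it without holding Set-Mailbox themselves. It is run in an EMS session on an Exchange 2013 server by an organization administrator. The role name, the script name and body, and the choice to grant "Unscoped Role Management" to Organization Management are illustrative; the "Help Desk" role group is the built-in one.

```powershell
# Added example, not from the slides. Run on an Exchange 2013 server in EMS as an
# organization administrator. Role, script and assignment names are illustrative.

# Pre-requisite: "Unscoped Role Management" is assigned to nobody by default. Grant it
# once (here to Organization Management) before creating unscoped top-level roles.
New-ManagementRoleAssignment -Name "Unscoped Role Mgmt - Org Mgmt" `
    -Role "Unscoped Role Management" -SecurityGroup "Organization Management"

# The script lives under the Exchange install path, in RemoteScripts, and must be copied
# to every server a user could connect to. Users get it as an exported command, not source.
$scriptName = "Reset-HelpDeskPassword.ps1"   # assumed name
$scriptPath = Join-Path $env:ExchangeInstallPath "RemoteScripts\$scriptName"

@'
param(
    [Parameter(Mandatory = $true)][string]$Identity
)
# Business logic is fixed here and cannot be altered by the caller: a random temporary
# password, with a forced change at next logon. The caller never holds Set-Mailbox.
$temp = ConvertTo-SecureString -AsPlainText -Force ([guid]::NewGuid().ToString("N").Substring(0, 16))
Set-Mailbox -Identity $Identity -Password $temp -ResetPasswordOnNextLogon $true
'@ | Set-Content -Path $scriptPath -Encoding UTF8

# The empty role container: no parent, no scope.
New-ManagementRole -Name "Help Desk Scripts" -UnScopedTopLevel

# Publish the script as a role entry, exposing only the parameters callers may pass.
Add-ManagementRoleEntry "Help Desk Scripts\$scriptName" -Parameters Identity -Type Script -UnScopedTopLevel

# "Who": the built-in Help Desk role group receives the role.
New-ManagementRoleAssignment -Name "Help Desk Scripts - Help Desk" `
    -Role "Help Desk Scripts" -SecurityGroup "Help Desk"

# Check from a Help Desk member's remote session: the script is a command, Set-Mailbox is not.
Get-Command $scriptName, Set-Mailbox -ErrorAction SilentlyContinue | Format-Table Name, CommandType
```

Treat the RemoteScripts folder as code you ship: restrict NTFS write access to it, keep the scripts in version control, and review changes, because whatever is in that file runs in the server's security context for every caller of the role.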
Demo: Unscoped Top Level Role
RBAC Components
"Where" – Self/OU/Scope
- Defined by the RBAC management scope
- Inherited from the parent role if none is specified on the assignment
- Use ServerList to define server scopes
- Use RecipientRoot to define an OU scope
- Use OPATH filters (RecipientRestrictionFilter, ServerRestrictionFilter) to define recipient or server restrictions
- Use Exclusive to protect objects: recipients or servers matched by an exclusive scope can be modified only through assignments that use that exclusive scope; regular scopes on other assignments no longer cover them
- Can't assign a scope outside the role's implicit scope boundaries
RBAC Components
"Who" – Admins/Users
- Role assignees
  - Can be a direct assignment to a user
  - Commonly assignments are created for a group
  - Role assignments for administrators
  - Role assignment policies for end users
- Role group members
  - Role groups are located in the "Microsoft Exchange Security Groups" OU in AD
  - The New-RoleGroup cmdlet creates a new USG in that OU
  - The *-RoleGroupMember cmdlets manipulate role group membership
  - Use the BypassSecurityGroupManagerCheck parameter when you are not listed as the group's manager (ManagedBy) but are otherwise permitted to change membership, e.g. as a holder of the Role Management role, or when managing security distribution groups
RBAC Components
- It is possible to move the "Microsoft Exchange Security Groups" OU to a different domain in the forest
  - The otherWellKnownObjects attribute of the Exchange organization object is updated when the OU is moved
- The groups can also be moved to a different OU
  - Only moving all of the groups is supported; moving only some of them is not
RBAC Components
- Role assignment
  - The glue that connects Who/Where/What
  - New-ManagementRoleAssignment
    - A role and an assignee (role group, USG, user or assignment policy) are required
    - Scope is optional
    - If no scope is defined, the assignment inherits the scope from the role
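An added example, not from the deck, that wires "What", "Where" and "Who" together for a regional recipient team, including the exclusive-scope case. It assumes an Exchange 2013 session held by an Organization Management member; the OU path, OPATH filters, user addresses, and the "EMEA Recipient Admins" and "Executive Support" role groups are illustrative, while "Mail Recipients", "Distribution Groups" and "Mail Recipient Creation" are built-in roles.

```powershell
# Added example, not from the slides. Assumes an Exchange 2013 session held by an
# Organization Management member. OU, filters, users and custom group names are assumed.

# "Where": a recipient scope rooted at an OU, narrowed with an OPATH filter so that
# only user mailboxes in that subtree are writable.
New-ManagementScope -Name "EMEA Mailboxes" `
    -RecipientRoot "contoso.com/EMEA" `
    -RecipientRestrictionFilter { RecipientType -eq "UserMailbox" }

# Exclusive variant: once it exists, mailboxes it matches can be changed only through
# assignments that use this scope; regular scopes on other assignments no longer reach them.
New-ManagementScope -Name "Executive Mailboxes" `
    -RecipientRestrictionFilter { CustomAttribute1 -eq "Executive" } `
    -Exclusive -Confirm:$false

# "Who": a role group is a USG created under "Microsoft Exchange Security Groups".
# Roles listed here become assignments, each limited by -CustomRecipientWriteScope.
New-RoleGroup -Name "EMEA Recipient Admins" `
    -Roles "Mail Recipients", "Distribution Groups" `
    -CustomRecipientWriteScope "EMEA Mailboxes" `
    -Members "alice@contoso.com" `
    -ManagedBy "emea-admin-lead@contoso.com" `
    -Description "Recipient administration limited to the EMEA OU"

# The glue by hand: a role and an assignee are required, the scope is optional and
# otherwise inherited from the role.
New-ManagementRoleAssignment -Name "Mail Recipient Creation - EMEA" `
    -Role "Mail Recipient Creation" -SecurityGroup "EMEA Recipient Admins" `
    -CustomRecipientWriteScope "EMEA Mailboxes"

# Executive mailboxes: only an assignment carrying the exclusive scope can touch them.
New-ManagementRoleAssignment -Name "Mail Recipients - Executive Support" `
    -Role "Mail Recipients" -SecurityGroup "Executive Support" `
    -ExclusiveRecipientWriteScope "Executive Mailboxes"

# Membership changes go through *-RoleGroupMember; a Role Management holder who is not
# the group's manager needs -BypassSecurityGroupManagerCheck.
Add-RoleGroupMember "EMEA Recipient Admins" -Member "bob@contoso.com" -BypassSecurityGroupManagerCheck

# Verify: assignments and their effective scopes, then the people they actually cover.
Get-ManagementRoleAssignment -RoleAssignee "EMEA Recipient Admins" |
    Format-Table Name, Role, CustomRecipientWriteScope, RecipientWriteScope -AutoSize
Get-ManagementRoleAssignment -Role "Mail Recipients" -GetEffectiveUsers |
    Format-Table EffectiveUserName, RoleAssigneeName, CustomRecipientWriteScope -AutoSize
```

Note that the custom scope must sit inside the role's implicit scope; a recipient write scope on an assignment of a configuration-only role, or one that reaches outside the organization, is rejected when the assignment is created.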
Demo: Creating custom RBAC roles in Exchange 2013
Watch out for…
- Don't remove the View-AdServerSettings cmdlet entries from custom roles
- Update RBAC scopes (RecipientRoot) if moving an OU
RBAC behind the scenes
- All tasks run under the security context of the Exchange server that provides the PowerShell session
- The Exchange servers are members of the Exchange Trusted Subsystem USG
- The Exchange Trusted Subsystem USG has the permissions to carry out all Exchange tasks
- RBAC determines the level of access given to the user before the cmdlet runs
RBAC behind the scenes
- What do you see in Active Directory audits when an object is created or changed?
  - The Active Directory modifications are made by Exchange Trusted Subsystem (the Exchange server's computer account), so AD audit events do not name the administrator
  - Use the Exchange admin audit log for actions performed by admins
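An added example, not from the deck, showing where the attribution actually lives: the Exchange admin audit log records the calling administrator, the cmdlet and its parameters, which the AD audit trail cannot. It assumes an Exchange 2013 session with the Audit Logs role; the 30-day window and the list of RBAC-affecting cmdlets are illustrative.

```powershell
# Added example, not from the slides. Assumes an Exchange 2013 session with the
# Audit Logs role. Date window and cmdlet list are illustrative.

# Confirm admin audit logging is on (the Exchange 2013 default) and what it captures.
Get-AdminAuditLogConfig |
    Format-List AdminAuditLogEnabled, AdminAuditLogCmdlets, AdminAuditLogParameters, AdminAuditLogAgeLimit

# Who changed RBAC itself in the last 30 days: role, entry, scope, assignment and
# role group membership cmdlets. Each hit names the real caller, not the server.
$rbacCmdlets = "New-ManagementRole", "Remove-ManagementRole",
               "Add-ManagementRoleEntry", "Remove-ManagementRoleEntry", "Set-ManagementRoleEntry",
               "New-ManagementScope", "Set-ManagementScope",
               "New-ManagementRoleAssignment", "Set-ManagementRoleAssignment", "Remove-ManagementRoleAssignment",
               "Add-RoleGroupMember", "Remove-RoleGroupMember", "Update-RoleGroupMember"

$since = (Get-Date).AddDays(-30)
Search-AdminAuditLog -Cmdlets $rbacCmdlets -StartDate $since -EndDate (Get-Date) |
    Sort-Object RunDate |
    Format-Table RunDate, Caller, CmdletName, ObjectModified, Succeeded -AutoSize

# Drill into membership changes: which group gained which member, passed by whom.
Search-AdminAuditLog -Cmdlets Add-RoleGroupMember -StartDate $since -EndDate (Get-Date) |
    ForEach-Object {
        [pscustomobject]@{
            When   = $_.RunDate
            Caller = $_.Caller
            Target = $_.ObjectModified
            Params = ($_.CmdletParameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join "; "
        }
    } | Format-Table -AutoSize
```

Two caveats a reviewer should keep in mind: the log only covers cmdlets run through the Exchange tools, so a change made with ADSI Edit or the AD cmdlets directly appears only in AD auditing, and the entries age out after AdminAuditLogAgeLimit (90 days by default), so export or forward them if the retention requirement is longer.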
RBAC split permissions
- Permissions to create security principals are controlled by RBAC
- Only Exchange servers, services and members of the appropriate role groups can create security principals
- Switching to RBAC split permissions is a manual process
  - To implement – http://bit.ly/17yvC5i
  - To remove – http://bit.ly/16TgQGZ
Active Directory split permissions
- Implemented with Setup during or after installation (Setup.exe /PrepareAD /ActiveDirectorySplitPermissions:true in Exchange 2013)
- The Microsoft Exchange Protected Groups OU is created
- The Exchange Windows Permissions (EWP) group is created in, or moved to, that OU
- Exchange Trusted Subsystem (ETS) is not added to the EWP group
- ACEs are not added to the AD domain object for the EWP group
- Non-delegating role assignments are not created for the Mail Recipient Creation and Security Group Creation and Membership roles
- More details – http://bit.ly/16Thp3w
Split permissions
- Using RBAC
  - Separates who can create security principals from those who administer the Exchange configuration
  - Simplified process while maintaining separation
  - Can use the Exchange management tools
  - Allows Exchange servers and services to create security principals
- Using Active Directory
  - Separation of roles as well as tools
  - Several changes are made to the permissions granted to ETS and the Exchange servers
  - Can't use the Exchange management tools to create security principals
  - Can't manage distribution group membership from the Exchange management tools
RBAC in Lync 2013
RBAC in Lync 2013
- Access is granted based on the user's Lync Server role
- Allows administrators to delegate precisely the rights needed
- Restrictions are effective only on remote connections
  - RBAC does not apply to a local connection on the server
  - To be subject to RBAC, administrators must work through the Lync Server Control Panel or a remote PowerShell session; a Lync Server Management Shell opened locally on the server bypasses it, so local logon to the servers should be limited to those trusted with unrestricted access
RBAC in Lync 2013
- Connect remotely using PowerShell:
    $cred = Get-Credential "Domain\Lync_Administrator"
    $session = New-PSSession -ConnectionUri "https://LyncServer/OcsPowershell" -Credential $cred
    Import-PSSession $session
How it differs from Exchange 2013
- Scope is limited to
  - Configuration scope "Site:SiteID"
  - User scope "OU:OU Path"
- Role group members
  - Members of Universal Security Groups
  - No cmdlet for managing role members; membership is managed with AD tools
- New role creation
  - Not as granular as Exchange: access can be limited per cmdlet but not at the parameter level
  - Role definitions are stored in the Central Management Store (CMS); Exchange stores them in AD
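An added example, not from the deck, of a site- and OU-scoped Lync Server 2013 role built from a template, followed by the checks an admin would run. It assumes a remote session like the one above, an existing AD universal security group named "SalesSiteUserAdmins" (Lync has no cmdlet for role membership and the role name must match the group's SamAccountName), a site named "Redmond", an OU path and a user name, all illustrative; the hashtable form of Set-CsAdminRole -Cmdlets is assumed syntax to verify against your build.

```powershell
# Added example, not from the slides. Assumes a remote Lync 2013 session, an existing
# AD USG "SalesSiteUserAdmins", a site "Redmond", and illustrative OU and user names.

# Custom roles are derived from a template role and carry the only two scope kinds
# Lync knows: configuration scope by site, user scope by OU.
New-CsAdminRole -Identity "SalesSiteUserAdmins" -Template CsUserAdministrator `
    -ConfigScopes "site:Redmond" `
    -UserScopes "OU:OU=Sales,DC=contoso,DC=com"

# Cmdlet-level tailoring (new in Lync 2013). Parameter-level control does not exist.
# Assumed syntax for adding cmdlets to the template's list; check it against your build.
Set-CsAdminRole -Identity "SalesSiteUserAdmins" -Cmdlets @{ Add = "Get-CsClientPolicy", "Grant-CsClientPolicy" }

# Membership is AD group membership, changed with AD tools rather than a Lync cmdlet.
Add-ADGroupMember -Identity "SalesSiteUserAdmins" -Members "kenmyer"

# Review: the role as stored in the CMS, and the roles one administrator ends up holding.
Get-CsAdminRole -Identity "SalesSiteUserAdmins" |
    Format-List Identity, Template, ConfigScopes, UserScopes, Cmdlets
Get-CsAdminRoleAssignment -Identity "kenmyer"
```

Because the role definition is in the CMS but the membership is in AD, a review of "who can do what" in Lync has to join the two: Get-CsAdminRole for the rights, AD group membership for the people.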
Demo: Creating custom RBAC roles in Lync 2013
Deployment planning
Deployment planning
- Understanding the organizational structure
- Understanding job roles
- Mapping job roles to built-in management roles
- Documenting the permissions requirements
- Creating a repeatable process and supporting documentation
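An added example, not from the deck, that turns the planning steps into queries against Exchange 2013: express a job role as the cmdlets and parameters it needs, find which built-in roles can serve as a parent, and document what a given administrator can do today. It assumes an Exchange 2013 session with the Role Management or View-Only Configuration role; the job role, its needs, the user name and the output path are illustrative.

```powershell
# Added example, not from the slides. Assumes an Exchange 2013 session with at least
# View-Only Configuration rights. Job role, needs, user and output path are illustrative.

# A job role expressed as what it actually needs: cmdlets plus the parameters used.
$jobRole = @{
    Name  = "Help Desk Tier 1"
    Needs = @(
        @{ Cmdlet = "Set-Mailbox";           Parameters = "Identity", "DisplayName" },
        @{ Cmdlet = "Set-User";              Parameters = "Identity", "Office", "Phone" },
        @{ Cmdlet = "Get-MailboxStatistics"; Parameters = "Identity" }
    )
}

# Map each need to the built-in roles whose entry exposes every required parameter.
$report = foreach ($need in $jobRole.Needs) {
    Get-ManagementRoleEntry "*\$($need.Cmdlet)" |
        Where-Object {
            $entryParams = $_.Parameters
            $missing = @($need.Parameters | Where-Object { $entryParams -notcontains $_ })
            $missing.Count -eq 0
        } |
        ForEach-Object {
            [pscustomobject]@{
                Cmdlet         = $need.Cmdlet
                CandidateRole  = $_.Role
                ParameterCount = $_.Parameters.Count
            }
        }
}

# The candidate with the fewest parameters per cmdlet is the natural parent for a
# custom role: least to strip away, least risk of leaving something behind.
$report | Sort-Object Cmdlet, ParameterCount | Format-Table -AutoSize

# A role that covers every needed cmdlet at once, if one exists.
$report | Group-Object CandidateRole |
    Where-Object { $_.Count -eq $jobRole.Needs.Count } |
    Select-Object -ExpandProperty Name

# Document the current state for one administrator: direct and group-based assignments
# with their effective scopes, exported for the permissions-requirement record.
Get-ManagementRoleAssignment -RoleAssignee "kmyer@contoso.com" |
    Select-Object Name, Role, RoleAssigneeName, RoleAssigneeType,
                  RecipientWriteScope, ConfigWriteScope, CustomRecipientWriteScope |
    Export-Csv -Path ".\rbac-kmyer.csv" -NoTypeInformation
```

Run the first part against the organization's real job descriptions rather than guessed cmdlet lists; the admin audit log (Search-AdminAuditLog) is a good source of which cmdlets and parameters a team actually uses today.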
Demo: RBAC planning process
Key Takeaways
- RBAC provides granular control over permissions
- Separates policy storage from security object storage
- Permissions map closely to application and user requirements
- Plan requirements and create custom roles to provide least access based on job roles