To apply RBAC customization, follow these steps:
- Create a new role group, and populate the group. The user who performs these actions must be a member of the SSA-Role Management role group.
- Identify the cmdlets that are needed for the new management role, identify candidate baseline management roles that have these cmdlets, and create the new role.
- Assign the new management role to the new role group.
- Create a custom write scope, and assign the scope to the newly created role group and management role (optional).
Note: We also recommend that you specify the ManagedBy parameter when a role group is created. If no owner is specified, the user who creates the role group is automatically listed as the owner. The ManagedBy parameter can be changed later by using the Set-RoleGroup cmdlet. For more information about Set-RoleGroup, see the Set-RoleGroup documentation and the article "You don't have sufficient permissions" error when you change the membership of a role group in Office 365 dedicated/ITAR.
The following example shows how to create a role group with a custom write scope, so that members of the group can change user options only for Home Office users.
- Create a new role group:
New-RoleGroup "SSA-Home Office" -ManagedBy "SSA-Role Management"
- Create a new management role based on the baseline role SSA_User Options:
New-ManagementRole "SSA_Home Office - User Options" -Parent "SSA_User Options"
- Create a custom write scope:
New-ManagementScope "SSA-Home Office Scope" -RecipientRestrictionFilter 'Office -like "Home Office"' -RecipientRoot MMSSPP
- Create a role assignment to associate the new role group that has the new management role and apply the custom write scope:
New-ManagementRoleAssignment -SecurityGroup "SSA-Home Office" -Role "SSA_Home Office - User Options" -CustomRecipientWriteScope "SSA-Home Office Scope"
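The four steps above, wrapped in one idempotent script that also performs the role discovery from step 3 and verifies the result. This is an added example, not part of the KB article; the cmdlet list in $requiredCmdlets is an assumed stand-in for whatever cmdlets the new role actually has to expose, while the SSA-* names, SSA_User Options and MMSSPP are taken from the article.

```powershell
# Added example (not from the KB). Run as a member of SSA-Role Management.
$roleGroup  = "SSA-Home Office"
$ownerGroup = "SSA-Role Management"
$parentRole = "SSA_User Options"
$newRole    = "SSA_Home Office - User Options"
$scopeName  = "SSA-Home Office Scope"
# Assumed: the cmdlets the new role must expose (replace with the real list from step 3).
$requiredCmdlets = @("Get-MailboxMessageConfiguration", "Set-MailboxMessageConfiguration")

# Step 3 (discovery): which baseline roles already contain every required cmdlet?
$hits = foreach ($c in $requiredCmdlets) { (Get-ManagementRole -Cmdlet $c).Name }
$candidates = $hits | Group-Object | Where-Object { $_.Count -eq $requiredCmdlets.Count } | ForEach-Object Name
if ($parentRole -notin $candidates) {
    throw "Parent role '$parentRole' lacks a required cmdlet. Candidates: $($candidates -join ', ')"
}

# Step 1: create the role group with an explicit owner (ManagedBy); skip if it already exists.
if (-not (Get-RoleGroup $roleGroup -ErrorAction SilentlyContinue)) {
    New-RoleGroup $roleGroup -ManagedBy $ownerGroup | Out-Null
}
# Step 2: derive the new role from the baseline role.
if (-not (Get-ManagementRole $newRole -ErrorAction SilentlyContinue)) {
    New-ManagementRole $newRole -Parent $parentRole | Out-Null
}
# Optional: custom write scope limiting writes to recipients whose Office is "Home Office".
if (-not (Get-ManagementScope $scopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope $scopeName -RecipientRestrictionFilter 'Office -like "Home Office"' -RecipientRoot MMSSPP | Out-Null
}
# Step 4: bind role group, role and scope in a single role assignment.
if (-not (Get-ManagementRoleAssignment -RoleAssignee $roleGroup -Role $newRole -ErrorAction SilentlyContinue)) {
    New-ManagementRoleAssignment -SecurityGroup $roleGroup -Role $newRole -CustomRecipientWriteScope $scopeName | Out-Null
}

# Verification: the assignment must carry the custom write scope, and the derived role must not
# expose any cmdlet beyond its parent (a child role can only drop role entries, never add them).
$assignment = Get-ManagementRoleAssignment -RoleAssignee $roleGroup -Role $newRole
if ("$($assignment.CustomRecipientWriteScope)" -ne $scopeName) { throw "Custom write scope not applied" }
$parentEntries = (Get-ManagementRoleEntry "$parentRole\*").Name
$childEntries  = (Get-ManagementRoleEntry "$newRole\*").Name
$extra = Compare-Object $parentEntries $childEntries | Where-Object SideIndicator -eq "=>"
if ($extra) { throw "Derived role exposes unexpected cmdlets: $($extra.InputObject -join ', ')" }
"OK: $roleGroup -> $newRole (scope: $scopeName, owner: $((Get-RoleGroup $roleGroup).ManagedBy -join ', '))"
```

The final checks are the ones worth keeping in change control: an assignment created without the scope parameter silently grants the role's full write scope.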
Article ID: 3135521 - Last Review: Jan 19, 2016 - Revision: 1