Can’t complete RBAC customization in Exchange 2013 for Office 365 Dedicated/ITAR users


In Office 365 Dedicated/ITAR, you discover that you can’t make a particular customization by using Remote PowerShell (RPS). When you try to run a command to customize Role Based Access Control (RBAC) settings, you receive an error message that resembles the following:
You don't have access to create, change or remove the "<>" management role assignment


This issue occurs because the Office 365 Dedicated/ITAR deployment has specific naming requirements when you customize role groups or management roles.


By default, there are 15 baseline role groups that have specific management roles assigned. You may want to change the baseline configuration to create additional limits on the permissions that are granted to administrators and users.

To apply RBAC customization, follow these steps: 
  1. Create a new role group, and populate the group. The user who performs these actions must be a member of the SSA-Role Management role group.
  2. Identify the cmdlets that are needed for the new management role, identify candidate baseline management roles that have these cmdlets, and create the new role. 
  3. Assign the new management role to the new role group.
  4. Create a custom write scope, and assign the scope to the newly created role group and management role (optional). 
The customized role groups must start with "SSA-" as in "SSA-Helpdesk Administrators." A customized management role must start with "SSA_" as in "SSA_Modify Mailbox Permissions." Administrators may encounter errors when they try to assign a management role or custom write scope if the correct naming standards are not used.

Note: We also recommend that you specify the ManagedBy parameter when a role group is created. If no owner is specified, the user who creates the role group will automatically be listed as the owner. The ManagedBy parameter can be changed by using the Set-RoleGroup cmdlet. For more information about Set-RoleGroup, see Set-RoleGroup and "You don't have sufficient permissions" error when you change the membership of a role group in Office 365 dedicated/ITAR.

The following example shows how to create a role group that has a custom role scope that enables only members of the group to change user options for Home Office users. 
  1. Create a new role group:
    New-RoleGroup "SSA-Home Office" -ManagedBy "SSA-Role Management"
  2. Create a new management role based on the baseline role SSA_User Options:
    New-ManagementRole.ps1 "SSA_Home Office - User Options" -Parent "SSA_User Options" 
  3. Create a custom write scope:
    New-ManagementScope "SSA-Home Office Scope" -RecipientRestrictionFilter 'Office -like "Home Office"' -RecipientRoot MMSSPP 
  4. Create a role assignment to associate the new role group that has the new management role and apply the custom write scope:
    New-ManagementRoleAssignment -SecurityGroup "SSA-Home Office" -Role "SSA_Home Office - User Options" -CustomRecipientWriteScope "SSA-Home Office Scope" 
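The four steps above combined into one script, as an added example that is not from the KB article or the Self-Service Administration guide. It uses the standard New-ManagementRole cmdlet, checks the "SSA-"/"SSA_" naming rules locally before anything is created, and assumes an established Remote PowerShell session; the role group, role, scope and filter values are placeholders taken from the example above.

```powershell
# Added example (not the KB article's own code): wraps the four RBAC steps and
# enforces the Dedicated/ITAR naming rules up front, so a mis-named object
# fails here instead of with the "You don't have access ..." RBAC error.
# Assumes an open Remote PowerShell session; all names below are placeholders.
param(
    [string]$RoleGroup  = "SSA-Home Office",
    [string]$Role       = "SSA_Home Office - User Options",
    [string]$ParentRole = "SSA_User Options",
    [string]$Scope      = "SSA-Home Office Scope",
    [string]$Filter     = 'Office -like "Home Office"',
    [string]$Owner      = "SSA-Role Management",
    [switch]$WhatIf
)
$ErrorActionPreference = "Stop"

# Naming rules from the article: role groups start with "SSA-", management
# roles with "SSA_". -cnotlike keeps the comparison case-sensitive.
if ($RoleGroup -cnotlike "SSA-*")  { throw "Role group '$RoleGroup' must start with 'SSA-'." }
if ($Role -cnotlike "SSA_*")       { throw "Management role '$Role' must start with 'SSA_'." }
if ($ParentRole -cnotlike "SSA_*") { throw "Parent '$ParentRole' must be a baseline SSA_ role." }

# Step 2 (review): confirm the baseline parent exists and list the cmdlets it
# grants, so the derived role inherits no more than intended (least privilege).
$parent = Get-ManagementRole $ParentRole
Get-ManagementRoleEntry "$($parent.Name)\*" |
    Select-Object Name, Parameters | Format-Table -AutoSize

# Step 1: create the role group with an explicit owner (see the Note above).
New-RoleGroup -Name $RoleGroup -ManagedBy $Owner -WhatIf:$WhatIf

# Step 2: derive the custom management role from the baseline role.
New-ManagementRole -Name $Role -Parent $ParentRole -WhatIf:$WhatIf

# Step 4 (optional): custom write scope limited to recipients matching $Filter.
New-ManagementScope -Name $Scope -RecipientRestrictionFilter $Filter `
    -RecipientRoot MMSSPP -WhatIf:$WhatIf

# Step 3: bind role group, role and write scope in a single assignment.
New-ManagementRoleAssignment -SecurityGroup $RoleGroup -Role $Role `
    -CustomRecipientWriteScope $Scope -WhatIf:$WhatIf

# Verify: the new assignment should carry the expected custom write scope.
if (-not $WhatIf) {
    Get-ManagementRoleAssignment -RoleAssignee $RoleGroup -Role $Role |
        Select-Object Name, CustomRecipientWriteScope
}
```

Run it once with -WhatIf to see which objects would be created before committing the change.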
For more information about RBAC customization examples, see the Self-Service Administration guide (expand "Exchange Online Dedicated" and "Exchange Server 2013 - ANSI").

Article ID: 3135521 – Last review: Jan 19, 2016 – Revision: 1
