Which RBAC scopes should you identify?

DRAG DROP
You have an Exchange Server 2013 organization that contains several custom RBAC management roles.
You need to identify which RBAC scopes must be used to meet the following requirements:
Manage only the mailboxes of the users in the sales department.
Manage the properties of all the mailbox databases.
Which RBAC scopes should you identify? (To answer, drag the appropriate RBAC scopes to the correct
requirements. Each RBAC scope may be used once, more than once, or not at all. You may need to drag the
split bar between panes or scroll to view content.)
Select and Place:


Answer:
Manage only the mailboxes of the users in the sales department: a recipient filter scope (an explicit scope, for example a custom scope with a filter on the Department property).
Manage the properties of all the mailbox databases: the OrganizationConfig scope (the implicit configuration write scope).

Explanation:
Understanding Management Role Scopes: Exchange 2013 Help
Management role scopes enable you to define the specific scope of impact or influence of a management role
when a management role assignment is created.
When you apply a scope, the role assignee assigned to the role can only modify the objects contained within
that scope.
A role assignee can be a management role group, management role, management role assignment policy,
user, or universal security group (USG).
Every management role, whether it’s a built-in role or a custom role, has management scopes. Management
scopes can be either of the following:
Regular
A regular scope isn’t exclusive. It determines where, in Active Directory, objects can be viewed or modified by
users assigned the management role. In general, a management role indicates what you can create or modify,
and a management role scope indicates where you can create or modify. Regular scopes can be either implicit
or explicit scopes, both of which are discussed later in this topic.
Exclusive
An exclusive scope behaves almost the same as a regular scope. The key difference is that it enables you to
deny users access to objects contained within the exclusive scope if those users aren’t assigned a role
associated with the exclusive scope. All exclusive scopes are explicit scopes, which are discussed later in this
topic.
Scopes can be inherited from the management role, specified as a predefined relative scope on a management
role assignment, or created using custom filters and added to a management role assignment.
Scopes inherited from management roles are called implicit scopes while predefined and custom scopes are
called explicit scopes.
Implicit scopes are the default scopes that apply to a management role type. Because implicit scopes are
associated with a management role type, all of the parent and child management roles with the same role type
also have the same implicit scopes.
Implicit scopes apply to both built-in management roles and also to custom management roles.
Implicit scopes defined on management roles
Implicit scopes Description
Organization If Organization is present in the role’s recipient write scope, the role can create or modify recipient
objects across the Exchange organization.
If Organization is present in the role’s recipient read scope, roles can view any recipient object across the
Exchange organization.
This scope is used only with recipient read and write scopes.
MyGAL If MyGAL is present in the role’s recipient write scope, the role can view the properties of any recipient
within the current user’s global address list (GAL).
If MyGAL is present in the role’s recipient read scope, the role can view the properties of any recipient within the
current GAL.
This scope is used only with recipient read scopes.
Self If Self is present in the role’s recipient write scope, the role can modify only the properties of the current
user’s mailbox.
If Self is present in the role’s recipient read scope, the role can view only the properties of the current user’s
mailbox.
This scope is used only with recipient read and write scopes.
MyDistributionGroups If MyDistributionGroups is present in the role’s recipient write scope, the role can create
or modify distribution list objects owned by the current user.
If MyDistributionGroups is present in the role’s recipient read scope, the role can view distribution list objects
owned by the current user.
This scope is used only with recipient read and write scopes.
OrganizationConfig If OrganizationConfig is present in the role’s configuration write scope, the role can create
or modify any server or database configuration object across the Exchange organization.
If OrganizationConfig is present in the role’s configuration read scope, the role can view any server or database
configuration object across the Exchange organization.
This scope is used only with configuration read and write scopes.
None If None is in a scope, that scope isn’t available to the role. For example, a role that has None in the
recipient write scope can’t modify recipient objects in the Exchange organization.
Explicit scopes are scopes that you set yourself to control which objects a management role can modify.
Although implicit scopes are defined on a management role, explicit scopes are defined on a management role
assignment.
This enables the implicit scopes to be applied consistently across all management roles unless you choose to
use an overriding explicit scope. For more information about management role assignments, see
Understanding Management Role Assignments.
Explicit scopes override the implicit write and configuration scopes of a management role. They don’t override
the implicit read scope of a management role. The implicit read scope continues to define what objects the
management role can read.
Explicit scopes are useful when the implicit write scope of a management role doesn’t meet the needs of your
business. You can add an explicit scope to include nearly anything you want as long as the new scope doesn’t
exceed the bounds of the implicit read scope. The cmdlets that are part of a management role must be able to
read information about the objects or containers that contain objects for the cmdlets to create or modify objects.
For example, if the implicit read scope on a management role is set to Self, you can’t add an explicit write
scope of Organization because the explicit write scope exceeds the bounds of the implicit read scope.
The OrganizationConfig implicit scope
If OrganizationConfig is present in the role’s configuration write scope, the role can create or modify any server
or database configuration object across the Exchange organization.
If OrganizationConfig is present in the role’s configuration read scope, the role can view any server or database
configuration object across the Exchange organization.
Conclusion: OrganizationConfig can manage the properties of all of the mailbox databases, so it is the scope for the
second requirement.
The Self implicit scope
If Self is present in the role’s recipient write scope, the role can modify only the properties of the current
user’s mailbox.
If Self is present in the role’s recipient read scope, the role can view only the properties of the current user’s
mailbox.
Conclusion: Self cannot be used for either requirement, because it pertains only to the current user’s own mailbox.
The Organization relative scope
If Organization is present in the role’s recipient write scope, the role can create or modify recipient objects
across the Exchange organization.
If Organization is present in the role’s recipient read scope, roles can view any recipient object across the
Exchange organization.
This scope is used only with recipient read and write scopes.
Conclusion: Organization is a recipient scope and is not meant for managing mailbox databases; it also covers every
recipient in the organization, so it cannot restrict an administrator to the sales department only.
A recipient is any mail-enabled object in the Active Directory directory service to which Exchange can deliver or
route messages.
In Microsoft Exchange, recipients comprise mailbox users, mail-enabled users, mail contacts,
distribution groups, security groups, dynamic distribution groups, and mail-enabled public folders.
The recipient filter explicit scope
Recipient filter scopes use filters to target specific recipients based on recipient type or other recipient
properties such as department, manager, location, and more.
Conclusion: a recipient filter scope that matches mailboxes whose Department is Sales is the scope for the first
requirement. Because explicit scopes only narrow the implicit write scope and never widen the implicit read scope,
the role being assigned must already be able to read the sales mailboxes (for example, a role with the Organization
implicit recipient read scope).
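The two requirements implemented in the Exchange Management Shell, as an added example that is not part of the original question or of the Microsoft documentation quoted above. The scope name "Sales Department Mailboxes", the role group names "Sales Mailbox Admins" and "Mailbox Database Admins", and the use of the built-in "Mail Recipients" and "Databases" roles are assumptions made for this example; run it as a member of Organization Management.

```powershell
# Added example (not from the original page). Assumed names: scope
# "Sales Department Mailboxes", role groups "Sales Mailbox Admins" and
# "Mailbox Database Admins". Built-in roles "Mail Recipients" and "Databases"
# are used as the roles to assign.

# Requirement 1: manage only the mailboxes of users in the sales department.
# A custom recipient filter scope is an explicit scope; it narrows the
# recipient *write* scope of the assignment it is attached to.
New-ManagementScope -Name "Sales Department Mailboxes" `
    -RecipientRestrictionFilter "(Department -eq 'Sales') -and (RecipientTypeDetails -eq 'UserMailbox')"

# Check: preview which recipients the filter matches before anyone is granted
# the role, so a typo in the filter does not silently widen the scope.
Get-Recipient -RecipientPreviewFilter "(Department -eq 'Sales') -and (RecipientTypeDetails -eq 'UserMailbox')" |
    Select-Object Name, Department, RecipientTypeDetails

# Assign the role to a new role group with the custom scope as its write scope.
New-RoleGroup -Name "Sales Mailbox Admins" -Roles "Mail Recipients" `
    -CustomRecipientWriteScope "Sales Department Mailboxes"

# Requirement 2: manage the properties of all mailbox databases.
# The "Databases" role carries the implicit OrganizationConfig configuration
# write scope, so no custom scope is needed: the assignment as-is covers every
# mailbox database in the organization.
New-RoleGroup -Name "Mailbox Database Admins" -Roles "Databases"

# Check: confirm the write scopes that actually apply to each assignment.
# Expect CustomRecipientWriteScope set for the sales group and
# ConfigWriteScope = OrganizationConfig for the database group.
Get-ManagementRoleAssignment -RoleAssignee "Sales Mailbox Admins" |
    Format-List Role, RecipientWriteScope, CustomRecipientWriteScope, ConfigWriteScope
Get-ManagementRoleAssignment -RoleAssignee "Mailbox Database Admins" |
    Format-List Role, RecipientWriteScope, ConfigWriteScope

# Caveat: the implicit read scope is the ceiling for any explicit scope. A role
# whose implicit recipient read scope is Self cannot be given a custom recipient
# write scope, so inspect the implicit scopes of a role before scoping it.
"Mail Recipients", "Databases", "MyBaseOptions" | ForEach-Object {
    Get-ManagementRole -Identity $_ |
        Format-List Name, ImplicitRecipientReadScope, ImplicitRecipientWriteScope,
                    ImplicitConfigReadScope, ImplicitConfigWriteScope
}
```

If the sales administrators must be the only people able to modify those mailboxes, create the scope with the -Exclusive switch instead; an exclusive scope then denies write access to every role assignee who does not hold an assignment carrying that scope, which is the behaviour described under "Exclusive" above.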