Your network contains one Active Directory domain named contoso.com.
The domain contains an IP Address Management (IPAM) server named Server1.
Server1 manages several DHCP and DNS servers.
From Server Manager on Server1, you create a custom role for IPAM.
You need to assign the role to a group named IP_Admins.
What should you do?
A.
From Windows PowerShell, run the Add-Member cmdlet.
B.
From Server Manager, create an access policy.
C.
From Windows PowerShell, run the Set-IpamConfiguration cmdlet.
D.
From Server Manager, create an access scope.
Explanation:
A role is a collection of IPAM operations. You can associate a role with a user or group in
Windows using an access policy. Several built-in roles are provided, but you can also create
customized roles to meet your business requirements.
https://technet.microsoft.com/en-us/library/dn741281.aspx
Don’t take my word for this, and feel free to chime in…
B is probably correct.
From my extensive (10 minute) stint of research, there are three steps to configuring Role-Based Access Control for IPAM.
1. Specify a role. (The leading text states that you have already done this.)
2. Specify an Access Scope.
3. Specify and Access Policy.
Now, “An access scope determines the objects that a user has access to” thus this will have already been created since the question states that you have already created the custom role.
So, “An access policy combines a role with an access scope to assign permission to a user or group.”
The first two steps are already done, as stated in the question’s leading text. The only thing left to do AND the thing the Q is asking us to do is assign the Role to the group, which is done through the access policy.
https://technet.microsoft.com/en-us/library/dn789161.aspx
https://technet.microsoft.com/en-us/library/dn741281.aspx
I agree, next step looks like Specify and access scope however, user assignment is done with the policy
I don’t agree..
The first step.. Specify a Role (in this case a custom role) .. only defines the role(s) for the Role you are creating.. I don’t see anywhere in the procedure where to add “objects that the user has access to”
So my take in this one is that answer is
D. Specify Access Scope
I believe the answer is D. Specify access scope
The problem does not state adding or assigning permissions, only roles to the group.
Access scopes: An access scope determines the objects that a user has access to. You can use access scopes to define administrative domains in IPAM. For example, you might create access scopes based on geographical location. By default, IPAM includes an access scope of Global. All other access scopes are subsets of the Global access scope. Users or groups that are assigned to the Global access scope have access to all objects in IPAM that are permitted by their assigned role.
Access policies: An access policy combines a role with an access scope to assign permission to a user or group. For example, you might define an access policy for user1 with a role of IP Block Admin and an access scope of Global\Asia. Therefore, user1 will have permission to edit and delete IP address blocks that are associated to the Asia access scope. This user will not have permission to edit or delete any other IP address blocks in IPAM.
It’s B, you are associating group or user with role and scope using Access Policy:
e. In the Add Access Policy dialog box, under User Settings, click Add, enter a user or group name, and then click OK. Note: The default location is the local computer. To add a user or group from Active Directory, click Locations, and then specify the Active Directory location or specify Entire Directory.
g. Under New Setting, use the drop-down list under Select role to choose a role for this user.
i. Under Select the access scope for the role, click the name of the access scope you wish to use, and then click Add Setting.
https://technet.microsoft.com/en-us/library/dn789161(v=ws.11).aspx