Wednesday, November 14, 2012

Creating Custom RBAC Roles in Lync 2013

One of the many improvements in Lync 2013 over its predecessors is the ability to create custom RBAC roles.  This was a topic that came up often in discussions with large and security-conscious organizations where separation of of administrative roles exist.  In these organizations, Lync administrators do not have elevated permissions within the Active Directory domain.  This can also assist in limiting or enhancing the administrative scope of support personnel, while at the same time granting the necessary rights for them to perform their daily duties.

In Lync 2010, some degree of RBAC customization was available.  Custom roles could be created to limit administrative scope to a specific Lync Site, or for user administration, scope could be limited to specific Active Directory Organizational Units (OU).  However, these custom roles must be based one of the nine predefined Lync roles.  If these predefined roles did not exactly fit your needs, you were out of luck.

New in Lync 2013 is the ability to further customize RBAC roles to add or remove specific cmdlets from the scope of the role's abilities.  Additionally, there are two new predefined roles:
  • CsResponseGroupManager - This role now allows management of Response Group features, including the ability to modify the schedule or greetings.  Unlike "CsResponseGroupAdministrator," this role cannot create or delete new Response Groups, Workflows, or Queues.
  • CsPersistentChatAdministrator - Tighter integration of the Persistent Chat server role into the Lync topology expectantly results in a corresponding RBAC role.  Members of this role are permitted administrative rights over Persistent Chat features and rooms.
Currently, the TechNet documentation on Lync 2013 RBAC does not detail out which cmdlets the existing admin roles have permissions to run.  You can run the following command to determine this.

Get-CsAdminRole -Identity "CsAdminRoleName" | select -ExpandProperty cmdlets

Creating a New Custom RBAC Role

The first step in creating a new Lync Custom RBAC role (in 2010 or 2013), is to have the AD security group created.  In my example, I have created a custom AD security group called "LyncHelpDesk."  Note that this must be a Universal Security Group.

We will use the default CsUserAdministrator role as the template for the creation of our new role with the following PowerShell command.

New-CsAdminrole -Identity "LyncHelpDesk" -Template CsUserAdministrator

Notice that the permitted cmdlets were duplicated from the CsUserAdministrator role.  However, we do not want our Helpdesk support personnel to have the ability to enable/disable Lync users or create/remove Common Area Phone accounts.  To achieve this, we simply remove the required cmdlets from our new custom role.

Set-CsAdminRole -Identity "LyncHelpDesk" -Cmdlets @{Remove="Disable-CsUser","Enable-CsUser","New-CsCommonAreaPhone","Remove-CsCommonAreaPhone"}

Note: Alternatively, use "@{Add=" to supplement the role with additional cmdlets.  The double quotes around the cmdlets are required in the above command.

The cmdlets specified above are no longer part of the custom admin role.

Now, when I authenticate to the Lync Control Panel as a member of the LyncHelpDesk admin role, I can no longer enable users.

Taking it a step further, we can also scope this role to a specific site or user OU with the corresponding -ConfigScopes or -UserScopes parameters as we did in Lync 2010.  As you can see, this now gives organizations the flexibility to customize Lync administrative access to fit their needs, however simple or complex that may be.

Related articles:

No comments:

Post a Comment