Lync Server 2013 administration uses Role-Based Access Control (RBAC) to assign different levels of access privileges to the users, and to enable them to perform specific administrative tasks. The idea behind RBAC in Lync 2013 is that adding a user to a specific group not only defines the features and administrative tasks they are able to manage but also limits the cmdlets they are able to use in the Lync Management Shell. There are some built-in administrative roles, and we are able to add custom groups for more granular control. Another operation we are able to perform is adding authorized cmdlets to both kinds of groups, expanding the allowed tasks for a specific RBAC role.
In our example, we will use both of the previously mentioned customizations: creating a new customized user group, CsUserModifier, based on the default group CsViewOnlyAdministrator, and adding access to the Set-CsUser cmdlet (to modify properties for existing user accounts).
Create the CSUserModifier user group (with the scope as universal and type as security) in Active Directory, then create the matching RBAC role from the template:

New-CsAdminRole -Identity CsUserModifier -Template CsViewOnlyAdministrator
The cmdlet will clone the permissions of the CsViewOnlyAdministrator group to the custom group. To list the cmdlets the new role is allowed to run, use:
Get-CsAdminRole CSUserModifier | Select-Object -ExpandProperty Cmdlets | fl
The output will be similar to what is shown in the following screenshot:
Add the Set-CsUser cmdlet to the available tasks:

Set-CsAdminRole -Identity CsUserModifier -Cmdlets @{add="Set-CsUser"}
The @{remove=...} form of the -Cmdlets parameter can be used to remove administrative tasks that were previously available to a group:

Set-CsAdminRole -Identity CsUserModifier -Cmdlets @{remove="Get-CSVoiceRoutingPolicy","Get-CSVoiceTestConfiguration"}
The New-CSAdminRole cmdlet also supports the -Cmdlets parameter we used above with Set-CsAdminRole, so when defining a custom group role, we are able to add custom cmdlets at the same time. A command like the next one achieves both role customization and cmdlet customization in a single step:

New-CsAdminRole -Identity CSUserModifier -Template CsViewOnlyAdministrator -Cmdlets @{add="Set-CsUser"}
As important as it is for security, RBAC has a severe limitation: it is effective only for users who are working with the Lync administrative tools from a remote workstation (http://technet.microsoft.com/en-us/library/gg425917.aspx). The controls are not enforced for users who are working locally on the Lync Server (or using a remote PowerShell session). Physical security of our servers is therefore an important topic, and we should address it with all the available solutions (smart card access, doors, cameras, strong passwords, lights-out servers with no physical keyboard or monitor available, and so on).