Management role assignment

Role assignments allow you to assign roles to a user/security group with the option to override the write scope set at the role level. Role assignments can target role groups, users, policies, or security groups.

We will finish the text messaging example by giving permissions to the service account so that the EWS call can impersonate the user.

We initially try to call the EWS command that creates a new inbox rule; because the rule uses text messaging and impersonation has not been set up, the call will fail:

# trying to impersonate through EWS fails before role assignment
$exchWS.UpdateInboxRules($operations, $false)

Exception calling "UpdateInboxRules" with "2" argument(s): "The account does not have permission to impersonate the requested user."

New-ManagementRoleAssignment -Name ImpersonateTest2 -Role ApplicationImpersonation -User admin1 -Confirm:$false

Name Role RoleAssigneeName RoleAssigneeType AssignmentMethod
---- ---- ---------------- ---------------- ----------------
ImpersonateTest2 ApplicationImpersonation admin1 User Direct

# reconnect so the new assignment applies
Remove-PSSession $Session
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $uri -Credential $creds -Authentication Basic -AllowRedirection
Import-PSSession $Session

# EWS impersonation should work now
$exchWS.UpdateInboxRules($operations, $false)

Note that in this example, the assignment was granted to a user (admin1); in most scenarios, assigning to a security group is the better practice. We also did not use a scoping mechanism to limit the impersonation scope; using one of the scoping parameters is preferable, because the reach of an assignment should be limited as much as possible.

The scoping parameters of New-ManagementRoleAssignment are as follows:

  • CustomRecipientWriteScope: Specifies a recipient-based management scope
  • ExclusiveRecipientWriteScope: Specifies an exclusive recipient-based management scope
  • RecipientOrganizationalUnitScope: Specifies an OU where the assignment will be effective
  • RecipientRelativeWriteScope: Restricts the scope of the assignment to one of the following:
    • None
    • Organization
    • MyGal
    • Self
    • MyDistributionGroups
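The following is an added example (not from the book) showing the scoped, group-based form of the assignment recommended above. The security group EWS-Impersonation-Svc, the scope name TextMsgMailboxes and the use of CustomAttribute1 = "TextMsg" to tag the mailboxes that may be impersonated are all assumptions for the illustration.

```powershell
# Added example: least-privilege version of the ApplicationImpersonation assignment.
# Assumed (hypothetical) names: security group "EWS-Impersonation-Svc", scope
# "TextMsgMailboxes", and CustomAttribute1 = "TextMsg" marking the eligible mailboxes.

# 1. Build a recipient-based management scope: only user mailboxes tagged for the
#    text messaging feature fall inside the write scope.
New-ManagementScope -Name "TextMsgMailboxes" `
    -RecipientRestrictionFilter "RecipientType -eq 'UserMailbox' -and CustomAttribute1 -eq 'TextMsg'"

# 2. Assign ApplicationImpersonation to a security group instead of a single user,
#    and bind the assignment to the custom scope so it cannot reach other mailboxes.
New-ManagementRoleAssignment -Name "ImpersonateTextMsg" `
    -Role ApplicationImpersonation `
    -SecurityGroup "EWS-Impersonation-Svc" `
    -CustomRecipientWriteScope "TextMsgMailboxes" `
    -Confirm:$false

# 3. Review who effectively holds ApplicationImpersonation and under which scope;
#    an unscoped entry here (blank CustomRecipientWriteScope) is what you want to avoid.
Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers |
    Format-Table Name, RoleAssigneeName, RoleAssigneeType, EffectiveUserName, `
        CustomRecipientWriteScope -AutoSize

# 4. Once the group assignment is in place, retire the unscoped per-user assignment
#    created earlier in the example (ImpersonateTest2).
Remove-ManagementRoleAssignment -Identity "ImpersonateTest2" -Confirm:$false
```

As in the original example, the service account needs a fresh remote PowerShell session (or a new EWS connection) before the changed assignment takes effect.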