Wednesday, November 14, 2012

Creating Custom RBAC Roles in Lync 2013

One of the many improvements in Lync 2013 over its predecessors is the ability to create custom RBAC roles.  This was a topic that came up often in discussions with large and security-conscious organizations where separation of administrative roles exists.  In these organizations, Lync administrators do not have elevated permissions within the Active Directory domain.  Custom roles can also limit or extend the administrative scope of support personnel while still granting the rights they need to perform their daily duties.

In Lync 2010, some degree of RBAC customization was available.  Custom roles could be created to limit administrative scope to a specific Lync Site, or, for user administration, scope could be limited to specific Active Directory Organizational Units (OUs).  However, these custom roles had to be based on one of the nine predefined Lync roles.  If those predefined roles did not exactly fit your needs, you were out of luck.

New in Lync 2013 is the ability to further customize RBAC roles to add or remove specific cmdlets from the scope of the role's abilities.  Additionally, there are two new predefined roles:
  • CsResponseGroupManager - This role now allows management of Response Group features, including the ability to modify the schedule or greetings.  Unlike "CsResponseGroupAdministrator," this role cannot create or delete new Response Groups, Workflows, or Queues.
  • CsPersistentChatAdministrator - Tighter integration of the Persistent Chat server role into the Lync topology naturally results in a corresponding RBAC role.  Members of this role are granted administrative rights over Persistent Chat features and rooms.
Currently, the TechNet documentation on Lync 2013 RBAC does not list which cmdlets the existing admin roles are permitted to run.  You can run the following command to determine this.

Get-CsAdminRole -Identity "CsAdminRoleName" | select -ExpandProperty cmdlets

Creating a New Custom RBAC Role

The first step in creating a new Lync custom RBAC role (in 2010 or 2013) is to have the AD security group created.  In my example, I have created a custom AD security group called "LyncHelpDesk."  Note that this must be a Universal Security Group, and that the group name must match the Identity of the role you create.

We will use the default CsUserAdministrator role as the template for the creation of our new role with the following PowerShell command.

New-CsAdminRole -Identity "LyncHelpDesk" -Template CsUserAdministrator

Notice that the permitted cmdlets were duplicated from the CsUserAdministrator role.  However, we do not want our Helpdesk support personnel to have the ability to enable/disable Lync users or create/remove Common Area Phone accounts.  To achieve this, we simply remove the unwanted cmdlets from our new custom role.

Set-CsAdminRole -Identity "LyncHelpDesk" -Cmdlets @{Remove="Disable-CsUser","Enable-CsUser","New-CsCommonAreaPhone","Remove-CsCommonAreaPhone"}

Note: Alternatively, use "@{Add=" in place of "@{Remove=" to supplement the role with additional cmdlets.  The double quotes around each cmdlet name are required in the above command.

The cmdlets specified above are no longer part of the custom admin role.

Now, when I authenticate to the Lync Control Panel as a member of the LyncHelpDesk admin role, I can no longer enable users.

Taking it a step further, we can also scope this role to a specific site or user OU with the corresponding -ConfigScopes or -UserScopes parameters as we did in Lync 2010.  As you can see, this now gives organizations the flexibility to customize Lync administrative access to fit their needs, however simple or complex that may be.
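The full procedure above (group check, role creation from a template, cmdlet removal, site and OU scoping, and a verification pass) as one added PowerShell script; this is example code written for this post, not from the original article or from Microsoft.  The site name "Redmond", the OU "OU=HelpDeskUsers,DC=contoso,DC=com" and the use of the ActiveDirectory module for the group check are assumptions.

```powershell
# Added example: build a restricted, scoped Lync help desk role end to end.
# Assumed (not from the post): run in the Lync Server Management Shell with the
# ActiveDirectory module available; site and OU names below are placeholders.
$RoleName      = "LyncHelpDesk"                        # must match the AD group name
$Template      = "CsUserAdministrator"
$SiteScope     = "site:Redmond"                        # placeholder site identity
$OuScope       = "OU=HelpDeskUsers,DC=contoso,DC=com"  # placeholder OU
$DeniedCmdlets = "Disable-CsUser", "Enable-CsUser",
                 "New-CsCommonAreaPhone", "Remove-CsCommonAreaPhone"

# 1. The backing AD group must exist and be a Universal Security Group.
Import-Module ActiveDirectory
$group = Get-ADGroup -Identity $RoleName -ErrorAction Stop
if ($group.GroupScope -ne 'Universal' -or $group.GroupCategory -ne 'Security') {
    throw "Group '$RoleName' must be a Universal Security Group (found $($group.GroupScope)/$($group.GroupCategory))."
}

# 2. Create the role from the template, scoped to one site and one OU, if it is not already there.
if (-not (Get-CsAdminRole -Identity $RoleName -ErrorAction SilentlyContinue)) {
    New-CsAdminRole -Identity $RoleName -Template $Template `
        -ConfigScopes $SiteScope -UserScopes $OuScope | Out-Null
}

# 3. Strip the cmdlets the help desk should not be able to run.
Set-CsAdminRole -Identity $RoleName -Cmdlets @{Remove = $DeniedCmdlets}

# 4. Verify: the template minus the denied cmdlets should equal the new role's cmdlet list,
#    and none of the denied cmdlets may still be present.
$templateCmdlets = Get-CsAdminRole -Identity $Template | Select-Object -ExpandProperty Cmdlets
$roleCmdlets     = Get-CsAdminRole -Identity $RoleName | Select-Object -ExpandProperty Cmdlets

$stillPresent = foreach ($name in $DeniedCmdlets) {
    if ($roleCmdlets | Where-Object { $_ -like "*$name*" }) { $name }
}
if ($stillPresent) {
    Write-Warning "Denied cmdlets still present in ${RoleName}: $($stillPresent -join ', ')"
} else {
    Write-Host "All denied cmdlets removed from $RoleName."
}

# Anything else that differs from the template is worth a second look before handing the role out.
Compare-Object -ReferenceObject $templateCmdlets -DifferenceObject $roleCmdlets |
    Where-Object { $_.SideIndicator -eq '<=' } |
    ForEach-Object { "Removed from template: $($_.InputObject)" }
```

Run it again after any later Set-CsAdminRole change; step 4 is idempotent and doubles as a quick audit of what the role can do.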

Related articles:
http://technet.microsoft.com/en-us/library/gg425917.aspx
http://technet.microsoft.com/en-us/library/gg398271.aspx
http://technet.microsoft.com/en-us/library/gg399066.aspx
