
Controlling administrative rights with RBAC and custom cmdlets

Lync Server 2013 administration uses Role-Based Access Control (RBAC) to assign different levels of access privileges to the users, and to enable them to perform specific administrative tasks. The idea behind RBAC in Lync 2013 is that adding a user to a specific group not only defines the features and administrative tasks they are able to manage but also limits the cmdlets they are able to use in the Lync Management Shell. There are some built-in administrative roles, and we are able to add custom groups for more granular control. Another operation we are able to perform is adding authorized cmdlets to both kinds of groups, expanding the allowed tasks for a specific RBAC role.

Getting ready

In our example, we will use both of the previously mentioned customizations, creating a new customized user group, CsUserModifier, based on the default group CsViewOnlyAdministrator, and adding access to the Set-CsUser cmdlet (to modify properties for existing user accounts).

How to do it...

  1. Create the CsUserModifier user group (with the scope as universal and type as security) in Active Directory. The group name must match the role name used in the following steps.
  2. Open the Lync Server Management Shell and launch the following cmdlet:
    New-CsAdminRole -Identity CsUserModifier -Template CsViewOnlyAdministrator

    The cmdlet will clone the permissions of the CsViewOnlyAdministrator group to the custom group.

  3. Launch the following cmdlet to verify the list of administrative tasks delegated to the new group:
    Get-CsAdminRole CsUserModifier | Select-Object -ExpandProperty Cmdlets | fl

    The output will be similar to what is shown in the following screenshot:

  4. Now, we are able to use the cmdlet customization, adding the Set-CsUser cmdlet to the available tasks:
    Set-CsAdminRole -Identity CsUserModifier -Cmdlets @{add="Set-CsUser"}
  5. The same command, with @{remove=...} in place of @{add=...}, can be used to take away administrative tasks that were previously available to a group:
    Set-CsAdminRole -Identity CsUserModifier -Cmdlets @{remove="Get-CsVoiceRoutingPolicy","Get-CsVoiceTestConfiguration"}
  6. Verification of the previous cmdlet is done with the same process we used in step 3, listing the delegated tasks of the role.
  7. The New-CsAdminRole cmdlet supports the same -Cmdlets parameter we saw in steps 4 and 5, so when defining a custom group role, we are able to add custom cmdlets at creation time. A command like the next one achieves both role customization and cmdlet customization in a single step:
    New-CsAdminRole -Identity CsUserModifier -Template CsViewOnlyAdministrator -Cmdlets @{add="Set-CsUser"}
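
The whole recipe, steps 1 through 7, can be run as one script that also verifies its own result by diffing the delegated cmdlet list before and after the change. This is an added example, not code from the book; it assumes the Lync Server Management Shell is loaded, the ActiveDirectory module is available, and the OU path in $GroupPath is replaced with one from your own domain. The role name CsUserModifier, the template CsViewOnlyAdministrator and the Set-CsUser cmdlet are the ones from the recipe; the helper Get-RoleCmdletNames is ours.

```powershell
# Added example (not from the book): build the CsUserModifier role end to end
# and verify each step, instead of running the cmdlets one at a time.
# Assumes: Lync Server Management Shell loaded, ActiveDirectory module present,
# and an account with rights to create AD groups and Lync admin roles.
param(
    [string]$RoleName        = 'CsUserModifier',          # role/group name from the recipe
    [string]$Template        = 'CsViewOnlyAdministrator', # built-in role to clone
    [string[]]$AddCmdlets    = @('Set-CsUser'),           # tasks to grant
    [string[]]$RemoveCmdlets = @(),                       # tasks to revoke, if any
    [string]$GroupPath       = 'OU=LyncAdmins,DC=contoso,DC=com'  # assumed OU, change it
)

Import-Module ActiveDirectory

# Step 1: the role name must match a universal security group in AD.
# Create it only if it does not already exist (New-CsAdminRole fails without it).
if (-not (Get-ADGroup -Filter "Name -eq '$RoleName'" -ErrorAction SilentlyContinue)) {
    New-ADGroup -Name $RoleName -SamAccountName $RoleName `
        -GroupScope Universal -GroupCategory Security -Path $GroupPath
}

# Step 2: clone the template role unless the role is already defined.
if (-not (Get-CsAdminRole -Identity $RoleName -ErrorAction SilentlyContinue)) {
    New-CsAdminRole -Identity $RoleName -Template $Template | Out-Null
}

# Helper (ours): return the cmdlet names delegated to a role as plain strings.
# Entries in the Cmdlets property can display as "Name=Get-CsUser", so any
# "Name=" prefix is stripped before comparing.
function Get-RoleCmdletNames([string]$Identity) {
    (Get-CsAdminRole -Identity $Identity).Cmdlets |
        ForEach-Object { ($_.ToString() -replace '^Name=', '').Trim() } |
        Sort-Object -Unique
}

# Step 3: record the delegated tasks inherited from the template.
$before = @(Get-RoleCmdletNames $RoleName)

# Steps 4 and 5: grant and revoke cmdlets with one Set-CsAdminRole call each.
if ($AddCmdlets.Count -gt 0) {
    Set-CsAdminRole -Identity $RoleName -Cmdlets @{add = $AddCmdlets}
}
if ($RemoveCmdlets.Count -gt 0) {
    Set-CsAdminRole -Identity $RoleName -Cmdlets @{remove = $RemoveCmdlets}
}

# Step 6: verify by diffing the delegated list before and after the change.
$after = @(Get-RoleCmdletNames $RoleName)
Compare-Object -ReferenceObject $before -DifferenceObject $after |
    ForEach-Object {
        $change = if ($_.SideIndicator -eq '=>') { 'added' } else { 'removed' }
        '{0,-8} {1}' -f $change, $_.InputObject
    }

# Fail loudly if a requested grant or revocation did not take effect.
foreach ($c in $AddCmdlets) {
    if ($after -notcontains $c) { throw "Cmdlet $c is not delegated to $RoleName" }
}
foreach ($c in $RemoveCmdlets) {
    if ($after -contains $c) { throw "Cmdlet $c is still delegated to $RoleName" }
}
```

Running it a second time is harmless: the group and role creation are skipped when they already exist, and the diff simply comes out empty. Pass -RemoveCmdlets 'Get-CsVoiceRoutingPolicy','Get-CsVoiceTestConfiguration' to reproduce step 5.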

There's more...

As important as it is for security, RBAC has a severe limitation because it is effective only for users that are working with Lync administrative tools from a remote workstation (http://technet.microsoft.com/en-us/library/gg425917.aspx). The controls are not enforced for users who are working locally on the Lync Server (or using a remote PowerShell session). Physical security of our servers is an important topic, and we should address it with all the available solutions (smart card access, doors, cameras, strong passwords, lights-out servers with no physical keyboard or monitor available, and so on).
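
Because the role restrictions only bind remote administration, the practical control is knowing who can log on to the Lync servers themselves. The following added script (ours, not the book's) lists the Active Directory members of every Lync RBAC role, enumerates the local Administrators group on each named server through the WinNT ADSI provider, and flags role holders who are also local administrators, since RBAC cannot limit what those accounts do on the box. It assumes the Lync Server Management Shell and ActiveDirectory module are loaded and that the server names in $Servers are replaced with your own Front End hosts.

```powershell
# Added example (not from the book): audit who holds each Lync RBAC role and
# who is a local administrator on the servers, because RBAC limits only
# remote administration and local logon rights bypass it.
# Assumes: Lync Server Management Shell loaded, ActiveDirectory module present,
# and ADSI (WinNT provider) access to the listed servers. Names are placeholders.
param(
    [string[]]$Servers = @('LYNCFE01', 'LYNCFE02')   # assumed Front End hosts, change them
)

Import-Module ActiveDirectory

# Part 1: every RBAC role, the members of its matching AD group (resolved
# through nested groups) and how many cmdlets it delegates.
$roleReport = foreach ($role in Get-CsAdminRole) {
    $name    = $role.Identity.ToString()
    $members = @()
    if (Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue) {
        $members = @(Get-ADGroupMember -Identity $name -Recursive |
            Select-Object -ExpandProperty SamAccountName)
    }
    [pscustomobject]@{
        Role        = $name
        CmdletCount = @($role.Cmdlets).Count
        Members     = $members
    }
}

# Helper (ours): member names of a server's local Administrators group.
# Nested domain groups (for example "Domain Admins") are listed by name only,
# so expand those separately if they appear.
function Get-LocalAdminNames([string]$Computer) {
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

# Part 2: local Administrators on each server; a failed connection is reported
# rather than silently leaving that server out of the report.
$localReport = foreach ($s in $Servers) {
    try {
        foreach ($m in Get-LocalAdminNames $s) {
            [pscustomobject]@{ Server = $s; LocalAdmin = $m }
        }
    } catch {
        Write-Warning "Could not enumerate Administrators on $s : $_"
    }
}

# Part 3: role holders who are also local admins; for them the role's cmdlet
# list is not an enforced boundary.
$roleHolders = $roleReport | ForEach-Object { $_.Members } | Sort-Object -Unique
$overlap = $localReport | Where-Object { $roleHolders -contains $_.LocalAdmin }

$roleReport |
    Select-Object Role, CmdletCount, @{n = 'Members'; e = { $_.Members -join ', ' }} |
    Format-Table -AutoSize
$localReport | Format-Table -AutoSize
if ($overlap) {
    'RBAC role holders who are also local administrators (RBAC not enforced for them):'
    $overlap | Format-Table -AutoSize
}
```

Run it from a management workstation on a schedule and keep the output; a new name in the overlap list is the change worth investigating, because a role such as CsUserModifier grants nothing extra to an account that already administers the server locally.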
