Customized RBAC in cDOT 8.2.3

Similar Messages

• NX-OS RBAC role device-alias database

  Trying to create a custom RBAC role for Nexus 5500 SAN Admin. What role permission is required to have the ability to create device-aliases? The default san-admin role doesn't allow it so I created a custom role but can't figure it out.

  Duplicate post #1.

• "Discovery Manager" role cannot place a mailbox on hold

  My Company is testing Exchange 2013 and Exchange Online. We would like to have all discovery functions managed by our legal team.  We have assigned test users the “Discovery Manager” role.  That role should allow them rights to search all mailboxes
  and put search results on hold. Additionally, the discovery manager role should allow them to select a user mailbox in EAC, open the "Mailbox Features" page and enable litigation hold on the mailbox (no searching required). 
  We have found the second feature, enabling litigation hold without searching, is unavailable to discovery managers when using EAC. The "Mailbox Features" page is not exposed to discovery mangers using EAC.  The discovery manager can place a mailbox
  on hold using PowerShell but that would not be a reasonable option for our legal team.
  Please confirm if my understanding is correct, discovery manager should be able to place a mailbox on hold as well as in-place hold using EAC.
  Thanks in advance,
  Ron

  Does "Get-RoleGroup "discovery Management" | FL *role*" show that the Legal Hold role is assigned to the Discovery Mgmt role Group? If so, then  you may need to assign the "Recipient Management" or "Help Desk" role to those users as well or if you wish
  to security trim their access, create a customized RBAC role for them.
  Alternatively, see if they can simply set litigation hold via Powershell with set-mailbox
  Twitter!: Please Note: My Posts are provided “AS IS” without warranty of any kind, either expressed or implied.

• Get-csRgsWorkFlow command does not return result if you are using remote shell

  I am connecting to Lync server remotely using windows powshell.
  When I issue the command locally from the Lync server, I get the correct response. When I do the same command from the remote shell, I get empty response.
  Can you help me why this is happening?

  Have you checked RBAC? 
  "The Get-CsRgsWorkflow cmdlet
  provides a way for you to return information about the workflows configured for use in your organization.
  Who can run this cmdlet: By default, members of the following groups are authorized to run the Get-CsRgsWorkflow cmdlet locally: RTCUniversalServerAdmins. To return a list of all the role-based access control (RBAC) roles this cmdlet
  has been assigned to (including any custom RBAC roles you have created yourself), run the following command from the Windows PowerShell prompt:
  Get-CsAdminRole | Where-Object {$_.Cmdlets –match "Get-CsRgsWorkflow"}
  " - http://technet.microsoft.com/en-us/library/gg425766(v=ocs.14).aspx
  Please mark posts as answers/helpful if it answers your question.
  Blog
  Lync Validator - Used to assist in the validation and documentation of Lync Server 2013.

• Allow distribution group members only to send to distribution group

  Is it possible to allow the members of a distribution group to be the only ones permitted to send to the distribution group? I've read up on this and I think it's possible with a custom RBAC role. Any other ideas?
  Thanks! 

  You don't need RBAC for this - you just need to go to the Mail Flow Settings
  tab and open the Message Delivery Restrictions properties.  Add the group to the
  Accept messages from: Only senders in the following list.  This will limit it so that only messages from members of the group can send to it.
  You can also use the shell to do this by running:
  Set-DynamicDistributionGroup -Identity <group name> -AcceptMessagesOnlyFromSendersOrMembers <group name>

• Exception when remotely executing Export-CsArchivingData cmdlet from C# managed code

  Hi,
  Hopefully this is the right forum.
  The issue is specifically about remotely executing Export-CsArchivingData cmdlet from C# managed code.
  I use RunspacePool to connect to remote Lync server as described here:
  http://msdn.microsoft.com/en-us/library/ee706598(v=vs.85).aspx
  I can connect to remote Lync server and execute many Lync cmdlets (e.g. Get-CsUser, Get-CsSite, Get-CsPool, etc) and get the results just fine.
  However, when it tries to execute Export-CsArchivingData cmdlet remotely, it throws the following exception:
  System.AggregateException: One or more errors occurred. ---> System.Management.Automation.RemoteException: The term 'Export-CsArchivingData' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the
  name, or if a path was included, verify that the path is correct and try again.
     at System.Management.Automation.Runspaces.AsyncResult.EndInvoke()
     at System.Management.Automation.PowerShell.EndInvoke(IAsyncResult asyncResult)
  Additional info:
  1. I created a custom RBAC role and added Export-CsArchivingData to it. Then, assign this new role to the account that runs the application.
  2. Using regular powershell (not Lync powershell) from the machine (that I run my app from) with Lync admin tool installed and ran with the account that has the custom RBAC role assigned, I can connect to remote Lync server and execute Export-CsArchivingData
  just fine.
  3. Execute the app using the same above account (that has custom RBAC role) on two machines (one with Lync admin tool installed, one without) and connect to remote Lync server.
     Same behavior on both machine, I got the above the exception when executing Export-CsArchivingData and no problem when executing other Lync cmdlets mentioned above.
     Yes, even from a machine without Lync admin tool installed, I can execute other Lync cmdlets mentioned above.
  At this point, I am not sure why I get the above exception when Export-CsArchivingData is executed from my app while I can connect to remote Lync server and call Export-CsArchivingData just fine via regular Powershell, both on the same machine.
  Note: I do not call Import-Module Lync in C# managed code since it is not necessary so far for executing other Lync cmdlets remotely.
  Any idea on what to look for?
  Thanks in advance.

  I would recommend you call Import-Module Lync first, the command is not recognized.
  Lisa Zheng
  TechNet Community Support

• Permission to remove mobile device from mailbox

  Exch 2007 sp3
  I need to allow a tech to remove mobile devices from mailboxes. He is currently a Recipient Admin, but cannot delete devices.  I do not want to allow him Org Admin rights. What can I do?  Thx

  You will probably need to create a custom RBAC role with only the appropriate permissions. You'll need something with more rights than a simple Recipient Admin but less extensive than an Organization Admin.
  This should point you in the right directions:
  http://blogs.technet.com/b/exchange/archive/2012/09/12/rbac-walkthrough-of-creating-a-role-that-can-wipe-activesync-devices.aspx
  Yes, it is for wiping the devices (not for removing them from a mailbox) but the general procedure should be the same. I imagine you'll have to experiment a little to obtain the right combination.
  Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

• Exchange 2010 Special Permissions

  Is it possible to give my technicians permissions to create email/windows accounts in exchange, but not be able to read mailbox content of other users? 
  I hope that makes sense.

  By default nobody can read mailbox content except who owns the mailbox. If your technician wants to read mailbox content then he has to grant full mailbox permission the mailbox that he wants to open. Here is an example on custom RBAC role... http://blogs.technet.com/b/rmilne/archive/2013/11/21/creating-rbac-role-to-delegate-editing-contacts.aspx
  You can create a custom role for technician and remove ability to execute Add-MailboxPermission cmdlet. 
  Now if you want to give him this ability to grant permission and don't want to block it for some reason (if he is helping for shared mailbox permission etc...) on other mailboxes then you can give him look for
  Admin Audit Log (which is by default enabled) on permission to see if he is granted permission to himself or not and if yes then you can ask him...
  Now if you want to look at granular level on what he is trying to access inside mailbox then you can enable
  Mailbox Audit log but that has to be enabled at each mailbox level.

• Custom Report Syntax - Prompt for limiting collection

  I'm building a customer report that will display maintenance windows for multiple devices.  I'd like to be able to filter the number of devices reported by collection (as to not have EVERY device in the console listed all at once).
  I've got the report working for everything except the filtering part.  Do I need to add a new Dataset and then filter it somehow?  Here's my only dataset so far:
  FIELDS: Computername, CollectionName, Next_Maintenance_Window
  QUERY:
  select
  v_FullCollectionMembership.Name as Computername ,v_Collection.Name as CollectionName,
  v_ServiceWindow.Description as 'Next Maintenance Window'
  from v_ServiceWindow
  inner join v_FullCollectionMembership on (v_FullCollectionMembership.CollectionID = v_ServiceWindow.CollectionID)
  inner join v_Collection on (v_Collection.CollectionID = v_FullCollectionMembership.CollectionID)
  order By Computername
  What do I need to add to be able to select the collection 1st then run the query above?

  HI
  Or you could do it like this:
  Create a new dataset and paste in the following Query:
  SELECT
    v_Collection.Name
    ,v_Collection.CollectionID
  FROM
    v_Collection
  Where CollectionType=2
  Insert the following code in your own Query (dataset) right before order by Computername
  Where v_Collection.Name = (@CollID)
  Expand Parameters in Report Builder, you should see a paramter called @CollID
  Right-click CollID and fill in the following information on the general page:
  Name: CollID
  Prompt: Collection
  On the Available Values select Get values from a query
  Dataset: Dataset2 (the new dataset you just created)
  value field: Name
  Label field: Name
  Design your layout in report builder and run the report. You will get a drop-down box with all your device collections.
  This report is not "RBAC" enabled

• Exchange 2007/2010 Console doesn't show up Exchange 2007 Databases after RBAC Implementation

  I have implemented a RBAC model after which Exchange 2010/2007 Console won't show up Exchange 2007 Mailbox Databases.
  Everything was working fine up until the Users were members of "Exchange Recipient Administrators" Group.
  I have created Custom Roles based on PArent Roles, Mail Recipients, Mail Recipient Creation, Distribution Groups & Public Folders and assigned that to a universal security group "Helpdesk operations". I removed membership for Helpdesk operations
  from "Exchange Recipient Administrators" Group and assigned the Custom Roles to "Helpdesk Operations" using the cmdlet below:
  New-ManagementRoleAssignment "Custom Role" -SecurityGroup "HelpDesk Operations"
  Exchange 2010 console shows Exchange 2010 Databases but not Exchange 2007 DAtabases. Exchange 2007 console doesn't show up any databases on New-Mailbox and simply displays a message "No Objects Found".
  Even Get-MailboxDatabase REturns blank output on Exchange 2007 SHell. Please help me with this and let me know in case if there is something that i need to be looking at!
  any help on this is much appreciated.
  M.P.K ~ ( Exchange | 2003/2007/2010/E15(2013)) ~~ Please remember to click “Vote As Helpful" if it really helps and "Mark as Answer” if it answers your question, “Unmark as Answer” if a marked post does not actually answer your question. ~~ This
  Information is provided is "AS IS" and confers NO Rights!!

  Hi,
  I recommend you use the following cmdlet and check the result.
  Get-MailboxDatabase -Server "Exchange 2007 server name"
  In my environment, if I don't specify the Server parameter on Exchange 2010 Management Shell, Exchange 2007 mailbox database can't be displayed. If I specify the Server parameter, Exchange 2007 mailbox database will be displayed.
  What's more, please check if the account you use has been delegated the Exchange View-Only Administrator role.
  Here is a thread for your reference.
  Get-MailboxDatabase
  http://technet.microsoft.com/en-us/library/bb676367(v=exchg.80).aspx
  Hope it helps.
  Best regards,
  Amy
  Amy Wang
  TechNet Community Support

• Moving over to RBAC from responsibilities based model

  Hello,
  We are on 11.5.10 and are evaluating moving over to Role based, RBAC model for user management from the current responsibilities based model. We have a HRMS and Financials implementation.
  Would anybody have any pointers about any documentation or roadmap on how to implement this move over to RBAC model. I could find the documentation which describes how you will be able to implement a new user management structure from scratch incorporating custom roles, but was not able to find anything describing the migration/consolidation path to RBAC from current responsibilities based model.
  Any advice/experiences regarding moving over to RBAC will be highly appreciated.
  Thanks.

  Have you checked these docs?
  E-Business Suite Diagnostics RBAC Basics [ID 753979.1]
  Oracle Applications System Administrator's Guide - Security
  http://download.oracle.com/docs/cd/B25516_18/current/acrobat/115sasg.pdf
  Thanks,
  Hussein

• Maximum Storage Size in cDOT 8.2 Simulator???

  Hi All, I'm trying to help my customer to preserve his 5 years of weekly Snapshots (!). Many of them are 32-Bit an are not out of age in the near future. He wants/needs to turn to 8.3 due to a very dirty SMB Bug (currently on cDOT 8.2P3) and because we don't offer4 32-Bit Snapshots Capability in 8.3 I have the following in Mind: Install cDOT82-Sim in VMWare, SnapMirror all Data from current SnapVault-Destination into Sim to preserve it forever. Then delete 32-Bit Snaps on physical System and Upgrade Env to 8.3. Capacity is around 6 TB. Can 8.2 cDOT Simulator handle this? >> Bringing Data to Cloud is not an Option due to Person data, buying new Gear is also not an Option because they just bought new gear and are very unhappy about our Snapshot "Story"... RegardsOli

  That's much too large for the sim. The one we can download is good to about 220gb raw, but it could be configured to about 0.5t raw.
  Edge would be a much better fit, but you would need a full version key for FDvM200. The evaluation version has a 2tb limit but the full version can take 10tb raw. Even after WAFL reserve and peeling off a root vol it should comfortably hold your 6tb archive.
  Cloud ONTAP wouldn't work for you anyway since it can't run anything older than 8.3RC1.

• Custom Distribution Group management role (manager excpeiton)

  My organization is medium size with multiple support groups (15+) that each support a subset of users (350+). I want to create a management role that is scoped so each support group can manage the distribution groups in their respective OU space.
  By manage I mean edit the group membership. I realize I can achieve this with AD permissions but I’d like to achieve this in a way that leverages RBAC so the support groups can use OWA. I also want to leverage RBAC\OWA because not all my support groups are
  technical, some are office admins. Anyways, below is what I’ve tried in my lab scoped to one of my support groups.
  Using the cmdlets below I’ve created a custom management scope, role and group. However, this does not work. While it lets my sales support group view and edit some random attributes on the group, it fails when they try to edit the group membership. In other
  words, they can logon to OWA, click options\see all options\manage your organization\distribution groups\open the group\edit description etc. but when they select “Add…” under membership then select the user and hit ok\save they get the error “you don’t have
  sufficient permissions. this operation can only be performed by a manger of the group”.
  New-ManagementScope -Name “Sales Support DG MScope” -RecipientRestrictionFilter {RecipientType -eq "MailUniversalSecurityGroup"} -RecipientRoot “lab.com/sales”
  New-ManagementRole -name “Sales Support DG MRole” -Parent "Distribution Groups"
  New-RoleGroup -name “Sales “Sales Support DG MGroup” -Roles "Sales Support DG MRole" -CustomRecipientWriteScope "Sales Support DG MScope"
  When I do as the error asks (i.e. add my support user as a manager of the group via the EMC), then my support user is able to edit the group's membership in OWA. The problem with this solution is that it would require me to add my support users to my role
  group “Sales Support DG MGroup” AND as a manager of the DG and every DG that is created down the line. Not ideal. Any ideas, some RBAC magic I’m missing?
  Below confirms by scope.
  Get-Group -OrganizationalUnit “lab.com/sales” | ?{$_.RecipientType -eq "MailUniversalSecurityGroup"}
  Name DisplayName SamAccountName GroupType
  distro1 distro1 distro1 Universal, SecurityEnabled
  distro2 distro2 distro2 Universal, SecurityEnabled
  distro3 distro3 distro3 Universal, SecurityEnabled
  On a side note, I realize by sourcing my management role off of distribution groups gives me more cmdlets\access than my support group needs (see below). I’m first just trying to get it to work :).
  Get-ManagementRole “Sales Support DG MRole” | Get-ManagementRoleEntry | select name
  Name
  Add-DistributionGroupMember
  Disable-DistributionGroup
  Enable-DistributionGroup
  Get-ADServerSettings
  Get-AcceptedDomain
  Get-DistributionGroup
  Get-DistributionGroupMember
  Get-DomainController
  Get-DynamicDistributionGroup
  Get-Group
  Get-MailUser
  Get-Mailbox
  Get-OrganizationalUnit
  Get-Recipient
  Get-ResourceConfig
  Get-User
  New-DistributionGroup
  New-DynamicDistributionGroup
  Remove-DistributionGroup
  Remove-DistributionGroupMember
  Remove-DynamicDistributionGroup
  Set-ADServerSettings
  Set-DistributionGroup
  Set-DynamicDistributionGroup
  Set-Group
  Set-OrganizationConfig
  Update-DistributionGroupMember
  Write-AdminAuditLog

  Hello,
  I understand that you have create custom management scope for each group and assigned a custom role to it.
  But whenever user try to edit (add/remove membership ) ,it shows errors "you dont have sufficient permissions". I face similar problem when we move from 2007 to 2010, 2010 by default disabled editing options for Dl membership.
  You can enable it by Graphic mode or powershell. Would suggest that you have created custom role, you follow powershell mode. I had written a blog on that.
  Check below link. http://exchange2010cmd.blogspot.de/
  You have created new management role “Sales Support DG MRole”, but you need to assign this role to users/administrators in your case through role assignment policy.
  You can either use existing default policy or create new policy and assign this management role to it.
  Use below cmd: New-ManagementRoleAssignment -Role “Sales Support DG MRole” –Policy “Default Role Assignment Policy”
  NOTE: If you are creating new policy , place that name instead of default policy name".
  I recommend you continue with defalut policy. After this check with any admin, he should have rights to edit membership.
  Now, regarding your second concern, that your custon role has to many role entries.
  You can remove unwanted role entries.
  Use this cmd: Get-ManagemenRoleEntry “Sales Support DG MRole\*” | where{ $_.name –like “Set-distributionGroup” } | remove-managementroleentry
  Before linking management role to email policy, remove unwanted role entry from role.
  I tried to explain it in easy way, but still it is not understood, write back to me. I am new to technet forum, I started few days back replying to questions. If you get your answer,dont forget to propose it as answer.

• RBAC (Roles Based Access Control) "Broken" in WCS

  In my opinion, RBAC in WCS is broken. They have taken a good concept and implemented it wrong. The way it is currently working is as follows. Roles are defined in WCS. In ACS (or whatever Radius server you want to use), you have to first set up a new "Service" in the TACACS "Interface" configuration called "Wireless-WCS". All this is good. In WCS you then have to go to the "role" or Group that you want, click on task list and it will give you both a TACACs and Radius output that you have to take and then paste into the "Wireless-WCS" custom attribute box in ACS. An example for "SuperUser" role would be a list like below, note the real list is 48 different "tasks", I shortened it here.
  role0=SuperUsers
  task0=Users and Groups
  task46=Auto Provisioning
  task47=Voice Audit Report
  Here is the problem. Why, if you have the role defined in WCS, do you have to repeat its definition in ACS? Why can't you simply pass the first line ("role0=SuperUsers") and have it use the defined role in WCS? This just seems silly. They changed the role of the "SuperUser" in the new 5.0 code too, which means if you assigned these at the user level, you would have to potentially go update a ton of User accounts in ACS so people would have access to their appropriate roles.
  The last time I complained I was told that the reason for it was "The reason it had to be done that way is b/c WCS is not IOS based and the code dictates that it must be done that way.". Seems like a silly reason for not doing things in a good way...
  Just letting everyone know so they can complain when they come across it. Maybe with enough complaints they'll fix it.. 8-)

  Hi,
  I believe all your questions are answered in "System Administrator's Guide - Security" manual.
  Applications Releases 11i and 12
  http://www.oracle.com/technology/documentation/applications.html
  You may also review this document.
  Note: 753979.1 - E-Business Suite Diagnostics RBAC Basics
  https://metalink2.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=753979.1
  Regards,
  Hussein

• Trying to make sense on how and if RBAC and MOAC could work together

  Hi All,
  We upgraded from 11.5.9 to R12.1.1 in Nov-2009.
  Since the time we have upgraded to R12, we are trying to make sense as to how and if RBAC and MOAC could work together.
  The use case is as below:
  *11i Days*
  US Accountant - accesses ‘AR superuser US’
  Canada Accountant - accesses ‘AR superuser Canada’
  France Accountant - accesses ‘AR superuser France’
  Spain Accountant - accesses ‘AR superuser Spain’
  North America Financial controller - Switches between 'AR superuser US' and 'AR superuser Canada'
  European Financial controller - Switches between 'AR superuser France' and 'AR superuser Spain'
  CFO - Switches amongst 'AR superuser US','AR superuser Canada', 'AR superuser France' and 'AR superuser Spain'
  Now in R12- (Wow there is MOAC!)
  US Accountant - accesses ‘AR superuser US’
  Canada Accountant - accesses ‘AR superuser Canada’
  France Accountant - accesses ‘AR superuser France’
  Spain Accountant - accesses ‘AR superuser Spain’
  North America Financial controller - accesses 'AR superuser North America'
  European Financial controller - accesses 'AR superuser Europe'
  CFO - accesses 'AR superuser Global'
  With R12 now there are 3 additional responsibilities.
  We have (like most of the other EBS customers) custom responsibilities and so there is maintenance.
  More the responsibilities more the maintenance...More the SOD issues.
  To prevent creating new responsibilities, we could use the ‘MO: Security Profile’ at the user level BUT that would mean that now these users would have access to multiple OUs for all the responsibilities...that is not good.
  What-If: There is only 1 responsibility 'AR SuperUser' and somehow using RBAC, roles are created and assigned to users so that they only have access to specific OUs.
  Apparently, MOAC works based on MO:Security Profile that is something that RBAC cannot control.
  Am I missing something...RBAC seems to be no good?
  In PROD(R12.1.1)- We are expecting that we would end up creating 100+ new responsibilities since we have many shared services users and they all want to benefit from MOAC...Appreciate, if you could please help us understand how we can prevent these 100+ new responsibilities from getting created?
  Thanks
  Rahul Gupta

  Hi Rahul,
  your question is quite interesting. I did a lot in the area of RBAC to understand the background.
  RBAC mainly allows you to
  - group responsibilities
  - build hierarchies
  - manage low level data access (via VPD)
  - Grant permissions (new with R12)
  Unfortunately you can't control profile options via RBAC. Therefore, the MO:Sec Profile has to stay on responsibility level. I was playing with the alternative to put this profile option on user level, but also in this case the number of maintenance steps will stay the same.
  I would like to share a document with you, what's your email (or search my name in linkedin)?
  kr
  Volker Eckardt