RBAC is used to assign or distribute the responsibility of placing legal holds and the sensitive task of searching mailboxes for the purpose of eDiscovery.
- [Narrator] Discovery, including electronic discovery, is not a happy topic for very many people. It refers to the ability to search electronic data for information to be used in civil or criminal proceedings. And while it may not be the most positive of scenarios to discuss, it's one of the most important features to understand. When the time comes that you need to know these features, you will want to know how to use them properly and not simply learn as you go in that moment.
The ability to search the entire Exchange organization is pretty powerful stuff, and is not a permission that is assigned to anyone by default. Most often, this ability will be assigned to a non-technical employee, someone in the legal or compliance department, and may be assigned or revoked as needed. Role-Based Access Control, or RBAC, uses role groups and management roles to allow you to delegate specific access to different users, to split up the responsibilities by splitting up the permissions, in an Exchange environment.
We have a Discovery Management role group created by default and I can easily add a user here in the admin center or I can do it from the management shell. And the syntax to add a user to the Discovery Management role group is Add-RoleGroupMember and then we specify the identity of the role group. And, as has been pointed out before, since there's a space in that value we're including it inside quotation marks.
And finally, we'll use the Member parameter to add Chase Montgomery, the director of compliance for our corporate office. So adding a member to a role group is pretty simple. I'm going to go back over to the admin center, where we can refresh this view and see a couple of details about this role group. I can see that Chase Montgomery has been indeed added as a member of this role group and we can see two assigned roles: Legal Hold and Mailbox Search.
The ability to place a hold on a mailbox is not as sensitive as the ability to search every message, so that management role is already included in the Organization Management role group. It may be that your organization wants to split up the responsibility of placing holds and conducting the searches. If I wanted to create a custom role group for discovery only, I could do that from this screen. When I click on the New button I can go ahead and assign this role group a name.
And if the name can't be descriptive enough, there is a box to define the role group for future administrators or others on your team. Now we haven't defined any scopes besides the Active Directory forest, so I'm going to accept the default scope and move on to add the management role. Specifically, we want to allow mailbox searches. So I'm going to scroll down and find Mailbox Search and add that to this role group. And that's the only one, so let me accept those changes.
And if I were to scroll down, I could use the admin center to go ahead and apply members to this group. I can select the add button here and I will see all of my mailbox users as well as other role groups. If this list is too long to find the user you're looking for, feel free to just search them using the box above and we can easily find the user we're looking for. So let me accept that and save the changes to this new role group.
Now if I were to go into Discovery Management and remove Chase as a member of that role group, the end result would be that Chase could conduct a search as needed, but the Exchange administrators cannot. The administrators in the Organization Management role can place legal holds on the users, but the compliance department could not. The purpose of RBAC is to grant the right access to the right people. The ability to conduct e-discovery searches is a perfect example of a permission that needs to be very carefully assigned.
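
The split described in the transcript, done from the Exchange Management Shell and followed by a check of who actually ends up holding each role. This is an added example, not part of the course; the role group name `Discovery Search Only` and the alias `chase.montgomery` are assumed for illustration.

```powershell
# Assumed names (not from the transcript): adjust to your organization.
$GroupName = 'Discovery Search Only'   # hypothetical custom role group
$Searcher  = 'chase.montgomery'        # hypothetical alias of the compliance director

# 1. Custom role group that carries ONLY the Mailbox Search role.
#    Legal Hold is deliberately left out so holds stay with Organization Management.
if (-not (Get-RoleGroup -Identity $GroupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $GroupName `
        -Roles 'Mailbox Search' `
        -Members $Searcher `
        -Description 'eDiscovery searches only. Legal holds are placed by Organization Management.'
}

# 2. Take the user out of the built-in group, which grants both
#    Legal Hold and Mailbox Search.
Remove-RoleGroupMember -Identity 'Discovery Management' -Member $Searcher -Confirm:$false

# 3. Verify the outcome: list every user who effectively holds each role
#    through a regular (non-delegating) assignment.
foreach ($role in 'Mailbox Search', 'Legal Hold') {
    Get-ManagementRoleAssignment -Role $role -GetEffectiveUsers -Delegating $false |
        Where-Object { $_.EffectiveUserName -ne 'All Group Members' } |
        Sort-Object EffectiveUserName, RoleAssigneeName |
        Format-Table Role, EffectiveUserName, RoleAssigneeName -AutoSize
}

# 4. Delegating assignments do not grant the role itself, but they let the
#    assignee hand Mailbox Search to someone else, so review them as well.
Get-ManagementRoleAssignment -Role 'Mailbox Search' -Delegating $true |
    Format-Table Name, RoleAssigneeName, RoleAssignmentDelegationType -AutoSize
```

After step 3, the compliance user should appear only under Mailbox Search via the custom group, and should no longer appear under Legal Hold via Discovery Management.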