2. Assigning the Federated Sharing Role
Federated sharing is a built-in management role that enables you to manage
cross-forest and cross-organization sharing.
If you want the federated sharing management role to grant permissions, it
must first be assigned to a role assignee. This can be a role group, user, or
universal security group. You may also need to apply either a custom or a
built-in management scope to specify what recipient and server objects federated
sharing role assignees can modify. If the federated sharing role is assigned to
a role assignee but a management scope allows the role assignee to manage only
certain objects based on a defined scope, the role assignee can use the
permissions granted by the federated sharing role only on those specific
objects.
The federated sharing management role is assigned to one or more role groups
by default. You can use the Get-ManagementRoleAssignment
EMS cmdlet to list these groups. To see role details, including a list of groups,
users, or universal security groups assigned to this role, enter the following
command in the EMS:
Get-ManagementRoleAssignment -Role "Federated Sharing" | FL
Figure 9 shows part of the
output of this command.
You can also remove the federated sharing management role from built-in role
groups or role groups you create and users and universal security groups.
However, there must always be at least one delegating role assignment for this
role granted to a role group or universal security
group. You cannot delete the last delegating role assignment. This limitation
helps to prevent administrators from locking themselves out of the system.
Adding the federated sharing management role to a role group gives
administrators who are assigned to that management role group the ability to
manage federated sharing. You can use the
New-ManagementRoleAssignment cmdlet in the EMS to add
the role to a role group. For example, the following command assigns the
federated sharing management role to the Adatum Federation role group without
defining a scope:
New-ManagementRoleAssignment -Name "Federated Sharing Adatum Federation" -SecurityGroup "Adatum Federation" -Role "Federated Sharing"
The following command assigns the federated sharing role to the Adatum
Federation role group and applies the Organization predefined scope:
New-ManagementRoleAssignment -Name "Federated Sharing Adatum Federation" -SecurityGroup "Adatum Federation" -Role "Federated Sharing" -RecipientRelativeWriteScope Organization
If a predefined scope does not meet your needs, you can use a recipient filter
to define a scope. For example, the following command creates a scope that
includes all mailboxes within the Federation Managers OU in the Adatum.com
domain:
New-ManagementScope -Name "Mailboxes in Federation Managers OU" -RecipientRestrictionFilter { RecipientType -eq 'UserMailbox' } -RecipientRoot "Adatum.com/Federation Managers OU"
The following command assigns the federated sharing role to the Adatum
Federation role group and applies the Mailboxes in Federation Managers OU scope
that you created using the previous command:
New-ManagementRoleAssignment -Name "Federated Sharing Adatum Federation" -SecurityGroup "Adatum Federation" -Role "Federated Sharing" -CustomRecipientWriteScope "Mailboxes in Federation Managers OU"
2.1. Removing the Federated Sharing Role from a Role Group
If you do not want members of a management role group to have permissions
to manage federated sharing, you can remove the role assignment between the
management role group and the federated sharing management role that grants
the permissions. All members of the role group lose the ability to manage
federated sharing when you remove the role assignment. If you want to remove
the permissions from one member only, you need instead to remove that member
from the management role group.
If you want to remove a management role assignment from a management role
group, you first need to find the name of the management role assignment
that assigns the role to the role group (unless you already know this). In
the example given in this lesson, the role group is Adatum Federation. To
find the name of the management role assignment, you enter the following
command in the EMS:
Get-ManagementRoleAssignment -RoleAssignee "Adatum Federation"
This command would in this
instance return the management role assignment name “Federated Sharing
Adatum Federation”. You could remove this role assignment by entering
the following command:
Remove-ManagementRoleAssignment "Federated Sharing Adatum Federation"
This removes the management role that enables administrators assigned the
Adatum Federation role group to manage federated sharing.
2.2. Adding the Federated Sharing Role to a User or Universal Security Group
You can use management role assignments to assign the federated sharing
management role to a user or universal security group. By assigning a role
to a user or universal security group, you enable the user or group members
to perform tasks dependent on cmdlets or scripts related to the federated
sharing management role.
The commands to assign the federated sharing role to a universal security
group are the same as those used to assign the role to a management role
group except that the SecurityGroup parameter identifies a universal
security group rather than a role group. To assign the role to an individual
user (not recommended), you use a command similar to the following:
New-ManagementRoleAssignment -Name "Federated Sharing Don Hall" -User "Don Hall" -Role "Federated Sharing"
To remove a role assignment from a user or universal security group, you
follow the same procedure that you did for a management role group. If
necessary, first use the Get-ManagementRoleAssignment
cmdlet to determine the name of the assignment and then use the
Remove-ManagementRoleAssignment cmdlet to remove
it.
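As an added example (not part of the original lesson), the following EMS script ties the procedures above together: it reports who currently holds the Federated Sharing role and over which recipients (flagging assignments that carry no custom scope, so the assignee can act organization-wide), and it guards a removal so that the last delegating assignment described earlier is never the one you try to delete. The Exchange cmdlets and their parameters are real; the function names and the Adatum role group name are the lesson's example names or assumptions for this script.

```powershell
# Added example for the Exchange Management Shell (EMS). The function names are
# assumptions for this script; the cmdlets and object properties are Exchange's.

function Get-FederatedSharingAssignmentReport {
    # One row per assignment of the Federated Sharing role: who holds it, whether
    # it is a regular or delegating assignment, and which recipient scope applies.
    # UnscopedOrgWide is true when no custom recipient scope limits the assignee.
    Get-ManagementRoleAssignment -Role "Federated Sharing" |
        Select-Object Name, RoleAssignee, RoleAssigneeType,
            RoleAssignmentDelegationType, RecipientWriteScope,
            CustomRecipientWriteScope, Enabled,
            @{ Name = 'UnscopedOrgWide'
               Expression = { $_.RecipientWriteScope -eq 'Organization' -and
                              -not $_.CustomRecipientWriteScope } }
}

function Test-FederatedSharingAssignmentRemovable {
    # Returns $true when removing the named assignment would still leave at
    # least one delegating assignment for the role (the lesson's limitation).
    param([Parameter(Mandatory)][string]$Identity)
    $assignment = Get-ManagementRoleAssignment -Identity $Identity
    if ($assignment.RoleAssignmentDelegationType -eq 'Regular') { return $true }
    $remaining = @(Get-ManagementRoleAssignment -Role "Federated Sharing" -Delegating $true |
        Where-Object { $_.Name -ne $assignment.Name })
    return ($remaining.Count -gt 0)
}

function Remove-FederatedSharingAssignmentSafely {
    # Removes the assignment only after the delegating-assignment check passes.
    param([Parameter(Mandatory)][string]$Identity)
    if (-not (Test-FederatedSharingAssignmentRemovable -Identity $Identity)) {
        Write-Warning "'$Identity' is the last delegating Federated Sharing assignment; not removing."
        return
    }
    Remove-ManagementRoleAssignment -Identity $Identity -Confirm:$false
}

# Usage with the lesson's example names:
Get-FederatedSharingAssignmentReport | Format-Table -AutoSize
Remove-FederatedSharingAssignmentSafely -Identity "Federated Sharing Adatum Federation"
```

Review any row where UnscopedOrgWide is True against the scoped assignment shown earlier in the lesson; those assignees can manage federated sharing for every recipient in the organization.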