Role Based Access Control (RBAC) for Office 365
ON THIS PAGE:
One of the basic functions of an IT administrator supporting an application is to control permissions and access to the data within that application. When an organization makes the move to cloud services, this process becomes far more important and considerably more complicated as you can imagine.
In this blog post I’ll explore what Role Based Access Control (RBAC) is, how it works in Office 365, and why an add-on management solution might be the answer for some organizations.
WHAT IS ROLE BASED ACCESS CONTROL?
RBAC is a permissions scheme that is based on the idea of granting IT administrators the ability to perform specific actions while denying them the ability to perform other actions. In contrast, NTFS permissions is the more traditional permissions scheme used by Windows that allows or denies access to files and folders. RBAC schemes are much more flexible, and allow for many distinct levels of administrative permissions, especially with the wide-array of Office 365 applications (Exchange, SharePoint, OneDrive, Skype for Business, etc).
HOW IS RBAC IMPLEMENTED IN OFFICE 365?
I’m sorry to tell you, but the word “inconsistently” is probably the best way to describe how administrator access control is implemented in the Microsoft cloud. As I said above, there is no one way RBAC works. Different software companies implement their own spin on RBAC, so RBAC implementations in different software tend to look and work differently. In the case of Office 365, this is also true across the different applications within the service.
I’m not going to have space here to go into a full explanation of the difference between Exchange Online RBAC and Skype for Business RBAC, but I can give you a couple of examples of the differences.
- In Exchange Online custom RBAC roles must be built from existing roles and removing PowerShell cmdlets or restricting permissions
- In Skype for Business Online customer RBAC roles can be built from the ground up
- In Exchange Online permissions can be assigned that allow scripts to be run without granting rights to run the individual cmdlets in the scripts
The point I’m trying to make here is that RBAC for Office 365 is not governed by one set of rules. Each application has its own rules, and if you want to manage “Office 365” then you need to learn the rules for each application, and then manually build the permission settings and rules to divvy out the different capabilities to administrators. If this sounds like a nightmare, it is. And I haven’t even mentioned SharePoint yet. Permissions for SharePoint Online are way more confusing.
ADVANTAGE OF ADDING ON A THIRD PARTY RBAC MANAGEMENT SYSTEM TO MY OFFICE 365 TENANT
In my opinion, the biggest advantage of adding a third party RBAC management tool on top of your Office 365 tenant is consistency. A single third party RBAC management tool that gives you a consistent experience across all the Office 365 applications can make life much more simple for IT directors.
A third party RBAC tool is probably not going to have the same depth of control that you can get from within the individual Office 365 product’s RBAC systems. If you need to get into the advanced scenarios of creating your own role groups and role assignments, then that work is most likely going to need to be done from within the native tools. But that type of manual intervention is fraught with headaches to support long-term.
If you just need to delegate admin tasks to regional administrators so they can support their own local business unit, or you need to setup help desk permissions to provide simple tasks such as password changes for your users, then why not purchase a third-party management tool. Seriously, if you are looking for consistency applied across the delegated permissions for the entire suite of Office 365 software, then a third-party management tool is going to be the way to go.
RBAC IN COREVIEW
CoreView gives you a single, consistence interface to control and delegate admin permissions across all of Office 365. CoreView does this by using a single Global Administrator account itself, and then granting permissions to administrators within the CoreView hierarchy.
Using CoreView you don’t need to learn all the details of how the different Microsoft implementations of RBAC work to be able to control access to your Office 365 tenant. There may be some more advanced scenarios where your administrators will have to dive into specific permissions for a single Office 365 application, but CoreView takes care of the vast majority of permissions management situations for you. And it does so CONSISTENTLY, so you can alleviate the stress-level on your Chief Information Security Officer.
Nathan actively contributes to the Exchange and Office 365 communities by writing articles for several tech websites and his own blog www.mcsmlab.com. He can be seen speaking at IT conferences including IT/DEV Connections, Microsoft Ignite, Collab365, and in frequent webcasts for Redmond Magazine.