Article
07/22/2014

Role-Based Access Control

Topic Last Modified: 2011-03-23

To enable you to delegate administrative tasks while maintaining high standards for security, Microsoft Lync Server 2010 communications software introduces role-based access control (RBAC). With RBAC, administrative privilege is granted by assigning users to predefined administrative roles. Lync Server 2010 includes a rich set of built-in administrative roles, and you can assign user groups to these roles.

Better Server Security and Centralization

In previous versions of Office Communications Server, administrative rights were defined very broadly, and users with administrative access for a server running Lync Server could make many types of changes. With RBAC, access and authorization is based more precisely on a user’s Lync Server role. This enables greater use of the security practice of "least privilege," granting administrators and users only the rights that are necessary for their job.

Important

RBAC restrictions work only on administrators working remotely, using either the Lync Server Control Panel or Lync Server Management Shell. A user sitting at a server running Lync Server is not restricted by RBAC. Therefore, physical security of your Lync Server is important to preserve RBAC restrictions.

Roles and Scope

In RBAC, a role is a list of cmdlets defined by Lync Server, designed to be useful for a certain type of administrator or technician. A scope is the set of objects which the cmdlets defined in a role can operate on. The objects that scope affects can be either user accounts (grouped by organizational unit) or servers (grouped by site).

The following table lists the predefined roles in Lync Server 2010, and gives a general overview of the types of tasks each can do. The fourth column shows the similar Microsoft Exchange Server role for each Lync Server role, if there is one.

For a detailed list of exactly which cmdlets each role can run, see the tables later in this topic.

Predefined Administrative Roles

Role	Tasks allowed	Underlying Active Directory Group	Exchange equivalent
CsAdministrator	Can perform all administrative tasks and modify all settings, including creating roles and assigning users to roles. Can expand a deployment by adding new sites, pools, and services.	CS Administrators	Organization Management
CsUserAdministrator	Can enable and disable users for Lync Server, move users and assign existing policies to users. Cannot modify policies.	CS User Administrators	Mail Recipients
CsVoiceAdministrator	Can create, configure, and manage voice-related settings and policies.	CS Voice Administrators	Not applicable.
CsServerAdministrator	Can manage, monitor, and troubleshoot servers and services. Can prevent new connections to servers, stop and start services, and apply software updates. Cannot make changes with global configuration impact.	CS Server Administrators	Server Management
CsViewOnlyAdministrator	Can view the deployment, including user and server information, in order to monitor deployment health.	CS View-Only Administrators	View-Only Organization Management
CsHelpDesk	Can view the deployment, including user's properties and policies. Can run specific troubleshooting tasks. Cannot change user properties or policies, server configuration, or services.	CS HelpDesk	HelpDesk
CsArchivingAdministrator	Can modify archiving configuration and policies.	CS Archiving Administrators	Retention Management, Legal Hold
CsResponseGroupAdministrator	Can manage the configuration of the Response Group application within a site.	CS Response Group Administrators	Not applicable
CsLocationAdministrator	Lowest level of rights for Enhanced 9-1-1 (E9-1-1) management, including creating E9-1-1 locations and network identifiers, and associating these with each other. This role is always assigned with a global scope.	CS Location Administrators	Not applicable

All predefined roles shipped in Lync Server have a global scope. To follow least privilege practices, you should not assign users to roles with global scope if they are going to administer only a limited set of servers or users. To accomplish this, you can create roles which are based on the predefined roles, but with a more limited scope.

Creating a Role

When you create a role, you specify the scope, along with the existing role it is based on and the Active Directory group to be assigned the role. The Active Directory group you specify must already be created. The following cmdlet is an example of a creating a role with limited scope. It creates a new role called Site01 Server Administrators. The new role has the abilities of the predefined CsServerAdministrator role, but only for the servers located in the Site01 site. For this cmdlet to work, the Site01 site must already be defined, and a security group named Site01 Server Administrators must already exist.

New-CsAdminRole -Identity "Site01 Server Administrators" -Template CsServerAdministrator -ConfigScopes "site:Site01"

After this cmdlet runs, all users who are members of the Site01 Server Administrators group will have server administrator privileges for the servers in Site01. Additionally, any users who are later added to this security group also gain the privileges of this role. Note that both the role itself, and the security group it is assigned to are called Site01 Server Administrators.

The following example limits user scope instead of server scope. It creates a Sales Users Administrator role to administer the user accounts in the Sales organizational unit. The SalesUsersAdministrator security group must already be created for this cmdlet to work.

New-CsAdminRole -Identity "Sales Users Administrator " -Template CsUserAdministrator -UserScopes "OU:OU=Sales, OU=Lync Tenants, DC=Domain, DC=com"

A user can be given multiple RBAC roles by being added to the underlying Active Directory groups that correspond to each role.

Note that when you create a role, users who are later added to the underlying Active Directory group gain the abilities of that role.

Assigning Roles to Users

Each Lync Server role is associated with an underlying Active Directory security group, which is created in Active Directory when you deploy Lync Server. Any users who you add to the underlying group gain the abilities of that role.

The examples in the preceding section both created a new role and assigned a group to it. To assign an existing role to one or more users, add those users to the group associated with the role. You can add both individual users and security groups to these role groups.

For example, the CsAdministrator role is automatically granted to the CS Administrators security group in Active Directory. This security group is created in Active Directory when you deploy Lync Server. To grant a user or group this privilege, you can simply add them to the CS Administrators group.

Planning for RBAC

For each person who is to be given any kind of administrative rights for your Lync Server deployment, consider exactly which tasks they need to perform, then assign them to roles with the least privilege and scope necessary for their job.

Users who have the CsAdministrator role can create all types of roles, including roles based on CsAdministrator, and assign users to them. The best practice is to assign the CsAdministrator role to a very small set of trusted users.

Cmdlets Permitted for Predefined Roles

The following sections list the cmdlets that each predefined role is permitted to run.

CsAdministrator

The CsAdministrator role is permitted to run all cmdlets.

CsUserAdministrator

The CsUserAdministrator role is permitted to run the cmdlets in the following table.

Disable-CsUser

Enable-CsUser

Get-CsAdUser

Get-CsUserPoolInfo

Move-CsUser

Move-CsLegacyUser

Set-CsUser

Grant-CsClientPolicy

Grant-CsClientVersionPolicy

Grant-CsConferencingPolicy

Grant-CsDialPlan

Grant-CsExternalAccessPolicy

Grant-CsHostedVoicemailPolicy

Grant-CsLocationPolicy

Grant-CsPinPolicy

Grant-CsVoicePolicy

Get-CsArchivingPolicy

Get-CsClientPolicy

Get-CsClientVersionPolicy

Get-CsConferencingPolicy

Get-CsExternalAccessPolicy

Get-CsHostedVoicemailPolicy

Get-CsLocationPolicy

Get-CsPinPolicy

Get-CsVoicePolicy

Get-CsClientPinInfo

Unlock-CsClientPin

Lock-CsClientPin

Set-CsClientPin

Get-CsClientVersionConfiguration

Get-CsDialPlan

Get-CsSite

Get-CsComputer

Get-CsNetworkInterface

Get-CsPool

Get-CsService

Get-CsSipDomain

Revoke-CsClientCertificate

Get-CsManagementStoreReplicationStatus

Get-CsAdContact

Get-CsUserAcp

Set-CsUserAcp

Remove-CsUserAcp

Get-CsArchivingConfiguration

Get-CsPresencePolicy

Grant-CsPresencePolicy

Get-CsWindowsService

Get-CsPstnUsage

Get-CsRoutingConfiguration

Set-CsCommonAreaPhone

Remove-CsCommonAreaPhone

Get-CsCommonAreaPhone

New-CsCommonAreaPhone

Move-CsCommonAreaPhone

Set-CsAnalogDevice

Move-CsAnalogDevice

Remove-CsAnalogDevice

Get-CsAnalogDevice

New-CsAnalogDevice

Move-CsExUmContact

Set-CsExUmContact

Remove-CsExUmContact

Get-CsExUmContact

New-CsExUmContact

CsVoiceAdministrator

The CsVoiceAdministrator role is permitted to run the cmdlets listed in the following table.

Remove-CsNetworkSite

Remove-CsNetworkSubnet

Set-CsNetworkBandwidthPolicyProfile

Set-CsNetworkInterRegionRoute

Set-CsNetworkInterSitePolicy

Set-CsNetworkRegion

Set-CsNetworkRegionLink

Set-CsNetworkSite

Set-CsNetworkSubnet

Get-CsVoicemailReroutingConfiguration

Set-CsVoicemailReroutingConfiguration

Remove-CsVoicemailReroutingConfiguration

New-CsVoicemailReroutingConfiguration

Get-CsTrunkConfiguration

Set-CsTrunkConfiguration

Remove-CsTrunkConfiguration

New-CsTrunkConfiguration

Get-CsOutboundTranslationRule

Set-CsOutboundTranslationRule

Remove-CsOutboundTranslationRule

New-CsOutboundTranslationRule

Get-CsPstnUsage

Set-CsPstnUsage

Get-CsVoiceRoute

Set-CsVoiceRoute

Remove-CsVoiceRoute

New-CsVoiceRoute

Get-CsRoutingConfiguration

Set-CsRoutingConfiguration

Remove-CsRoutingConfiguration

Get-CsDialPlan

Set-CsDialPlan

Remove-CsDialPlan

New-CsDialPlan

Get-CsVoiceNormalizationRule

Set-CsVoiceNormalizationRule

Remove-CsVoiceNormalizationRule

New-CsVoiceNormalizationRule

Get-CsVoicePolicy

Set-CsVoicePolicy

Remove-CsVoicePolicy

New-CsVoicePolicy

Get-CsVoiceTestConfiguration

Set-CsVoiceTestConfiguration

Remove-CsVoiceTestConfiguration

New-CsVoiceTestConfiguration

Get-CsVoiceConfiguration

Set-CsVoiceConfiguration

Remove-CsVoiceConfiguration

Get-CsUCPhoneConfiguration

Set-CsUCPhoneConfiguration

Remove-CsUCPhoneConfiguration

Get-CsEnhancedEmergencyServiceDisclaimer

New-CsUCPhoneConfiguration

Get-CsHostedVoicemailPolicy

Set-CsHostedVoicemailPolicy

Remove-CsHostedVoicemailPolicy

New-CsHostedVoicemailPolicy

Test-CsP2PAV

New-CsAnalogDevice

Move-CsAnalogDevice

Get-CsAnalogDevice

Get-CsExUmContact

Set-CsExUmContact

Move-CsExUmContact

New-CsExUmContact

Remove-CsAnalogDevice

Remove-CsCommonAreaPhone

Remove-CsExUmContact

Set-CsAnalogDevice

Set-CsCommonAreaPhone

New-CsCommonAreaPhone

Move-CsCommonAreaPhone

Test-CsVoiceNormalizationRule

Test-CsDialPlan

Test-CsVoiceRoute

Test-CsVoicePolicy

Test-CsVoiceTestConfiguration

Test-CsVoiceUser

Test-CsTrunkConfiguration

Get-CsDeviceUpdateRule

Remove-CsDeviceUpdateRule

Approve-CsDeviceUpdateRule

Reset-CsDeviceUpdateRule

Restore-CsDeviceUpdateRule

Clear-CsDeviceUpdateFile

Clear-CsDeviceUpdateLog

Get-CsDeviceUpdateConfiguration

Set-CsDeviceUpdateConfiguration

New-CsDeviceUpdateConfiguration

Remove-CsDeviceUpdateConfiguration

Get-CsTestDevice

Set-CsTestDevice

New-CsTestDevice

Remove-CsTestDevice

Get-CsManagementStoreReplicationStatus

Test-CsLisCivicAddress

Test-CsLisConfiguration

Debug-CsLisConfiguration

Export-CsLisConfiguration

Test-CsLocationPolicy

Test-CsPhoneBootStrap

Test-CsPstnOutboundCall

Test-CsPstnPeerToPeerCall

Unlock-CsClientPin

Unpublish-CsLisConfiguration

Set-CsPstnGateway

Set-CsQoEConfiguation

Get-CsNetworkConfiguration

Set-CsRgsAgentGroup

Set- CSRgsHoursofBusiness

Set-CsRgsConfiguration

Set-CsRgsHolidaySet

Set-CsRgsQueue

Set-CsRgsWorkflow

Get-CsAdContact

Get-CsAdUser

Get-CsAudioTestServiceApplication

Get-CsBandwidthPolicyServiceConfiguration

Get-CsClientPinInfo

Get-CommonAreaPhone

Get-CpsConfiguration

Get-CsEnhancedEmergencyServiceDisclaimer

Get-CsLisCivicAddress

Get-CsLisLocation

Get-CsLisPort

Get-CsLisServiceProvider

Get-CsLisSubnet

Get-CsLisSwitch

Get-CsLisWirelessAccessPoint

Get-CsLocationPolicy

Get-CsMediaConfiguration

Get-CsNetworkConfiguration

Get-CsQOEConfiguration

Get-PinPolicy

Get-CsRgsAgentGroup

Get-CsRgsHoursOfBusiness

Get-CsRgsConfiguration

Get-CsRgsHolidaySet

Get-CsRgsQueue

Get-CsRgsWorkflow

Get-CsUserPoolInfo

Get-CsWebServiceConfiguration

Get-CsWindowsService

Grant-CsDialPlan

Grant-CsHostedVoicemailPolicy

Grant-CsLocationPolicy

Grant-CsVoicePolicy

Import-CsLisConfiguration

Import-CsRgsAudioFile

Lock-CsClientPin

Move-CsApplicationEndpoint

Move-CsConferenceDirectory

Move-CsRgsConfiguration

New-CsRgsAgentGroup

New-CsQoEConfiguration

New-CsNetworkMediaBypassConfiguration

New-CsNetworkBWPolicy

New-CsNetworkBWAlternatePath

Get-CsSipResponseCodeTranslationRule

New-CsSipResponseCodeTranslationRule

Set-CsSipResponseCodeTranslationRule

Remove-CsSipResponseCodeTranslationRule

New-CsMediaConfiguration

New-CsLocationPolicy

New-CsCpsConfiguration

New-CsBandwidthPolicyServiceConfiguration

New-CsRgsAnswer

New-CSRgsCallAction

New-CSRgsHoliday

New-CSRgsHolidaySet

New-CSRgsHoursOfBusiness

New-CSRgsQuestion

New-CSRgsQueue

New-CSRgsTimeRange

New-CSRgsWorkflow

New-CSRgsPrompt

New-CsRoutingConfiguration

New-CsVoiceRegex

Publish-CsLisConfiguration

Remove-CsBandwidthPolicyServiceConfiguration

Remove-CsCpsConfiguration

Remove-CsEnhancedEmergencyServiceDisclaimer

Remove-CsLisLocation

Remove-CsLisPort

Remove-CsLisServiceProvider

Remove-CsLisSubnet

Remove-CsLisSwitch

Remove-CsLisWirelessAccessPoint

Remove-CsLocationPolicy

Remove-CsMediaConfiguration

Remove-CsNetworkBandwidthPolicyProfile

Remove-CsNetworkConfiguration

Remove-CsQoEConfiguration

Remove-CSRgsAgentGroup

Remove-CSRgsHolidaySet

Remove-CSRgsHoursOfBusiness

Remove-CSRgsQueue

Remove-CSRgsWorkflow

Set-CsAudioTestServiceApplication

Set-CsBandwidthPolicyServiceConfiguration

Set-CsNetworkConfiguration

Set-CsMediationServer

Set-CsMediaConfiguration

Set-CsLocationPolicy

Set-CsLisWirelessAccessPoint

Set-CsLisSwitch

Set-CsLisSubnet

Set-CsLisServiceProvider

Set-CsLisPort

Set-CsLisLocation

Set-CsEnhancedEmergencyServiceDisclaimer

Set-CsCpsConfiguration

Set-CsClientPin

CsServerAdministrator

The CsServerAdministrator role is permitted to run the cmdlets listed in the following table.

Get-CsApplicationEndpoint

Get-CsPresencePolicy

Set-CsPresencePolicy

New-CsPresencePolicy

Remove-CsPresencePolicy

Get-CsWindowsService

Start-CsWindowsService

Stop-CsWindowsService

Get-CsCertificate

Get-CsAccessEdgeConfiguration

Get-CsAddressBookConfiguration

Get-CsAllowedDomain

Get-CsAnnouncement

Get-CsArchivingConfiguration

Get-CsArchivingPolicy

Get-CsAVEdgeConfiguration

Get-CsBandwidthPolicyServiceConfiguration

Get-CsBlockedDomain

Get-CsCallParkOrbit

Get-CsCdrConfiguration

Get-CsClientPolicy

Get-CsClientVersionConfiguration

Get-CsClientVersionPolicy

Get-CsConferenceDirectory

Get-CsConferenceDisclaimer

Get-CsConferencingConfiguration

Get-CsConferencingPolicy

Get-CsCpsConfiguration

Get-CsDeviceUpdateConfiguration

Get-CsDeviceUpdateRule

Get-CsDiagnosticConfiguration

Get-CsDiagnosticHeaderConfiguration

Get-CsDialInConferencingAccessNumber

Get-CsDialInConferencingConfiguration

Get-CsDialInConferencingDtmfConfiguration

Get-CsDialInConferencingLanguageList

Get-CsDialPlan

Get-CsEnhancedEmergencyServiceDisclaimer

Get-CsExternalAccessPolicy

Get-CsTrustedApplication

Get-CsTrustedApplicationEndpoint

Get-CsExUmContact

Get-CsFileTransferFilterConfiguration

Get-CsHealthMonitoringConfiguration

Get-CsHostedVoicemailPolicy

Get-CsHostingProvider

Get-CsImFilterConfiguration

Get-CsLisCivicAddress

Debug-CsLisConfiguration

Get-CsLisLocation

Get-CsLisPort

Get-CsLisServiceProvider

Get-CsLisSubnet

Get-CsLisSwitch

Get-CsLisWirelessAccessPoint

Get-CsLocationPolicy

Get-CsManagementConnection

Get-CsManagementStoreReplicationStatus

Get-CsMediaConfiguration

Get-CsMeetingConfiguration

Get-CsNetworkBandwidthPolicyProfile

Get-CsNetworkInterRegionRoute

Get-CsNetworkInterSitePolicy

Get-CsNetworkRegion

Get-CsNetworkRegionLink

Get-CsNetworkSite

Get-CsNetworkSubnet

Get-CsNetworkConfiguration

Get-CsOutboundTranslationRule

Get-CsPstnUsage

Get-CsPinPolicy

Get-CsPrivacyConfiguration

Get-CsProxyConfiguration

Get-CsPublicProvider

Get-CsQoEConfiguration

Get-CsRegistrarConfiguration

Get-CsRgsAgentGroup

Get-CsRgsHoursOfBusiness

Get-CsRgsConfiguration

Get-CsRgsHolidaySet

Get-CsRgsQueue

Get-CsRgsWorkflow

Get-CsRoutingConfiguration

Get-CsServerApplication

Get-CsSimpleUrlConfiguration

Get-CsSipDomain

Get-CsStaticRoutingConfiguration

Get-CsTestDevice

Get-CsTrunkConfiguration

Get-CsUCPhoneConfiguration

Get-CsUserReplicatorConfiguration

Get-CsUserServicesConfiguration

Get-CsUnassignedNumber

Get-CsVoiceConfiguration

Get-CsVoicemailReroutingConfiguration

Get-CsVoiceNormalizationRule

Get-CsVoicePolicy

Get-CsVoiceRoute

Get-CsVoiceTestConfiguration

Get-CsWebServiceConfiguration

Get-CsComputer

Get-CsPool

Get-CsService

Get-CsSite

Get-CsTopology

Get-CsNetworkInterface

Set-CsAccessEdgeConfiguration

Set-CsAddressBookConfiguration

New-CsAddressBookConfiguration

Remove-CsAddressBookConfiguration

Set-CsAllowedDomain

New-CsAllowedDomain

Remove-CsAllowedDomain

Set-CsAnnouncement

New-CsAnnouncement

Remove-CsAnnouncement

Set-CsAVEdgeConfiguration

New-CsAVEdgeConfiguration

Remove-CsAVEdgeConfiguration

Set-CsBandwidthPolicyServiceConfiguration

New-CsBandwidthPolicyServiceConfiguration

Remove-CsBandwidthPolicyServiceConfiguration

Set-CsBlockedDomain

New-CsBlockedDomain

Remove-CsBlockedDomain

Set-CsCallParkOrbit

New-CsCallParkOrbit

Remove-CsCallParkOrbit

Set-CsCdrConfiguration

New-CsCdrConfiguration

Remove-CsCdrConfiguration

Set-CsClientPolicy

New-CsClientPolicy

Remove-CsClientPolicy

Set-CsClientVersionConfiguration

New-CsClientVersionConfiguration

Remove-CsClientVersionConfiguration

New-CsConferenceDirectory

Remove-CsConferenceDirectory

Move-CsConferenceDirectory

Set-CsConferenceDisclaimer

Remove-CsConferenceDisclaimer

Set-CsConferencingConfiguration

New-CsConferencingConfiguration

Remove-CsConferencingConfiguration

Set-CsConferencingPolicy

New-CsConferencingPolicy

Remove-CsConferencingPolicy

Set-CsCpsConfiguration

New-CsCpsConfiguration

Remove-CsCpsConfiguration

Set-CsDeviceUpdateConfiguration

New-CsDeviceUpdateConfiguration

Remove-CsDeviceUpdateConfiguration

Remove-CsDeviceUpdateRule

Set-CsDiagnosticConfiguration

New-CsDiagnosticConfiguration

Remove-CsDiagnosticConfiguration

Set-CsDiagnosticHeaderConfiguration

New-CsDiagnosticHeaderConfiguration

Remove-CsDiagnosticHeaderConfiguration

Set-CsDialInConferencingAccessNumber

New-CsDialInConferencingAccessNumber

Remove-CsDialInConferencingAccessNumber

Set-CsDialInConferencingConfiguration

New-CsDialInConferencingConfiguration

Remove-CsDialInConferencingConfiguration

Set-CsDialInConferencingDtmfConfiguration

New-CsDialInConferencingDtmfConfiguration

Remove-CsDialInConferencingDtmfConfiguration

Set-CsDialPlan

New-CsDialPlan

Remove-CsDialPlan

Set-CsEnhancedEmergencyServiceDisclaimer

Remove-CsEnhancedEmergencyServiceDisclaimer

Set-CsExternalAccessPolicy

New-CsExternalAccessPolicy

Remove-CsExternalAccessPolicy

Set-CsTrustedApplication

New-CsTrustedApplication

Remove-CsTrustedApplication

Set-CsTrustedApplicationEndpoint

New-CsTrustedApplicationEndpoint

Remove-CsTrustedApplicationEndpoint

Set-CsExUmContact

New-CsExUmContact

Move-CsExUmContact

Remove-CsExUmContact

Set-CsFileTransferFilterConfiguration

New-CsFileTransferFilterConfiguration

Remove-CsFileTransferFilterConfiguration

Set-CsHealthMonitoringConfiguration

New-CsHealthMonitoringConfiguration

Remove-CsHealthMonitoringConfiguration

Set-CsHostedVoicemailPolicy

New-CsHostedVoicemailPolicy

Remove-CsHostedVoicemailPolicy

Set-CsHostingProvider

New-CsHostingProvider

Remove-CsHostingProvider

Set-CsImFilterConfiguration

New-CsImFilterConfiguration

Remove-CsImFilterConfiguration

Set-CsLisLocation

Remove-CsLisLocation

Set-CsLisPort

Remove-CsLisPort

Set-CsLisServiceProvider

Remove-CsLisServiceProvider

Set-CsLisSubnet

Remove-CsLisSubnet

Set-CsLisSwitch

Remove-CsLisSwitch

Set-CsLisWirelessAccessPoint

Remove-CsLisWirelessAccessPoint

Set-CsLocationPolicy

New-CsLocationPolicy

Remove-CsLocationPolicy

Set-CsManagementConnection

Remove-CsManagementConnection

Set-CsMediaConfiguration

New-CsMediaConfiguration

Remove-CsMediaConfiguration

Set-CsMeetingConfiguration

New-CsMeetingConfiguration

Remove-CsMeetingConfiguration

Set-CsNetworkBandwidthPolicyProfile

New-CsNetworkBandwidthPolicyProfile

Remove-CsNetworkBandwidthPolicyProfile

Set-CsNetworkInterRegionRoute

New-CsNetworkInterRegionRoute

Remove-CsNetworkInterRegionRoute

Set-CsNetworkInterSitePolicy

New-CsNetworkInterSitePolicy

Remove-CsNetworkInterSitePolicy

Set-CsNetworkRegion

New-CsNetworkRegion

Remove-CsNetworkRegion

Set-CsNetworkRegionLink

New-CsNetworkRegionLink

Remove-CsNetworkRegionLink

Set-CsNetworkSite

New-CsNetworkSite

Remove-CsNetworkSite

Set-CsNetworkSubnet

New-CsNetworkSubnet

Remove-CsNetworkSubnet

Set-CsOutboundTranslationRule

New-CsOutboundTranslationRule

Remove-CsOutboundTranslationRule

Set-CsPstnUsage

Set-CsPinPolicy

New-CsPinPolicy

Remove-CsPinPolicy

Set-CsPrivacyConfiguration

New-CsPrivacyConfiguration

Remove-CsPrivacyConfiguration

Set-CsProxyConfiguration

New-CsProxyConfiguration

Remove-CsProxyConfiguration

Set-CsPublicProvider

New-CsPublicProvider

Remove-CsPublicProvider

Set-CsQoEConfiguration

New-CsQoEConfiguration

Remove-CsQoEConfiguration

Set-CsRegistrarConfiguration

New-CsRegistrarConfiguration

Remove-CsRegistrarConfiguration

Set-CsRgsAgentGroup

New-CsRgsAgentGroup

Remove-CsRgsAgentGroup

Set-CsRgsHoursOfBusiness

Remove-CsRgsHoursOfBusiness

New-CsRgsHoursOfBusiness

Set-CsRgsConfiguration

Move-CsRgsConfiguration

Set-CsRgsHolidaySet

New-CsRgsHolidaySet

Remove-CsRgsHolidaySet

Set-CsRgsQueue

New-CsRgsQueue

Remove-CsRgsQueue

Set-CsRgsWorkflow

New-CsRgsWorkflow

Remove-CsRgsWorkflow

Set-CsRoutingConfiguration

New-CsRoutingConfiguration

Remove-CsRoutingConfiguration

Set-CsServerApplication

New-CsServerApplication

Remove-CsServerApplication

Set-CsSimpleUrlConfiguration

New-CsSimpleUrlConfiguration

Remove-CsSimpleUrlConfiguration

Set-CsSipDomain

New-CsSipDomain

Remove-CsSipDomain

Set-CsStaticRoutingConfiguration

New-CsStaticRoutingConfiguration

Remove-CsStaticRoutingConfiguration

Set-CsTestDevice

New-CsTestDevice

Remove-CsTestDevice

Set-CsTrunkConfiguration

New-CsTrunkConfiguration

Remove-CsTrunkConfiguration

Set-CsUCPhoneConfiguration

New-CsUCPhoneConfiguration

Remove-CsUCPhoneConfiguration

Set-CsUserReplicatorConfiguration

New-CsUserReplicatorConfiguration

Remove-CsUserReplicatorConfiguration

Set-CsUserServicesConfiguration

New-CsUserServicesConfiguration

Remove-CsUserServicesConfiguration

Set-CsUnassignedNumber

New-CsUnassignedNumber

Remove-CsUnassignedNumber

Set-CsVoiceConfiguration

Remove-CsVoiceConfiguration

Set-CsVoicemailReroutingConfiguration

New-CsVoicemailReroutingConfiguration

Remove-CsVoicemailReroutingConfiguration

Set-CsVoiceNormalizationRule

New-CsVoiceNormalizationRule

Remove-CsVoiceNormalizationRule

Set-CsVoicePolicy

New-CsVoicePolicy

Remove-CsVoicePolicy

Set-CsVoiceRoute

New-CsVoiceRoute

Remove-CsVoiceRoute

Set-CsVoiceTestConfiguration

New-CsVoiceTestConfiguration

Remove-CsVoiceTestConfiguration

Set-CsWebServiceConfiguration

New-CsWebServiceConfiguration

Remove-CsWebServiceConfiguration

Approve-CsDeviceUpdateRule

Reset-CsDeviceUpdateRule

Restore-CsDeviceUpdateRule

Enable-CsHostingProvider

Disable-CsHostingProvider

Test-CsLisCivicAddress

Test-CsLisConfiguration

Export-CsLisConfiguration

Import-CSLisConfiguration

Publish-CSLisConfiguration

UnPublish-CSLisConfiguration

Test-CSLocationPolicy

Enable-CSPublicProvider

Disable-CSPublicProvider

Test-CSVoiceNormalizationRule

Test-CSVoicePolicy

Test-CSVoiceRoute

Test-CSVoiceTestConfiguration

Test-CsFederatedPartner

Test-CsGroupExpansion

Test-CsAddressBookService

Test-CsAddressBookWebQuery

Test-CsAVConference

Test-CsClientAuth

Test-CsDialInConferencing

Test-CsGroupIM

Test-CsIM

Test-CsPresence

Test-CsRegistration

Test-CsP2PAV

Test-CsPhoneBootstrap

Test-CsPstnOutboundCall

Test-CsPstnPeerToPeerCall

Test-CsVoiceUser

Test-CsDialPlan

Test-CsTrunkConfiguration

Clear-CsDeviceUpdateFile

Clear-CsDeviceUpdateLog

Get-CsAdContact

Get-CsAdminRole

Get-CsAdminRoleAssignment

Get-CsAdUser

Get-CsAnalogDevice

Get-CsAudioTestServiceApplication

Get-CsClientCertificate

Get-CsClientPinInfo

Get-CsClientVersionPolicyRule

Get-CsCommonAreaPhone

New-CsCommonAreaPhone

Move-CsCommonAreaPhone

Remove-CsCommonAreaPhone

Set-CsCommonAreaPhone

Get-CsRgsHoursOfBusiness

Get-CsTrustedApplicationComputer

Get-CsTrustedApplicationPool

Get-CsUser

Get-CsUserAcp

Get-CsUserDatabaseState

Get-CsUserPoolInfo

Import-CSAnnouncementFile

Import-CsConfiguration

Import-CSRgsAudioFile

Export-CsConfiguration

Invoke-CsManagementStoreReplication

Move-CsApplicationEndpoint

New-CsAnalogDevice

Move-CsAnalogDevice

New-CsClientPolicyEntry

New-CsClientVersionPolicy

New-CsClientVersionPolicyRule

New-CsDiagnosticsFilter

New-CsIssuedCertId

New-CsNetworkBWAlternatePath

New-CsNetworkBWPolicy

New-CsNetworkMediaBypassConfiguration

New-CSRgsAnswer

New-CSRgsCallAction

New-CSRgsHoliday

New-CSRgsQuestion

New-CSRgsTimeRange

New-CSRgsPrompt

New-CsSimpleUrl

New-CsSimpleUrlEntry

New-CsSipProxyCustom

New-CsSipProxyRealm

New-CsSipProxyTCP

New-CsSipProxyTLS

New-CsSipProxyTransport

New-CsSipProxyUseDefault

New-CsSipProxyUseDefaultCert

New-CsStaticRoute

New-CsTrustedApplicationComputer

New-CsTrustedApplicationPool

New-CsVoiceRegex

New-CsWebTrustedCACertificate

Remove-CsAnalogDevice

ReMove-CsClientVersionPolicy

ReMove-CsClientVersionPolicyRule

ReMove-CsNetworkConfiguration

ReMove-CsTrustedApplicationComputer

ReMove-CsTrustedApplicationPool

Set-CsAnalogDevice

Set-CsApplicationServer

Set-CsAudioTestServiceApplication

Set-CsCallParkServiceMusicOnHoldFile

Set-CsClientVersionPolicy

Set-CsClientVersionPolicyRule

Set-CsConferenceServer

Set-CsDirector

Set-CsEdgeServer

Set-CsManagementServer

Set-CsMediationServer

Set-CsMonitoringServer

Set-CsNetworkConfiguration

Set-CsPstnGateway

Set-CsRegistrar

Set-CsSite

Set-CsTrustedApplicationPool

Set-CsUserDatabaseState

Set-CsUserServer

Set-CsWebServer

Update-CsAddressBook

Update-CsUserDatabase

Get-CsSipResponseCodeTranslationRule

New-CsSipResponseCodeTranslationRule

Set-CsSipResponseCodeTranslationRule

Remove-CsSipResponseCodeTranslationRule

CsViewOnlyAdministrator

The CsViewOnlyAdministrator role is permitted to run the cmdlets listed in the following table.

Get-CsAccessEdgeConfiguration

Get-CsAddressBookConfiguration

Get-CsAllowedDomain

Get-CsAnnouncement

Get-CsArchivingConfiguration

Get-CsArchivingPolicy

Get-CsAVEdgeConfiguration

Get-CsBandwidthPolicyServiceConfiguration

Get-CsBlockedDomain

Get-CsCallParkOrbit

Get-CsCdrConfiguration

Get-CsClientPolicy

Get-CsClientVersionConfiguration

Get-CsClientVersionPolicy

Get-CsConferenceDirectory

Get-CsConferenceDisclaimer

Get-CsConferencingConfiguration

Get-CsConferencingPolicy

Get-CsCpsConfiguration

Get-CsDeviceUpdateConfiguration

Get-CsDeviceUpdateRule

Get-CsDiagnosticConfiguration

Get-CsDiagnosticHeaderConfiguration

Get-CsDialInConferencingAccessNumber

Get-CsDialInConferencingConfiguration

Get-CsDialInConferencingDtmfConfiguration

Get-CsDialInConferencingLanguageList

Get-CsDialPlan

Get-CsExternalAccessPolicy

Get-CsTrustedApplication

Get-CsTrustedApplicationEndpoint

Get-CsExUmContact

Get-CsFileTransferFilterConfiguration

Get-CsHealthMonitoringConfiguration

Get-CsHostedVoicemailPolicy

Get-CsHostingProvider

Get-CsImFilterConfiguration

Get-CsLisCivicAddress

Debug-CsLisConfiguration

Get-CsLisLocation

Get-CsLisPort

Get-CsLisServiceProvider

Get-CsLisSubnet

Get-CsLisSwitch

Get-CsLisWirelessAccessPoint

Get-CsLocationPolicy

Get-CsManagementConnection

Get-CsManagementStoreReplicationStatus

Get-CsMediaConfiguration

Get-CsMeetingConfiguration

Get-CsNetworkBandwidthPolicyProfile

Get-CsNetworkRInteregionRoute

Get-CsNetworkInterSitePolicy

Get-CsNetworkRegion

Get-CsNetworkRegionLink

Get-CsNetworkSite

Get-CsNetworkSubnet

Get-CsOutboundTranslationRule

Get-CsPstnUsage

Get-CsPinPolicy

Get-CsPrivacyConfiguration

Get-CsProxyConfiguration

Get-CsPublicProvider

Get-CsQoEConfiguration

Get-CsRegistrarConfiguration

Get-CsRgsAgentGroup

Get-CsRgsConfiguration

Get-CsRgsHolidaySet

Get-CsRgsQueue

Get-CsRgsWorkflow

Get-CsRgsHoursOfBusiness

Get-CsRoutingConfiguration

Get-CsServerApplication

Get-CsSimpleUrlConfiguration

Get-CsSipDomain

Get-CsStaticRoutingConfiguration

Get-CsTestDevice

Get-CsTrunkConfiguration

Get-CsUCPhoneConfiguration

Get-CsUserReplicatorConfiguration

Get-CsUserServicesConfiguration

Get-CsUnassignedNumber

Get-CsVoicemailReroutingConfiguration

Get-CsVoiceNormalizationRule

Get-CsVoicePolicy

Get-CSVoiceRoute

Get-CSVoiceTestConfiguration

Get-CSWebServiceConfiguration

Get-CSComputer

Get-CSPool

Get-CSSite

Get-CSService

Test-CSNetworkInterface

Test-CSSetupPermission

Get-CSTopology

Get-CSAnalogDevice

Get-CSCommonAreaPhone

Get-CSCertificate

Get-CSWindowsService

Get-CSAdUser

Get-CSUser

Get-CSClientPinInfo

Get-CSVoiceConfiguration

Get-CsPresencePolicy

Get-CsAdContact

Get-CsAudioTestServiceApplication

Get-CsClientCertificate

Get-CsClientVersionPolicyRule

Get-CsTrustedApplicationComputer

Get-CsTrustedApplicationPool

Get-CsUserAcp

Get-CsUserDatabaseState

Get-CsUserPoolInfo

Get-CsSipResponseCodeTranslationRule

CsHelpDesk

The CsHelpDesk role is permitted to run the cmdlets listed in the following table.

Get-CsAccessEdgeConfiguration

Get-CsAddressBookConfiguration

Get-CsAllowedDomain

Get-CsAnnouncement

Get-CsArchivingConfiguration

Get-CsArchivingPolicy

Get-CsAVEdgeConfiguration

Get-CsBandwidthPolicyServiceConfiguration

Get-CsBlockedDomain

Get-CsCallParkOrbit

Get-CsCdrConfiguration

Get-CsClientPolicy

Get-CsClientVersionConfiguration

Get-CsClientVersionPolicy

Get-CsConferenceDirectory

Get-CsConferenceDisclaimer

Get-CsConferencingConfiguration

Get-CsConferencingPolicy

Get-CsCpsConfiguration

Get-CsDeviceUpdateConfiguration

Get-CsDeviceUpdateRule

Get-CsDiagnosticConfiguration

Get-CsDiagnosticHeaderConfiguration

Get-CsDialInConferencingAccessNumber

Get-CsDialInConferencingConfiguration

Get-CsDialInConferencingDtmfConfiguration

Get-CsDialInConferencingLanguageList

Get-CsDialPlan

Get-CsEnhancedEmergencyServiceDisclaimer

Get-CsExternalAccessPolicy

Get-CsTrustedApplication

Get-CsTrustedApplicationEndpoint

Get-CsExUmContact

Get-CsFileTransferFilterConfiguration

Get-CsHealthMonitoringConfiguration

Get-CsHostedVoicemailPolicy

Get-CsHostingProvider

Get-CsImFilterConfiguration

Get-CsLisCivicAddress

Get-CsLisConfiguration

Get-CsLisLocation

Get-CsLisPort

Get-CsLisServiceProvider

Get-CsLisSubnet

Get-CsLisSwitch

Get-CsLisWirelessAccessPoint

Get-CsLocationPolicy

Get-CsManagementConnection

Get-CsManagementStoreReplicationStatus

Get-CsMediaConfiguration

Get-CsMeetingConfiguration

Get-CsNetworkBandwidthPolicyProfile

Get-CsNetworkInterRegionRoute

Get-CsNetworkInterSitePolicy

Get-CsNetworkRegion

Get-CsNetworkRegionLink

Get-CsNetworkSite

Get-CsNetworkSubnet

Get-CsNetworkConfiguration

Get-CsOutboundTranslationRule

Get-CsPstnUsage

Get-CsPinPolicy

Get-CsPrivacyConfiguration

Get-CsProxyConfiguration

Get-CsPublicProvider

Get-CsQoEConfiguration

Get-CsRegistrarConfiguration

Get-CsRgsAgentGroup

Get-CsRgsHoursOfBusiness

Get-CsRgsConfiguration

Get-CsRgsHolidaySet

Get-CsRgsQueue

Get-CsRgsWorkflow

Get-CsRoutingConfiguration

Get-CsServerApplication

Get-CsSimpleUrlConfiguration

Get-CsSipDomain

Get-CsStaticRoutingConfiguration

Get-CsTestDevice

Get-CsTrunkConfiguration

Get-CsUCPhoneConfiguration

Get-CsUserReplicatorConfiguration

Get-CsUserServicesConfiguration

Get-CsUnassignedNumber

Get-CsVoiceConfiguration

Get-CsVoicemailReroutingConfiguration

Get-CsVoiceNormalizationRule

Get-CsVoicePolicy

Get-CsVoiceRoute

Get-CsVoiceTestConfiguration

Get-CsWebServiceConfiguration

Get-CsComputer

Get-CsPool

Get-CsService

Get-CsSite

Get-CsTopology

Get-CsAnalogDevice

Get-CsCommonAreaPhone

Get-CsAdUser

Get-CsUser

Get-CSClientPinInfo

Lock-CSClientPin

Unlock-CSClientPin

Set-CSClientPin

Get-CSClientVersionPolicyRule

Get-CSWindowsService

Get-CsNetworkInterface

Get-CsPresencePolicy

Test-CsFederatedPartner

Test-CsGroupExpansion

Test-CsAddressBookService

Test-CsAddressBookWebQuery

Test-CsAVConference

Test-CsClientAuth

Test-CsDialInConferencing

Test-CsTrunkConfiguration

Test-CsGroupIM

Test-CsIM

Test-CsPresence

Test-CsRegistration

Test-CsPhoneBootstrap

Test-CsP2PAV

Test-CsPstnOutboundCall

Test-CsPstnPeerToPeerCall

Test-CsVoiceUser

Get-CsAdContact

Get-CsRgsHoursOfBusiness

Get-CsUserAcp

Get-CsUserPoolInfo

Get-CsAudioTestServiceApplication

Get-CsSipResponseCodeTranslationRule

CsArchivingAdministrator

The CsArchivingAdministrator role is permitted to run the cmdlets listed in the following table.

New-CsArchivingPolicy

Get-CsArchivingPolicy

Set-CsArchivingPolicy

Remove-CsArchivingPolicy

Grant-CsArchivingPolicy

New-CsArchivingConfiguration

Get-CsArchivingConfiguration

Set-CsArchivingConfiguration

Remove-CsArchivingConfiguration

Get-CsUser

Export-CsArchivingData

Get-CsSite

Get-CsService

Get-CsPool

Get-CsComputer

Get-CsNetworkInterface

Get-CsManagementStoreReplicationStatus

Get-CSWindowsService

Get-CsUserPoolInfo

Set-CsArchivingServer

CsResponseGroupAdministrator

The CsResponseGroupAdministrator role is permitted to run the cmdlets listed in the following table.

Get-CsRgsAgentGroup

Get-CsRgsHoursofBusiness

Get-CsRgsConfiguration

Get-CsRgsHolidaySet

Get-CsRgsQueue

Get-CsRgsWorkflow

Get-CsService

Get-CsUser

Import-CsRgsAudioFile

Move-CsRgsConfiguration

New-CsRgsAgentGroup

New-CsRgsAnswer

New-CsRgsHoursofBusiness

New-CsRgsCallAction

New-CsRgsHoliday

New-CsRgsHolidaySet

New-CsRgsQuestion

New-CsRgsQueue

New-CsRgsTimeRange

New-CsRgsWorkflow

New-CsRgsPrompt

Remove-CsRgsAgentGroup

Remove-CsRgsHoursofBusiness

Remove-CsRgsHolidaySet

Remove-CsRgsQueue

Remove-CsRgsWorkflow

Set-CsRgsAgentGroup

Set- CSRgsHoursofBusiness

Set-CsRgsConfiguration

Set-CsRgsHolidaySet

Set-CsRgsQueue

Set-CsRgsWorkflow

Get-CsSite

Get-CsPool

Get-CsComputer

Get-CsWindowsService

Get-CsNetworkInterface

Get-CsManagementStoreReplicationStatus

Get-CsUserPoolInfo

CsLocationAdministrator

The CsLocationAdministrator role is permitted to run the cmdlets listed in the following table.

Get-CsNetworkSite

Get-CsNetworkSubnet

Get-CsNetworkRegion

Get-CsNetworkBandwidthPolicyProfile

New-CsNetworkSite

New-CsNetworkSubnet

Remove-CsNetworkSite

Remove-CsNetworkSubnet

Set-CsNetworkSite

Set-CsNetworkSubnet

Get-CsLisCivicAddress

Test-CsLisCivicAddress

Debug-CsLisConfiguration

Publish-CsLisConfiguration

Unpublish-CsLisConfiguration

Get-CsLisLocation

Remove-CsLisLocation

Set-CsLisLocation

Get-CsLisPort

Remove-CsLisPort

Set-CsLisPort

Get-CsLisSubnet

Remove-CsLisSubnet

Set-CsLisSubnet

Get-CsLisSwitch

Remove-CsLisSwitch

Set-CsLisSwitch

Get-CsLisWirelessAccessPoint

Remove-CsLisWirelessAccessPoint

Set-CsLisWirelessAccessPoint

Get-CsSite

Get-CsService

Get-CsPool

Get-CsUser

Get-CsComputer

Get-CsWindowsService

Get-CsNetworkInterface

Get-CsManagementStoreReplicationStatus

Get-CsUserPoolInfo

Get-CsLocationPolicy

Grant-CsLocationPolicy

Export-CsLisConfiguration

Get-CsLisServiceProvider

Get-CsWebServiceConfiguration

Import-CsLisConfiguration

Test-CsLisConfiguration

Test-CsLocationPolicy

Share via

Role-Based Access Control

Better Server Security and Centralization

Roles and Scope

Predefined Administrative Roles

Creating a Role

Assigning Roles to Users

Planning for RBAC

Cmdlets Permitted for Predefined Roles

CsAdministrator

CsUserAdministrator

CsVoiceAdministrator

CsServerAdministrator

CsViewOnlyAdministrator

CsHelpDesk

CsArchivingAdministrator

CsResponseGroupAdministrator

CsLocationAdministrator

Additional resources