9

Exchange 2010 has a delegation model where groups of WinRM cmdlets are essentially grouped into roles, and the roles are assigned to a user.

Exchange Roles Image (Image source)

This is a great & flexible model considering how I can leverage all the benefits of PowerShell, while using the right low level technologies (WCF, SOAP etc), and requiring no additional software on the client side.

image of how Exchange 2010 remote admin works (Image source)

Question(s)

  1. Is there a way for me to leverage Exchange's delegation model in my .NET application?

  2. Has anyone attempted to imitate this model?

  3. If I must start from scratch, how would I go about imitating this approach?

makerofthings7
  • Did you make any progress with this? I'm especially curious about how to implement the 'recipient/configuration with scope' part of the model. – Jacco May 21 '12 at 08:38

2 Answers

1

The two largest RBAC for .NET are NetSqlAzMan http://netsqlazman.codeplex.com/ and RhinoSecurity https://github.com/ayende/rhino-security

If you end up having to go the route of starting from scratch, you could use either of the above as a starting base.

Jared Shaver
1

Exchange is providing a constrained runspace, and there aren't actually any cmdlets available in that runspace. What appear to be cmdlets are actually proxy functions. Your capabilities in the runspace are controlled by limiting what proxy functions are provided, and what capabilities of each cmdlet are exposed by the proxy function.

Duplicating that would involve developing routines that populate the runspace with proxy functions tailored to the user requesting the runspace, based on the role groups they belong to. I don't see any reason AD groups couldn't be used as your role groups.

Implementation details would be application specific, but basically it means that you limit who can use which parameters of the cmdlets by choosing which parameters the proxy functions provided to that user will have and/or limiting what values the function will accept for particular parameters.

  • That makes sense; do you have more information on how I can create such a proxy function? I can figure out the AD / AzMan piece. – makerofthings7 Feb 22 '12 at 15:58
  • See if this helps: http://blogs.msdn.com/b/powershell/archive/2009/01/04/extending-and-or-modifing-commands-with-proxies.aspx –  Feb 22 '12 at 16:09
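The proxy-function approach described in the answer above, as an added example (not code from the post, the linked blog or Exchange). It assumes Windows PowerShell 5.1; `$RoleMap`, `New-RoleSessionState`, `Invoke-AsRole`, the role names and the host name `srv01` are hypothetical.

```powershell
# Constructed role map: role group -> cmdlet -> parameter -> allowed values ($null = any).
$RoleMap = @{
    HelpDesk = @{ 'Get-Service' = @{ Name = 'Spooler', 'W32Time' } }
    Operator = @{ 'Get-Service' = @{ Name = $null; DisplayName = $null }
                  'Get-Process' = @{ Name = $null } }
}

function New-RoleSessionState {
    param([Parameter(Mandatory)][string]$RoleGroup)
    $iss = [System.Management.Automation.Runspaces.InitialSessionState]::CreateDefault()
    # Real cmdlets stay loaded but private: callable from the proxies, not by the user.
    foreach ($entry in $iss.Commands) { $entry.Visibility = 'Private' }
    foreach ($cmdName in $RoleMap[$RoleGroup].Keys) {
        $allowed = $RoleMap[$RoleGroup][$cmdName]
        $cmdlet  = Get-Command -Name $cmdName -CommandType Cmdlet
        $meta    = [System.Management.Automation.CommandMetadata]::new($cmdlet)
        foreach ($param in @($meta.Parameters.Keys)) {
            $values = $allowed[$param]
            if (-not $allowed.ContainsKey($param)) {
                [void]$meta.Parameters.Remove($param)      # parameter not granted
            } elseif ($values) {                           # granted, but values pinned
                $set = [System.Management.Automation.ValidateSetAttribute]::new([string[]]$values)
                $meta.Parameters[$param].Attributes.Add($set)
            }
        }
        # Public proxy function with the cmdlet's name and the trimmed parameter list.
        $body = [System.Management.Automation.ProxyCommand]::Create($meta)
        $iss.Commands.Add([System.Management.Automation.Runspaces.SessionStateFunctionEntry]::new($cmdName, $body))
    }
    $iss
}

function Invoke-AsRole {
    param([string]$RoleGroup, [string]$Command, [hashtable]$Parameters = @{})
    $rs = [runspacefactory]::CreateRunspace((New-RoleSessionState -RoleGroup $RoleGroup))
    $ps = [powershell]::Create()
    try {
        $rs.Open()
        $ps.Runspace = $rs
        [void]$ps.AddCommand($Command).AddParameters($Parameters)
        $ps.Invoke()
    } finally { $ps.Dispose(); $rs.Dispose() }
}

Invoke-AsRole HelpDesk Get-Service @{ Name = 'Spooler' }    # granted parameter and value
# Rejected for HelpDesk: a value outside the pinned set, then a parameter the proxy lacks.
foreach ($p in @{ Name = '*' }, @{ ComputerName = 'srv01' }) {
    try { Invoke-AsRole HelpDesk Get-Service $p } catch { "Denied: $($_.Exception.Message)" }
}
```

Command visibility is only one layer: a production endpoint also has to restrict the language mode, external applications and scripts available in the runspace.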