Troubleshooting RBAC

(or determining RBAC Permissions)

  • Get-ManagementScope – displays defined scopes, or details of a individual scope.
  • Get-ManagementRole
    • GetChildren – enumerate roles of immediate children
    • Recurse – enumerate roles of children and the children of those roles
    • Cmdlet – enumerate roles include this specific cmdlet
    • CmdletParameters – enumerate roles include this specific parameter
    • RoleType
  • Get-ManagementRoleEntry – shows all the role entries in a Management role (Ex: Get-ManagementRoleentry “Recipient Policies\*”)
  • Get-RoleGroup – shows all the groups or if you specify one with –ID will give you details on that group
  • Get-RoleGroupMember – shows all the group’s members (ex: Get-RoleGroupMember “Organization Management”)
  • Get-RoleAssignmentPolicy – Shows the role assignment policies
  • Get-ManagementRoleAssignment
    • Examples: 
      • Get-ManagementRoleAssignment –Role “Organization Configuration” –GetEffectiveUser –Delegating $False | FL Name, RoleAssigneeName, EffectiveUserName, AssignmentChain (shows the users and groups that have Org Config RBAC permissions)
      • Get-ManagementRoleAssignment -WritableRecipient administrator –GetEffectiveUsers (shows the users that can make changes to administrator)

Note: As with all powershell commands you can use help cmdlet –examples to get more info (ex: help Get-ManagementRoleAssignment –Examples)



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s