Role Based Access Control (RBAC) isn’t a fad. It’s present in products like Exchange 2010 and is available extensively in the new System Center 2012 suite of products. In a nutshell, RBAC differs from the traditional administrative model, which was “this is the specific set of powers you have over all objects in the domain”. With RBAC you still have a set of specific powers, but those powers apply only within a limited scope.
I’m wildly speculating that one of the big changes that’s coming down the pipe with the release of Windows Server ‘8’ (I still think it will be called Windows Server 2012) will be the introduction of a greater RBAC structure for Windows Server and Active Directory administration.
The signs are partly there. We know that there is a massive increase in the number of PowerShell cmdlets available to administrators in the next release of Windows Server. It isn’t too long a bow to draw to assume that the structure of RBAC in Exchange 2010 (where you grant the use of specific cmdlets and parameters over a scope of specific Exchange objects) could work with Windows Server 2012. There will probably be the traditional Domain Admins and Enterprise Admins groups, but I’m also wildly speculating that you’ll have the ability to create management roles and scopes, being able to simply and easily create administrative groups that have more defined privileges over specific scopes than the current super-powered mega groups.
While you can sort of do this already using the Delegation of Control Wizard, using the Exchange model of collecting cmdlets and parameters for the “what you can do” and object scopes for the “where you can do it” would provide substantially more flexibility than the current system’s “this is the list of tasks you can delegate over this AD object and all its children”.
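The Exchange 2010 model described above, as an added example that is not part of the original post: a custom management role that exposes only two cmdlets (one of them limited to quota parameters), bound to a recipient scope through a role group. The role, scope and group names, the OU `contoso.com/Sydney` and the member `hd-alice` are hypothetical.

```powershell
# Added example: run in the Exchange Management Shell (Exchange 2010).
# All names below are hypothetical placeholders, not values from the post.
$role  = 'Helpdesk Mailbox Quota'
$scope = 'Sydney Mailboxes'
$group = 'Sydney Helpdesk'

# "What you can do": create a child of the built-in Mail Recipients role.
# A child role can only hold a subset of its parent's entries, never more.
New-ManagementRole -Name $role -Parent 'Mail Recipients'

# Strip every cmdlet except the two this job role needs.
$keep = 'Get-Mailbox', 'Set-Mailbox'
Get-ManagementRoleEntry "$role\*" |
    Where-Object { $keep -notcontains $_.Name } |
    Remove-ManagementRoleEntry -Confirm:$false

# Narrow Set-Mailbox to quota parameters only. -Parameters without
# -AddParameter/-RemoveParameter replaces the entry's parameter list.
Set-ManagementRoleEntry "$role\Set-Mailbox" -Parameters Identity,
    IssueWarningQuota, ProhibitSendQuota, ProhibitSendReceiveQuota,
    UseDatabaseQuotaDefaults

# "Where you can do it": user mailboxes under a single OU.
New-ManagementScope -Name $scope -RecipientRoot 'contoso.com/Sydney' `
    -RecipientRestrictionFilter { RecipientType -eq 'UserMailbox' }

# Bind role and scope together in a role group and add a member.
New-RoleGroup -Name $group -Roles $role `
    -CustomRecipientWriteScope $scope -Members 'hd-alice'

# Review the result: which cmdlets and parameters are granted, over which scope.
Get-ManagementRoleEntry "$role\*" |
    Format-Table Name, Parameters -AutoSize -Wrap
Get-ManagementRoleAssignment -RoleAssignee $group |
    Format-List Role, RecipientWriteScope, CustomRecipientWriteScope
```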
With RBAC in Windows Server 8, it will be possible to create administrative groups that are tailored to individual job roles, rather than Superman-level groups that allow you to do any job you want because they basically give you every permission that you’d ever need.
But again, this is all wildly uninformed speculation. Windows Server 8 is shipping with a heck of a lot of new PowerShell cmdlets. It just seems to make sense that the admin model used in products like Exchange 2010 will cross over and become the default model for managing traditional Windows Server administration.
Follow me on twitter: @orinthomas