As mentioned earlier, I am involved with several Lync implementations at the moment. During one of these implementations we ran into some issues with the Lync Response Groups. During the configuration of the Response Groups we could see them in the Lync Server Control Panel. However, a day later we noticed that the workflows, queues and Agent Groups were no longer displayed. Using some of the PowerShell commands available for Lync Server 2013 (see citing below), we noticed that the Agent Groups still existed in the database, as the configured Agent Groups, queues and workflows were returned by the PowerShell commands below (see picture below).
At first we thought this might be some kind of bug in Lync Server 2013, as this isn’t the first time that the GUI of a program is not showing data. However, when talking to some of the folks from Microsoft during the recent TechEd Europe conference, there wasn’t any clue or known issue, so we had to dig deeper into the problem.
Last week, while searching for a resolution to the issue, I stumbled upon a blog post by Phil Sharp. In this post Phil describes the possibility of creating custom RBAC roles in Lync Server 2013. Creating custom RBAC roles wasn’t part of the solution. However, Phil mentioned the two Active Directory groups which are involved in managing the Response Group features. As there are two groups (the Manager and the Administrator role), it is obvious that managing the Response Groups should be done by members of these groups.
When looking into these groups we noticed that the administrator account which we logged in with was placed directly into both Active Directory groups. So at first sight we thought this was the right way to configure the RBAC situation. However, after some searches without any results we decided to remove the administrator from the CsResponseGroupManager group. Doing this and refreshing the workflow page and the Lync control panel made the workflows, Agent Groups and queues reappear for the administrator.
CsResponseGroupAdministrator: Can manage the configuration of the Response Group application within a site.
CsResponseGroupManager: Can manage specific response groups.
The above-mentioned scenario means that the administrator does indeed have all permissions, but these permissions are overwritten by the managers group. Therefore it is necessary to add the administrator only to the CsResponseGroupAdministrator Active Directory group in order to make sure that the administrator is able to manage these groups. Managing these groups also means managing the unmanaged Lync Response Group workflows!
RBAC is a powerful solution, but you have to be careful about where accounts are added and which groups have permissions to manage certain configurations. This applies not only to the access-based groups but also to the functionality which is provided to the managers and administrators in Lync 2013, and in particular the Response Groups.
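To find accounts in the state described above, the following added example (not from the original post) lists users that are members of both CsResponseGroupAdministrator and CsResponseGroupManager. The function name Get-RgsRoleOverlap and the sample accounts are hypothetical; nested membership is included on the assumption that it has the same effect as the direct membership seen here.

```powershell
# Added example: report accounts that sit in BOTH Response Group RBAC groups.
# Get-RgsRoleOverlap is a hypothetical helper name, not a Lync cmdlet.
function Get-RgsRoleOverlap {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $AdminMembers,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $ManagerMembers
    )
    # Index manager members by SID; SIDs survive renames, names do not.
    $managerSids = @{}
    foreach ($m in $ManagerMembers) { $managerSids[[string]$m.SID] = $true }

    # Keep only user objects that also appear in the manager group.
    $AdminMembers |
        Where-Object { $_.objectClass -eq 'user' -and
                       $managerSids.ContainsKey([string]$_.SID) } |
        Sort-Object -Property SamAccountName -Unique
}

if (Get-Module -ListAvailable -Name ActiveDirectory) {
    # Live query. -Recursive also returns members of nested groups
    # (assumption: nested membership behaves like direct membership).
    Import-Module ActiveDirectory
    $admins   = @(Get-ADGroupMember -Identity 'CsResponseGroupAdministrator' -Recursive)
    $managers = @(Get-ADGroupMember -Identity 'CsResponseGroupManager' -Recursive)
} else {
    # Constructed sample data so the logic can be tried without a domain.
    $admins = @(
        [pscustomobject]@{ SamAccountName = 'lyncadmin'; SID = 'S-1-5-21-1-2-3-1105'; objectClass = 'user' }
        [pscustomobject]@{ SamAccountName = 'siteadmin'; SID = 'S-1-5-21-1-2-3-1106'; objectClass = 'user' }
    )
    $managers = @(
        [pscustomobject]@{ SamAccountName = 'lyncadmin'; SID = 'S-1-5-21-1-2-3-1105'; objectClass = 'user' }
        [pscustomobject]@{ SamAccountName = 'helpdesk1'; SID = 'S-1-5-21-1-2-3-1107'; objectClass = 'user' }
    )
}

$overlap = @(Get-RgsRoleOverlap -AdminMembers $admins -ManagerMembers $managers)
if ($overlap.Count -eq 0) {
    'No account is a member of both Response Group RBAC groups.'
} else {
    foreach ($account in $overlap) {
        # Report only; removing the account from CsResponseGroupManager
        # (the fix described in this post) is left to the operator.
        '{0} is in both CsResponseGroupAdministrator and CsResponseGroupManager' -f $account.SamAccountName
    }
}
```

With the constructed sample data, only lyncadmin is reported.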