The Lync RBAC architecture was supposed to solve all the flaws that OCS had around the inability to share administration tasks among multiple business/organizational entities, such as delegating strictly scoped tasks to lower-privileged administrators. With Lync most of these issues are perfectly resolved. However, some of the RBAC limitations are still painful when Lync is deployed in a huge multi-country international organization, where administrative access to Lync has to be controlled according to the company's security procedures.
Even if site-specific delegations are made to separate admin groups, a couple of configuration steps can still only be run by the almighty Lync administrator:
- simple things like device updates (which really affect only a particular FE/pool, not the whole organization) should be allowed via delegation, and should not require the almighty Lync administrator to upload/approve such updates
- voice features: call park (because call park orbit ranges must be unique this MAY be understandable, but the site-scoped CpsConfiguration should be allowed) and unassigned numbers (because number ranges must be unique this is acceptable, but not for the site-scoped configuration)
- site-scoped CsMediaConfiguration
- LIS config
- site-scoped client policy (I don't understand why this cannot be properly handled with delegation)
- DialInConferencingConfiguration (the same: even if it is scoped to a site, a delegated site admin does not have the privileges to create/modify it)
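
To see where a delegated role stands against the list above, the following added example (not code from the original post) reports which of the relevant cmdlets a role grants and which are missing. The cmdlet names are the standard Lync Server ones for these features; the role name, site name and sample role contents are constructed, and the handling of a `Name=` prefix on role entries is an assumption about how some versions render them. It needs PowerShell 3.0 or later.

```powershell
# Added example: audit a delegated role against the features listed above.
# Feature -> cmdlets a site admin would need for that feature.
$NeededCmdlets = [ordered]@{
    'Device updates'       = 'Import-CsDeviceUpdate', 'Approve-CsDeviceUpdateRule'
    'Call park'            = 'Set-CsCpsConfiguration', 'New-CsCallParkOrbit'
    'Unassigned numbers'   = 'New-CsUnassignedNumber'
    'Media configuration'  = 'Set-CsMediaConfiguration'
    'LIS'                  = 'Set-CsLisLocation'
    'Client policy'        = 'New-CsClientPolicy', 'Set-CsClientPolicy'
    'Dial-in conferencing' = 'New-CsDialInConferencingConfiguration',
                             'Set-CsDialInConferencingConfiguration'
}

function Get-RoleCoverage {
    param([Parameter(Mandatory)] $Role)
    # Normalise role entries to plain cmdlet names
    # (assumption: some versions render them as "Name=<cmdlet>").
    $granted = @($Role.Cmdlets | ForEach-Object { ("$_" -replace '^Name=', '').Trim() })
    foreach ($feature in $NeededCmdlets.Keys) {
        $missing = @($NeededCmdlets[$feature] | Where-Object { $granted -notcontains $_ })
        [pscustomobject]@{
            Role    = $Role.Identity
            Scopes  = ($Role.ConfigScopes -join ',')
            Feature = $feature
            Covered = ($missing.Count -eq 0)
            Missing = ($missing -join ', ')
        }
    }
}

# Constructed sample role so the script runs without a Lync deployment.
$sampleRole = [pscustomobject]@{
    Identity     = 'SiteA-VoiceAdmins'          # hypothetical role name
    ConfigScopes = @('site:SiteA')              # hypothetical site
    Cmdlets      = @('Get-CsCpsConfiguration', 'Set-CsCpsConfiguration',
                     'New-CsCallParkOrbit', 'Get-CsClientPolicy')
}
Get-RoleCoverage -Role $sampleRole | Format-Table -AutoSize

# In the Lync Server Management Shell, feed it a real role instead:
# Get-RoleCoverage -Role (Get-CsAdminRole -Identity 'SiteA-VoiceAdmins')
```

A feature reported as covered only means the role lists the cmdlets; whether the role's site scope lets them succeed still has to be tested with a member account of that role.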