Understanding Management Roles
Applies to: Exchange Server 2010
Management roles are part of the role based access control (RBAC) permissions model used in Microsoft Exchange Server 2010. Roles act as a logical grouping of cmdlets that are combined to provide access to view or modify the configuration of Exchange 2010 components, such as mailboxes, transport rules, and recipients. Management roles can be further combined into larger groupings called management role groups and management role assignment policies, which enable management of feature areas and recipient configuration. Role groups and role assignment policies assign permissions to administrators and end users, respectively. For more information about management role groups and management role assignment policies, see Understanding Role Based Access Control.
Contents
Built-in Management Roles
Unscoped Top Level Management Roles
Custom Management Roles
Management Role Hierarchy
Management Role Entries
Unscoped Top Level Role Entries
Management Role Types
Management role scopes and management role assignments are important components for the operation of management roles. For more information about these components, see the following topics:
Built-in Management Roles
Exchange 2010 provides many built-in management roles that you can use to administer your organization. Each role includes the cmdlets and parameters necessary for users to manage specific Exchange components. The following are examples of some built-in management roles:
- Reset Password Enables administrators to send end-user passwords.
- Transport Rules Enables administrators or specialist users assigned the role to manage the transport rules feature.
- Distribution Groups Enables administrators or specialist users assigned the role to manage distribution groups and distribution group members.
For a complete list of the management roles included with Exchange 2010, see Built-in Management Roles.
You can take the built-in roles that are provided with Exchange 2010 and combine them in any way to create a permissions model that works with your business. For example, if you want members of a role group to manage recipients and change their passwords, you assign both the Mail Recipients and Reset Password roles to the role group. Most often, you assign roles to role groups or role assignment policies. You can also assign management roles directly to users if you want to control permissions at a granular level. We recommend that you use role groups and role assignment policies rather than direct user role assignment to simplify your permissions model.
Note
You can only assign end-user management roles to role assignment policies.
Built-in management roles can't be changed. You can, however, create management roles based on the built-in management roles, and then assign those new roles to role groups or role assignment policies. You can then change the new management roles to suit your needs. Doing so is an advanced task that you should rarely, if ever, have to do.
For more information about creating custom roles based on the built-in Exchange roles, see Custom Management Roles later in this topic.
You need to assign management roles for them to take effect. Most often, you assign management roles to role groups and role assignment policies. In certain circumstances, you might also assign roles directly to users, although this is an advanced task that you should rarely, if ever, need to do.
For more information about assigning management roles, see the following topics:
- Assigning roles to a role group Add a Role to a Role Group
- Assigning roles to a role assignment policy Add a Role to an Assignment Policy
- Assigning roles directly to a user Add a Role to a User or USG.
For more information about management role assignments, see Understanding Management Role Assignments.
Return to top
Unscoped Top Level Management Roles
Unscoped top level management roles are a special type of management role that enables you to grant access to custom scripts and non-Exchange cmdlets to users using RBAC. Regular management roles provide access only to Exchange cmdlets. If you need to provide access to non-Exchange cmdlets that run on an Exchange server, or if you need to publish a script that can be run by your users, you need to add them to an unscoped role. They're called a top level role because when a new unscoped role is first created without deriving from another parent role, it has no parent and is a peer of the built-in management roles provided with Exchange 2010. To indicate that you want to create an unscoped top level role entry, you need to use the UnscopedTopLevel switch with the New-ManagementRole cmdlet.
Unscoped roles are named as such because, unlike regular management roles, they can't be scoped to a specific target. Unscoped roles are always organization wide. This means that someone who's assigned an unscoped role can modify any object in the Exchange 2010 organization. For this reason, care must be taken to make sure that scripts and cmdlets made available through an unscoped role are thoroughly tested so that you know what they will modify, and that you carefully assign unscoped roles.
Unscoped roles can be assigned to role assignees such as role groups, management roles, users, and universal security groups (USG). They can't be assigned to management role assignment policies.
Although Exchange cmdlets can't be added as a management role entry on an unscoped role, they can be included in scripts added as role entries. This enables you to create custom scripts that perform Exchange tasks that you can then assign to users. A useful scenario is where a user must perform a highly privileged task that normally falls outside his or her administrative level and where crafting a new management role or role group would be problematic. You can create a script that performs this specific function, add it to an unscoped role, and then assign the unscoped role to the user. The user can then perform only the specific function provided by the script.
The role entries that you add to an unscoped role must also be designated as an unscoped top level role entry. For more information about unscoped top level role entries, see Unscoped Top Level Role Entries later in this topic.
The Organization Management role group doesn't, by default, have permissions to create or manage unscoped role groups. This is to prevent unscoped role groups from mistakenly being created or modified. The Organization Management role group can delegate the Unscoped Role Management management role to itself and other role assignees. For more information about how to create an unscoped top level management role, see Create an Unscoped Role.
Return to top
Custom Management Roles
You can create custom management roles that are based on built-in Exchange roles when the built-in management roles don't match the needs of your users. When you create a custom management role, the new child role inherits all of the management role entries of the parent role. You can then choose which management role entries you want to keep in the custom management role and remove all of the entries you don't want.
Custom roles become children of the role used to create the new role. You can only use management role entries in the new child role that exist in the parent role. For more information, see the following sections later in this topic:
- Management Role Hierarchy
- Management Role Entries
Creating custom management roles requires multiple steps and is an advanced task that you should rarely, if ever, need to perform. Before you create a custom management role, make sure one of the existing built-in management roles doesn't provide the permissions you need. For more information about the built-in management roles, or if you want to create custom management roles, see the following topics:
For more information about how to create a new management role, see Create a Role.
Return to top
Management Role Hierarchy
Management roles exist in a parent and child hierarchy. At the top of the hierarchy are the built-in management roles that are provided in Exchange 2010 by default. When you create a new role, a copy of a parent role is made. The new role is a child of the role you copied from. You can then customize the new role to suit the needs of the administrators or users you want to assign it to.
Customized roles can be used to create new roles. When you create a new role from an existing customized role, the existing customized role remains a child of its parent role, but also becomes the parent for the new role. Each time a role is copied, the new child role can contain only the role entries that exist in the immediate parent role.
Each management role is given a role type that can't be changed. The role type defines the base context of use for the role. The role type is copied from the parent role when the child role is created.
Management role hierarchy
The preceding figure illustrates the hierarchical relationship of several management roles. The Mail Recipients and Help Desk roles are built-in roles. All of the child roles derived from these roles inherit the role type of each built-in role. For example, all child roles derived either directly or indirectly from the Mail Recipients role inherit the MailRecipients
role type.
The Seattle Recipient Administrators custom role is a child of the Mail Recipients built-in role but it's also the parent of the Seattle Sales Recipient Administrators custom role and the Seattle Legal Recipient Administrators custom role. The Seattle Recipient Administrators custom role contains only a subset of cmdlets that are available in the Mail Recipients role. The child roles of the Seattle Recipients Administrators custom role can only contain cmdlets that also exist in that role. For example, if a cmdlet exists in the Mail Recipients role, but the cmdlet doesn't exist in the Seattle Recipients Administrators custom role, the cmdlet can't be added to the Seattle Sales Recipients Administrators custom role.
All of the custom roles follow the same pattern as the roles discussed previously. For more information about how access to cmdlets is controlled on management roles, see Management Role Entries next in this topic.
Return to top
Management Role Entries
Every management role, whether it’s a custom Exchange role or an unscoped role, must have at least one management role entry. An entry consists of a single cmdlet and its parameters, a script, or a special permission that you want to make available. If a cmdlet or script doesn't appear as an entry on a management role, that cmdlet or script isn't accessible via that role. Likewise, if a parameter doesn't exist in an entry, the parameter on that cmdlet or script isn't accessible via that role.
Exchange 2010 enables you to manage role entries based on built-in Exchange management top level roles and role entries based on unscoped top level management roles. Roles based on built-in Exchange top level roles can only contain role entries that are Exchange 2010 cmdlets. To add custom scripts or non-Exchange cmdlets so that your users can use them, you need to add them as unscoped role entries to an unscoped top level role. For more information about unscoped role entries, see Unscoped Top Level Role Entries later in this topic.
All role entries, regardless of whether the role entry is an Exchange cmdlet-based role entry or an unscoped role entry, adhere to the same principles explained in the following sections.
For more information about managing role entries, see Management Roles and Role Entries.
Parent and Child Management Role Relationship
As mentioned previously, a management role entry, including the cmdlet and its parameters, must exist in the immediate parent role to add the entry to the child role. For example, if the parent role doesn’t have an entry for New-Mailbox, the child role can't be assigned that cmdlet. Additionally, if Set-Mailbox is on the parent role but the Database parameter has been removed from the entry, the Database parameter on the Set-Mailbox cmdlet can't be added to the entry on the child role.
Because you can't add management role entries to child roles if the entries don't appear in parent roles, and because the role is based on a specific role type, you must carefully choose the parent role to copy when you want to create a new customized role.
Return to top
Management Role Entry Names
Management role entry names are a combination of the management role that they're associated with, and the name of the cmdlet or script. The role name and the cmdlet or script are separated by a backslash character (\). For example, the role entry name for the Set-Mailbox cmdlet on the Mail Recipients role is Mail Recipients\Set-Mailbox
. If the name of a role entry contains spaces, enclose the entire name in quotation marks (").
The wildcard character (*) can be used in the role entry name to return all of the role entries that match the input you provide. The wildcard character can be used on either side of the backslash character. The following table contains a few variations on how you can use the wildcard character in a role entry name.
Management role entry name with wildcard characters
Example | Description |
---|---|
|
Returns a list of all role entries for all roles. |
|
Returns a list of all role entries that contain the Set-Mailbox cmdlet. |
|
Returns a list of all role entries on the Mail Recipients role. |
|
Returns a list of all role entries on the Mail Recipients role that end in Mailbox. |
|
Returns a list of all role entries that contain the string Group in the cmdlet name for all roles that begin with |
Unscoped Top Level Role Entries
Unscoped top level role entries are used with unscoped top level management roles to create roles based on custom scripts or non-Exchange cmdlets. Each unscoped role entry is associated with a single custom script or a non-Exchange cmdlet. To indicate that you want to create an unscoped role entry on an unscoped role, you need to specify the UnscopedTopLevel parameter on the New-ManagementRoleEntry cmdlet.
When you add the unscoped role entry, you need to specify all of the parameters that can be used with the script or non-Exchange cmdlet. Exchange attempts to verify the parameters that you provide when you add the role entry. Only the parameters that you add to the role entry when it's created will be available to the users assigned to the unscoped role. If you add parameters to the script or non-Exchange cmdlet, or if a parameter is renamed, you must update the role entry manually. Exchange doesn't check whether existing parameters on an unscoped role entry have changed. If a parameter on a role entry changes in a script and you try to use that parameter, the command fails.
Scripts that you add to an unscoped role entry must reside in the Exchange 2010 scripts directory on every server where administrators and users connect using the Exchange Management Shell. If you try to add an unscoped role entry based on a script that doesn't exist in the Exchange 2010 scripts directory on the server you're using to add the role entry, an error occurs. The default installation of the Exchange 2010 scripts directory is C:\Program Files\Microsoft\Exchange Server\V14\Scripts.
Non-Exchange cmdlets that you add to an unscoped role entry must be installed on every Exchange 2010 server where administrators and users connect using the Shell and want to use the cmdlets. If you try to add an unscoped role entry based on a non-Exchange cmdlet that isn't installed on the Exchange 2010 server you're using to add the role entry, an error occurs. When you add a non-Exchange cmdlet, you must specify the Windows PowerShell snap-in name that contains the non-Exchange cmdlet.
For more information about how to add an unscoped management role entry, see Add a Role Entry to a Role.
Return to top
Management Role Types
Management role types are the foundation of all management roles. Types define the implicit scopes defined on all management roles of a specified role type and also act as a logical grouping of related roles. All management roles derived from the parent built-in management role have the same role type. Refer to the Management role hierarchy figure earlier in this topic for an illustration of this relationship. Management role types also represent the maximum set of cmdlets and their parameters that can be added to a role associated with an associated role type.
Management role types are split into the following categories:
- Administrative or specialist Roles associated with an administrative or specialist role type have a broader scope of impact in the Exchange organization. Roles of this role type enable tasks such as server or recipient management, organization configuration, compliance administration, auditing, and more.
- User-focused Roles that are associated with a user-focused role type have a scope of impact closely tied with an individual user. Roles of this role type enable tasks such as user profile configuration and self management, management of user-owned distribution groups, and more.
The names of roles associated with user-focused role types and user-focused role type names begin withMy
. - Specialty Roles associated with specialty role types enable tasks that don't aren't administrative or user-focused role types. Roles of this role type enable tasks such as application impersonation and the use of non-Exchange cmdlets or scripts.
The following table lists all of the administrative management role types in Exchange 2010 and whether the configuration that's permitted by the role type is applied across the whole Exchange organization or only to an individual server. For more information about each of the management roles associated with these role types, including a description of each role, who may benefit from being assigned the role, and other information, see Built-in Management Roles.
Administrative role types
Management role type | Description | Organization or Server |
---|---|---|
|
This role type is associated with roles that enable administrators to configure Active Directory permissions in an organization. Some features that use Active Directory permissions or an access control list (ACL) include transport Receive and Send connectors, and Send As and send on behalf of permissions for mailboxes.
Note:
Permissions set directly on Active Directory objects may not be enforced through RBAC.
|
Organization |
|
This role type is associated with roles that enable administrators to manage address lists, global address list (GALs), and offline address lists in an organization. |
Organization |
|
This role type is associated with roles that enable administrators to manage cmdlet extension agents in an organization. |
Organization |
|
This role type is associated with roles that enable administrators to manage database availability groups in an organization. Administrators assigned this role either directly or indirectly are the highest level administrators responsible for the high availability configuration in an organization. |
Organization |
|
This role type is associated with roles that enable administrators to manage database copies on individual servers. |
Server |
|
This role type is associated with roles that enable administrators to create, manage, mount, and dismount mailbox and public folder databases on individual servers. |
Server |
|
This role type is associated with roles that enable administrators to restore mailboxes and database availability groups in an organization. |
Organization |
|
This role type is associated with roles that enable administrators to create and manage distribution groups and distribution group members in an organization. |
Organization |
|
This role type is associated with roles that enable administrators to manage edge synchronization and subscription configuration between Edge Transport servers and Hub Transport servers in an organization. |
Organization |
|
This role type is associated with roles that enable administrators to manage e-mail address policies in an organization. |
Organization |
|
This role type is associated with roles that enable administrators to manage connectors that aren't Send and Receive connectors in an organization. These connectors include routing group connectors and delivery agent connectors. |
Organization |
|
This role type is associated with roles that enable administrators to create, import, export, and manage Exchange server certificates on individual servers. |
Server |
|
This role type is associated with roles that enable administrators to manage Exchange server configuration on individual servers. |
Server |
|
This role type is associated with roles that enable administrators to manage Microsoft Office Outlook Web App, Microsoft ActiveSync, offline address book (OAB), Autodiscover, Windows PowerShell, and Web administration interface virtual directories on individual servers. |
Server |
|
This role type is associated with roles that enable administrators to manage cross-forest and cross-organization sharing in an organization. |
Organization |
|
This role type is associated with roles that enable administrators to manage the Information Rights Management (IRM) features of Exchange in an organization. |
Organization |
|
This role type is associated with roles that enable administrators to manage journaling configuration in an organization. |
Organization |
|
This role type is associated with roles that enable administrators to configure whether data within a mailbox should be retained for litigation purposes in an organization. |
Organization |
|
This role type is associated with roles that enable administrators to search the content of one or more mailboxes in an organization. |
Organization |
|
This role type is associated with roles that enable administrators to configure whether individual public folders are mail-enabled or mail-disabled in an organization. This role type enables you to manage the e-mail properties of public folders only. It doesn't enable you to manage non-e-mail properties of public folders. To manage non-email properties of public folders, you need to be assigned a role that's associated with the |
Organization |
|
This role type is associated with roles that enable administrators to create mailboxes, mail users, mail contacts, distribution groups, and dynamic distribution groups in an organization. Roles associated with this role type can be combined with roles associated with the This role type doesn't enable you to mail-enable public folders. To mail-enable public folders, you must be assigned a role associated with the If your organization maintains a split permissions model where recipient creation is performed by a different group than those who perform recipient management, assign the |
Organization |
|
This role type is associated with roles that enable administrators to manage existing mailboxes, mail users, mail contacts, distribution groups, and dynamic distribution groups in an organization. Roles associated with this role type can't create these recipients but can be combined with roles associated with the This role type doesn't enable you to manage mail-enabled public folders or distribution groups. To manage mail-enabled public folders, you must be assigned a role associated with the If your organization maintains a split permissions model where recipient creation is performed by a different group than those who perform recipient management, assign the |
Organization |
|
This role type is associated with roles that enable administrators to manage mail tips in an organization. |
Organization |
|
This role type is associated with roles that enable administrators to track messages in an organization. |
Organization |
|
This role type is associated with roles that enable administrators to migrate mailboxes and mailbox content into or out of a server. |
Server |
|
This role type is associated with roles that enable administrators to monitor the Microsoft Exchange services and component availability in an organization. In addition to administrators, roles associated with this role type can be used with the service account used by monitoring applications to collect information about the state of Exchange servers. |
Organization |
|
This role type is associated with roles that enable administrators to move mailboxes between servers in an organization and between servers in the local organization and another organization. |
Organization |
|
This role type is associated with roles that enable administrators to manage Client Access server settings in an organization. |
Organization |
|
This role type is associated with roles that enable administrators to manage organization-wide settings in an organization. Organization configuration that can be controlled with this role type include the following and more:
This role type doesn't include the permissions included in the |
Organization |
|
This role type is associated with roles that enable administrators to manage organization-wide transport settings, such as system messages, site configuration, and other organization-wide transport settings in an organization. This role doesn't enable you to create or manage transport Receive or Send connectors, queues, hygiene, agents, remote and accepted domains, or rules. To create or manage each of the transport features, you must be assigned roles associated with the following role types:
|
Organization |
|
This role type is associated with roles that enable administrators to manage POP3 and IMAP4 configuration, such as authentication and connection settings, on individual servers. |
Server |
|
This role type is associated with roles that enable administrators to start and stop public folder replication in an organization. |
Organization |
|
This role type is associated with roles that enable administrators to manage public folders in an organization. This role type doesn't enable you to manage whether public folders are mail-enabled or manage public folder replication. To mail-enable or disable a public folder, you must be assigned a role associated with the |
Organization |
|
This role type is associated with roles that enable administrators to manage transport Receive connector configuration, such as size limits on an individual server. |
Server |
|
This role type is associated with roles that enable administrators to manage recipient policies, such as provisioning policies, in an organization. |
Organization |
|
This role type is associated with roles that enable administrators to manage remote and accepted domains in an organization. |
Organization |
|
This role type is associated with roles that enable users to reset their own passwords and administrators to reset users' passwords in an organization. |
Organization |
|
This role type is associated with roles that enable administrators to manage retention policies in an organization. |
Organization |
|
This role type is associated with roles that enable administrators to manage management role groups, role assignment policies, management roles, role entries, assignments, and scopes in an organization. Users assigned roles associated with this role type can override the role group managed by property, configure any role group, and add or remove members to or from any role group. |
Organization |
|
This role type is associated with roles that enable administrators to create and manage USGs and their memberships in an organization. If your organization maintains a split permissions model where USG creation and management is performed by a different group than those who manage Exchange servers, assign roles associated with this role type to that group. |
Organization |
|
This role type is associated with roles that enable administrators to manage transport Send connectors in an organization. |
Organization |
|
This role type is associated with roles that enable administrators to perform advanced diagnostics under the direction of Microsoft support services in an organization.
Caution:
Roles associated with this role type grant permissions to cmdlets and scripts that should only be used under the direction of Microsoft Customer Service and Support.
|
Organization |
|
This role type is associated with roles that enable administrators to manage transport agents in an organization. |
Organization |
|
This role type is associated with roles that enable administrators to manage antivirus and anti-spam features in an organization. |
Organization |
|
This role type is associated with roles that enable administrators to manage transport queues on an individual server. |
Server |
|
This role type is associated with roles that enable administrators to manage transport rules in an organization. |
Organization |
|
This role type is associated with roles that enable administrators to manage the Unified Messaging (UM) configuration of mailboxes and other recipients in an organization. |
Organization |
|
This role type is associated with roles that enable administrators to create and manage custom UM voice prompts in an organization. |
Organization |
|
This role type is associated with roles that enable administrators to manage Unified Messaging servers in an organization. This role doesn't enable you to manage UM-specific mailbox configuration or UM prompts. To manage UM-specific mailbox configuration, use roles associated with the |
Organization |
|
This role type is associated with roles that enable administrators to create and manage unscoped top level management roles in an organization. |
Organization |
|
This role type is associated with roles that enable administrators to view the Outlook Web App options of a user in an organization. Roles associated with this role type can be used to help a user with diagnosing problems with his or her configuration. |
Organization |
|
This role type is associated with roles that enable administrators to view all of the non-recipient Exchange configuration settings in an organization. Examples of configuration that are viewable are server configuration, transport configuration, database configuration, and organization-wide configuration. Roles associated with this role type can be combined with roles associated with the |
Organization |
|
This role type is associated with roles that enable administrators to view the configuration of recipients, such as mailboxes, mail users, mail contacts, distribution groups, and dynamic distribution groups. Roles associated with this role type can be combined with roles associated with the |
Organization |
The following table lists all of the user-focused management role types in Exchange 2010.
User-focused role types
Management role type | Description |
---|---|
|
This role type is associated with roles that enable individual users to view and modify the basic configuration of their own mailbox and associated settings. |
|
This role type is associated with roles that enable individual users to modify their contact information. This information includes their address and phone numbers. |
|
This role type is associated with roles that enable individual users to view and modify their membership in distribution groups in an organization, provided that those distribution groups allow manipulation of group membership. |
|
This role type is associated with roles that enable individual users to create, modify, and view distribution groups and modify, view, remove, and add members to distribution groups they own. |
|
This role type is associated with roles that enable individual users to view and modify their e-mail subscription settings such as message format and protocol defaults. |
|
This role type is associated with roles that enable individual users to modify their name. |
|
This role type is associated with roles that enable individual users to view their retention tags and view and modify their retention tag settings and defaults. |
|
This role type is associated with roles that enable individual users to create, view, and modify their text messaging settings. |
|
This role type is associated with roles that enable individual users to view and modify their voice mail settings. |
Return to top