Understanding Exclusive Scopes
Applies to: Exchange Server 2010
Exclusive scopes are a special type of explicit management scope that can be associated with management role assignments. Exclusive scopes are designed to enable situations where you have a group of highly valuable objects, such as a CEO mailbox, and you want to tightly control who has access.
A role assignment that has an exclusive scope is called an exclusive role assignment.
When you create an exclusive scope, only those who are assigned that exclusive scope, or an equivalent exclusive scope, can modify the objects that match the scope. Role assignees who aren't assigned that exclusive scope, or an equivalent, can't modify the objects that match the scope, even if their own roles have scopes that would otherwise include the objects. Exclusive scopes override any other regular scope that isn't exclusive. This behavior is similar to how a deny access control entry (ACE) on an Active Directory access control list (ACL) functions.
An equivalent exclusive scope refers to another exclusive scope that matches some of the same objects as another exclusive scope. The scopes don't have to match the same complete set of objects. Both scopes may be able to modify some, or all, of the objects that match them.
Creating Exclusive Scopes
Exclusive scopes can be created like any other explicit scope. You can specify a prebuilt relative scope, a recipient filter, a server filter, or a server list. Unlike regular scopes, which don't take effect until you associate a scope to a management role assignment, the deny aspect of an exclusive scope takes effect immediately. This means that as soon as an exclusive scope is created, the objects contained within that scope are immediately no longer accessible by any user until the role assignment has been created.
After the assignment has been created, the exclusive scope provides access to those assigned the management role and scope. If another equivalent exclusive scope matches the same objects, the role assignment associated with that exclusive scope is still able to access the objects.
For more information about management scope filters, see Understanding Management Role Scope Filters.
Important
Active Directory replication times should be taken into account when making changes to any management role components, including exclusive scopes.
If you have objects contained within more than one exclusive scope, being assigned to any one of the exclusive scopes provides access to the objects. For more information, see Exclusive and Regular Scope Interaction later in this topic.
Exclusive scopes control only the explicit recipient or configuration write scope of a role assignment. The implicit recipient or configuration read scope of the role assigned to a user or group still applies. This means that the following applies:
- Those assigned a role continue to see objects that match the role's implicit read scope.
- Those assigned other roles may be able to see objects contained within an exclusive scope, if the read scopes of the other roles include the objects. However, the objects can only be modified by those who are assigned a role associated with the exclusive scope.
Exclusive scopes can only be used with administrative or specialist roles and can't be used with end-user roles. For more information about roles, see Understanding Management Roles.
Exclusive and Regular Scope Interaction
The figure at the end of this section illustrates how exclusive scopes interact with each other, and with regular scopes. The users in the figure all have the following attributes associated with them.
User | City | Title | Department |
---|---|---|---|
Terry |
Vancouver |
Accountant |
Accounting |
David |
Vancouver |
Writer |
Marketing |
Walter |
Vancouver |
Manager |
Marketing |
Bob |
Vancouver |
CEO |
Board |
Christine |
Vancouver |
President |
Board |
Fred |
Vancouver |
CFO |
Executives |
Martin |
Vancouver |
CIO |
Executives |
Kim |
Vancouver |
Vice President, Operations |
Executives |
Jennifer |
Vancouver |
Vice President, Technology |
Executives |
The following three management role assignments in the figure manage the users in the preceding table. Each has an associated scope, some of which are exclusive scopes.
Role assignment | Scope filter | Exclusive or regular |
---|---|---|
Recipient Administrators |
City = Vancouver |
Regular |
VIP Administrators |
Title = CEO or CFO or CIO or President |
Exclusive |
Executive Administrators |
Department = Executives |
Exclusive |
The Recipient Administrators role assignment has a scope that matches all of the users because every user is located in Vancouver. Without any exclusive scopes, this would mean that the Recipient Administrators role assignment could manage any of the users. However, this organization has created two exclusive scopes: VIP Administrators and Executive Administrators. These exclusive scopes restrict who can manage the users that match their respective scope filters. The VIP Administrators role assignment has a scope filter that matches any user who has a title of CEO, CFO, CIO, or President. The Executive Administrators role assignment has a scope filter that matches any user who is in the Executives department.
When the regular and exclusive scopes are evaluated, the following is the result:
- The Recipient Administrators role assignment can manage the users Terry, David, and Walter. This role assignment can't manage any of the other users because they match the exclusive scope filters of the VIP Administrators and Executive Administrators role assignments.
- The VIP Administrators role assignment can manage the users Bob, Christine, Fred, and Martin. This is because the exclusive scope filter associated with this role assignment matches the attributes on these objects. This role assignment can't manage the users Kim and Jennifer because their attributes don't match this exclusive scope.
- The Executive Administrators role assignment can manage the users Kim, Jennifer, Fred, and Martin. This is because the exclusive scope filter associated with this role assignment matches the attributes on these objects. This role assignment can't manage the users Bob and Christine because their attributes don't match this exclusive scope.
Notice that Fred and Martin are accessible by both exclusive scopes. This is because the attributes on these users match the filters of both exclusive scopes.
Interaction between exclusive scopes and regular scopes
For more information about management scopes, see Understanding Management Role Scopes.