Benefiting from Standardized Security Roles in Exchange

 

To help simplify the process of managing permissions, Exchange 2003 provides three predefined security roles that are available in the Exchange Administrative Delegation Wizard. These roles are a collection of standardized permissions that can be applied at either the organization or the administrative group level.

Note

For information about administrative groups, see "Creating and Managing Administrative Groups" earlier in this chapter.

When these roles are applied, the accounts or groups against which they are applied are immediately granted a set of standardized permissions on the object in question. Roles rely strongly on permission inheritance to make sure that permissions are applied consistently. When a role is applied, the standard permissions associated with that role are applied down the object hierarchy using inheritance.

Because the roles have been designed to meet the security requirements that are frequently found in an Exchange deployment, try to use these roles as much as possible.

The standard security roles that Exchange 2003 provides are:

  • Exchange Full Administrator   This role can fully administer Exchange system information and modify permissions. This role is appropriate for those who must be able to modify permissions, and view and administer Exchange configuration information.

  • Exchange Administrator   This role can fully administer Exchange system information. It differs from the Exchange Full Administrator role primarily in that it cannot modify permissions. This role is appropriate for those who must be able to view and administer Exchange configuration information without being able to modify permissions.

  • Exchange View Only Administrator   This role can view but cannot administer Exchange configuration information. This role is appropriate for those who must be able to view Exchange configuration information without being able to change that configuration information. As with the Exchange Administrator role, this role cannot modify permissions.

    Note

    The Exchange security roles should not be confused with security groups in Active Directory. The roles are a collection of standardized permissions that are applied to users or groups in Active Directory. The roles can best be thought of as a template, instead of as a security group.

Because these roles are a set of standardized permissions, unlike security groups, roles inherently supersede one another. Therefore, you do not have to apply both a higher and a lower privileged role. It is sufficient to apply the higher privileged role. Roles differ slightly, depending on whether they are applied to an organization or an administrative group. Therefore, the effective permissions that result when a role is applied can differ slightly.

The following tables list the effective permissions, based on the role applied and where it has been applied. These tables help explain how roles supersede each other, and the impact of differences between the organization level and the administrative group level.

Note

There is no table that shows the effective role at the organization level from roles applied at the administrative group level. This is because roles applied at the administrative group level apply only to the local administrative group. Because administrative groups are under the organization level in the hierarchy, the administrative group can inherit permissions from the organization, but not vice versa.

Effective roles at the administrative group level from roles applied at the administrative group level

| Granted role | View Only Administrator | Exchange Administrator | Full Administrator |
|---|---|---|---|
| Exchange View Only Administrator | Yes | No | No |
| Exchange Administrator | Yes | Yes | No |
| Exchange Full Administrator | Yes | Yes | Yes |

Effective roles at the administrative group level from roles applied at the organization level

| Granted role | View Only Administrator | Exchange Administrator | Full Administrator |
|---|---|---|---|
| Exchange View Only Administrator | Yes | No | No |
| Exchange Administrator | Yes | Yes | No |
| Exchange Full Administrator | Yes | Yes | Yes |

Effective roles at the organization level from roles applied at the organization level

| Granted role | View Only Administrator | Exchange Administrator | Full Administrator |
|---|---|---|---|
| Exchange View Only Administrator | Yes | No | No |
| Exchange Administrator | Yes | Yes | No |
| Exchange Full Administrator | Yes | Yes | Yes |
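
The supersession and inheritance rules shown in the tables above can be checked against a delegation inventory. The following Python is an added example, not part of the original documentation or any Microsoft tool: it computes the effective role per principal and scope, lists delegations that a superseding role already covers, and lists who can modify permissions. The principals, administrative group names and the ORG scope marker are constructed, and group membership is not expanded.

```python
# Added illustration of the role rules on this page; not Microsoft code.
# Role names come from the page; principals and group names are constructed.
ROLES = ["Exchange View Only Administrator",
         "Exchange Administrator",
         "Exchange Full Administrator"]          # ascending privilege
RANK = {role: i for i, role in enumerate(ROLES)}
ORG = "ORGANIZATION"                             # hypothetical scope marker

DELEGATIONS = [  # (principal, scope, role) -- constructed sample data
    ("CONTOSO\\ExchOps", ORG, ROLES[0]),
    ("CONTOSO\\ExchOps", "AG-Europe", ROLES[1]),
    ("CONTOSO\\HelpDesk", "AG-Europe", ROLES[0]),
    ("CONTOSO\\HelpDesk", "AG-Europe", ROLES[2]),
    ("CONTOSO\\Audit", ORG, ROLES[1]),
    ("CONTOSO\\Audit", "AG-Asia", ROLES[0]),
]
ADMIN_GROUPS = ["AG-Europe", "AG-Asia"]

def effective_roles(delegations, admin_groups):
    """Map (principal, scope) to the highest role in effect there."""
    best = {}
    for principal, scope, role in delegations:
        # An organization-level role is inherited by every administrative
        # group; a group-level role stays in its own group.
        targets = [ORG, *admin_groups] if scope == ORG else [scope]
        for target in targets:
            key = (principal, target)
            if key not in best or RANK[role] > RANK[best[key]]:
                best[key] = role
    return best

def redundant(delegations):
    """Delegations already covered by a superseding role."""
    delegations = list(delegations)
    found = []
    for principal, scope, role in delegations:
        for other, other_scope, other_role in delegations:
            if other != principal:
                continue
            same_scope = other_scope == scope and RANK[other_role] > RANK[role]
            from_org = (other_scope == ORG and scope != ORG
                        and RANK[other_role] >= RANK[role])
            if same_scope or from_org:
                found.append((principal, scope, role))
                break
    return found

def can_modify_permissions(effective):
    """Only Exchange Full Administrator can modify permissions."""
    return sorted(k for k, role in effective.items() if role == ROLES[2])
```

Entries returned by redundant() can be removed without changing anyone's effective role, and the output of can_modify_permissions() is the list to review first when tightening delegation.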