Understanding Exchange Objects and Exchange System Manager
Topic Last Modified: 2005-04-15
Most elements in an Exchange installation are represented by objects. For example, the server itself, an SMTP virtual server, and a mailbox store are all represented as objects. Controlling each of these objects is a set of security permissions. Permissions on objects in Exchange 2003 build on permissions that the Windows operating system makes available through Active Directory and IIS. Exchange 2003 uses both Active Directory and the IIS metabase to store permissions information about Exchange objects.
To address the fact that information about Exchange objects is in two places, you manage these objects using Exchange System Manager. This tool seamlessly presents objects that are stored in Active Directory and the IIS metabase. Therefore, you can administer objects stored in two places through a single interface.
The permissions model that Exchange System Manager exposes builds on the Windows security model—an object-oriented security model, based on the concept of discretionary access control. This means that each Exchange object has its own discrete permissions that govern access to the object, and that these permissions can be administered by anyone who has the appropriate permission level. This permission model makes it possible to implement delegated permission models in which certain roles are assigned varying permissions based on the functional tasks performed by these roles in those environments whose security policy requires that capability.
However, the profusion of objects and permissions that enables Exchange to support complex security requirements can also make it seem complex to administer. Fortunately, Exchange System Manager simplifies managing permissions with the following:
Support for inheritance
Standardized security roles
Exchange Administration Delegation Wizard
Together, these features simplify the management of permissions so that most Exchange implementations can implement their security requirements without having to set permissions on individual attributes on individual objects.