Export (0) Print
Expand All

Understanding Management Roles

Applies to: Exchange Server 2010

Topic Last Modified: 2009-10-14

Management roles are part of the role based access control (RBAC) permissions model used in Microsoft Exchange Server 2010. Roles act as a logical grouping of cmdlets that are combined to provide access to view or modify the configuration of Exchange 2010 components, such as mailboxes, transport rules, and recipients. Management roles can be further combined into larger groupings called management role groups and management role assignment policies, which enable management of feature areas and recipient configuration. Role groups and role assignment policies assign permissions to administrators and end users, respectively. For more information about management role groups and management role assignment policies, see Understanding Role Based Access Control.

Contents

Built-in Management Roles

Unscoped Top Level Management Roles

Custom Management Roles

Management Role Hierarchy

Management Role Entries

Unscoped Top Level Role Entries

Management Role Types

Management role scopes and management role assignments are important components for the operation of management roles. For more information about these components, see the following topics:

Exchange 2010 provides many built-in management roles that you can use to administer your organization. Each role includes the cmdlets and parameters necessary for users to manage specific Exchange components. The following are examples of some built-in management roles:

  • Reset Password   Enables administrators to send end-user passwords.
  • Transport Rules   Enables administrators or specialist users assigned the role to manage the transport rules feature.
  • Distribution Groups   Enables administrators or specialist users assigned the role to manage distribution groups and distribution group members.

For a complete list of the management roles included with Exchange 2010, see Built-in Management Roles.

You can take the built-in roles that are provided with Exchange 2010 and combine them in any way to create a permissions model that works with your business. For example, if you want members of a role group to manage recipients and change their passwords, you assign both the Mail Recipients and Reset Password roles to the role group. Most often, you assign roles to role groups or role assignment policies. You can also assign management roles directly to users if you want to control permissions at a granular level. We recommend that you use role groups and role assignment policies rather than direct user role assignment to simplify your permissions model.

Dd298116.note(en-us,EXCHG.140).gifNote:
You can only assign end-user management roles to role assignment policies.

Built-in management roles can't be changed. You can, however, create management roles based on the built-in management roles, and then assign those new roles to role groups or role assignment policies. You can then change the new management roles to suit your needs. Doing so is an advanced task that you should rarely, if ever, have to do.

For more information about creating custom roles based on the built-in Exchange roles, see Custom Management Roles later in this topic.

You need to assign management roles for them to take effect. Most often, you assign management roles to role groups and role assignment policies. In certain circumstances, you might also assign roles directly to users, although this is an advanced task that you should rarely, if ever, need to do.

For more information about assigning management roles, see the following topics:

For more information about management role assignments, see Understanding Management Role Assignments.

Return to top

Unscoped top level management roles are a special type of management role that enables you to grant access to custom scripts and non-Exchange cmdlets to users using RBAC. Regular management roles provide access only to Exchange cmdlets. If you need to provide access to non-Exchange cmdlets that run on an Exchange server, or if you need to publish a script that can be run by your users, you need to add them to an unscoped role. They're called a top level role because when a new unscoped role is first created without deriving from another parent role, it has no parent and is a peer of the built-in management roles provided with Exchange 2010. To indicate that you want to create an unscoped top level role entry, you need to use the UnscopedTopLevel switch with the New-ManagementRole cmdlet.

Unscoped roles are named as such because, unlike regular management roles, they can't be scoped to a specific target. Unscoped roles are always organization wide. This means that someone who's assigned an unscoped role can modify any object in the Exchange 2010 organization. For this reason, care must be taken to make sure that scripts and cmdlets made available through an unscoped role are thoroughly tested so that you know what they will modify, and that you carefully assign unscoped roles.

Unscoped roles can be assigned to role assignees such as role groups, management roles, users, and universal security groups (USG). They can't be assigned to management role assignment policies.

Although Exchange cmdlets can't be added as a management role entry on an unscoped role, they can be included in scripts added as role entries. This enables you to create custom scripts that perform Exchange tasks that you can then assign to users. A useful scenario is where a user must perform a highly privileged task that normally falls outside his or her administrative level and where crafting a new management role or role group would be problematic. You can create a script that performs this specific function, add it to an unscoped role, and then assign the unscoped role to the user. The user can then perform only the specific function provided by the script.

The role entries that you add to an unscoped role must also be designated as an unscoped top level role entry. For more information about unscoped top level role entries, see Unscoped Top Level Role Entries later in this topic.

The Organization Management role group doesn't, by default, have permissions to create or manage unscoped role groups. This is to prevent unscoped role groups from mistakenly being created or modified. The Organization Management role group can delegate the Unscoped Role Management management role to itself and other role assignees. For more information about how to create an unscoped top level management role, see Create an Unscoped Role.

Return to top

You can create custom management roles that are based on built-in Exchange roles when the built-in management roles don't match the needs of your users. When you create a custom management role, the new child role inherits all of the management role entries of the parent role. You can then choose which management role entries you want to keep in the custom management role and remove all of the entries you don't want.

Custom roles become children of the role used to create the new role. You can only use management role entries in the new child role that exist in the parent role. For more information, see the following sections later in this topic:

Creating custom management roles requires multiple steps and is an advanced task that you should rarely, if ever, need to perform. Before you create a custom management role, make sure one of the existing built-in management roles doesn't provide the permissions you need. For more information about the built-in management roles, or if you want to create custom management roles, see the following topics:

For more information about how to create a new management role, see Create a Role.

Return to top

Management roles exist in a parent and child hierarchy. At the top of the hierarchy are the built-in management roles that are provided in Exchange 2010 by default. When you create a new role, a copy of a parent role is made. The new role is a child of the role you copied from. You can then customize the new role to suit the needs of the administrators or users you want to assign it to.

Customized roles can be used to create new roles. When you create a new role from an existing customized role, the existing customized role remains a child of its parent role, but also becomes the parent for the new role. Each time a role is copied, the new child role can contain only the role entries that exist in the immediate parent role.

Each management role is given a role type that can't be changed. The role type defines the base context of use for the role. The role type is copied from the parent role when the child role is created.

Management role hierarchy

RBAC management role hierarchical diagram

The preceding figure illustrates the hierarchical relationship of several management roles. The Mail Recipients and Help Desk roles are built-in roles. All of the child roles derived from these roles inherit the role type of each built-in role. For example, all child roles derived either directly or indirectly from the Mail Recipients role inherit the MailRecipients role type.

The Seattle Recipient Administrators custom role is a child of the Mail Recipients built-in role but it's also the parent of the Seattle Sales Recipient Administrators custom role and the Seattle Legal Recipient Administrators custom role. The Seattle Recipient Administrators custom role contains only a subset of cmdlets that are available in the Mail Recipients role. The child roles of the Seattle Recipients Administrators custom role can only contain cmdlets that also exist in that role. For example, if a cmdlet exists in the Mail Recipients role, but the cmdlet doesn't exist in the Seattle Recipients Administrators custom role, the cmdlet can't be added to the Seattle Sales Recipients Administrators custom role.

All of the custom roles follow the same pattern as the roles discussed previously. For more information about how access to cmdlets is controlled on management roles, see Management Role Entries next in this topic.

Return to top

Every management role, whether it’s a custom Exchange role or an unscoped role, must have at least one management role entry. An entry consists of a single cmdlet and its parameters, a script, or a special permission that you want to make available. If a cmdlet or script doesn't appear as an entry on a management role, that cmdlet or script isn't accessible via that role. Likewise, if a parameter doesn't exist in an entry, the parameter on that cmdlet or script isn't accessible via that role.

Exchange 2010 enables you to manage role entries based on built-in Exchange management top level roles and role entries based on unscoped top level management roles. Roles based on built-in Exchange top level roles can only contain role entries that are Exchange 2010 cmdlets. To add custom scripts or non-Exchange cmdlets so that your users can use them, you need to add them as unscoped role entries to an unscoped top level role. For more information about unscoped role entries, see Unscoped Top Level Role Entries later in this topic.

All role entries, regardless of whether the role entry is an Exchange cmdlet-based role entry or an unscoped role entry, adhere to the same principles explained in the following sections.

For more information about managing role entries, see Management Roles and Role Entries.

As mentioned previously, a management role entry, including the cmdlet and its parameters, must exist in the immediate parent role to add the entry to the child role. For example, if the parent role doesn’t have an entry for New-Mailbox, the child role can't be assigned that cmdlet. Additionally, if Set-Mailbox is on the parent role but the Database parameter has been removed from the entry, the Database parameter on the Set-Mailbox cmdlet can't be added to the entry on the child role.

Because you can't add management role entries to child roles if the entries don't appear in parent roles, and because the role is based on a specific role type, you must carefully choose the parent role to copy when you want to create a new customized role.

Return to top

Management role entry names are a combination of the management role that they're associated with, and the name of the cmdlet or script. The role name and the cmdlet or script are separated by a backslash character (\). For example, the role entry name for the Set-Mailbox cmdlet on the Mail Recipients role is Mail Recipients\Set-Mailbox. If the name of a role entry contains spaces, enclose the entire name in quotation marks (").

The wildcard character (*) can be used in the role entry name to return all of the role entries that match the input you provide. The wildcard character can be used on either side of the backslash character. The following table contains a few variations on how you can use the wildcard character in a role entry name.

Management role entry name with wildcard characters

Example Description

*\*

Returns a list of all role entries for all roles.

*\Set-Mailbox

Returns a list of all role entries that contain the Set-Mailbox cmdlet.

Mail Recipients\*

Returns a list of all role entries on the Mail Recipients role.

Mail Recipients\*Mailbox

Returns a list of all role entries on the Mail Recipients role that end in Mailbox.

My*\*Group*

Returns a list of all role entries that contain the string Group in the cmdlet name for all roles that begin with My.

Unscoped top level role entries are used with unscoped top level management roles to create roles based on custom scripts or non-Exchange cmdlets. Each unscoped role entry is associated with a single custom script or a non-Exchange cmdlet. To indicate that you want to create an unscoped role entry on an unscoped role, you need to specify the UnscopedTopLevel parameter on the New-ManagementRoleEntry cmdlet.

When you add the unscoped role entry, you need to specify all of the parameters that can be used with the script or non-Exchange cmdlet. Exchange attempts to verify the parameters that you provide when you add the role entry. Only the parameters that you add to the role entry when it's created will be available to the users assigned to the unscoped role. If you add parameters to the script or non-Exchange cmdlet, or if a parameter is renamed, you must update the role entry manually. Exchange doesn't check whether existing parameters on an unscoped role entry have changed. If a parameter on a role entry changes in a script and you try to use that parameter, the command fails.

Scripts that you add to an unscoped role entry must reside in the Exchange 2010 scripts directory on every server where administrators and users connect using the Exchange Management Shell. If you try to add an unscoped role entry based on a script that doesn't exist in the Exchange 2010 scripts directory on the server you're using to add the role entry, an error occurs. The default installation of the Exchange 2010 scripts directory is C:\Program Files\Microsoft\Exchange Server\V14\Scripts.

Non-Exchange cmdlets that you add to an unscoped role entry must be installed on every Exchange 2010 server where administrators and users connect using the Shell and want to use the cmdlets. If you try to add an unscoped role entry based on a non-Exchange cmdlet that isn't installed on the Exchange 2010 server you're using to add the role entry, an error occurs. When you add a non-Exchange cmdlet, you must specify the Windows PowerShell snap-in name that contains the non-Exchange cmdlet.

For more information about how to add an unscoped management role entry, see Add a Role Entry to a Role.

Return to top

Management role types are the foundation of all management roles. Types define the implicit scopes defined on all management roles of a specified role type and also act as a logical grouping of related roles. All management roles derived from the parent built-in management role have the same role type. Refer to the Management role hierarchy figure earlier in this topic for an illustration of this relationship. Management role types also represent the maximum set of cmdlets and their parameters that can be added to a role associated with an associated role type.

Management role types are split into the following categories:

  • Administrative or specialist   Roles associated with an administrative or specialist role type have a broader scope of impact in the Exchange organization. Roles of this role type enable tasks such as server or recipient management, organization configuration, compliance administration, auditing, and more.
  • User-focused   Roles that are associated with a user-focused role type have a scope of impact closely tied with an individual user. Roles of this role type enable tasks such as user profile configuration and self management, management of user-owned distribution groups, and more.
    The names of roles associated with user-focused role types and user-focused role type names begin with My.
  • Specialty   Roles associated with specialty role types enable tasks that don't aren't administrative or user-focused role types. Roles of this role type enable tasks such as application impersonation and the use of non-Exchange cmdlets or scripts.

The following table lists all of the administrative management role types in Exchange 2010 and whether the configuration that's permitted by the role type is applied across the whole Exchange organization or only to an individual server. For more information about each of the management roles associated with these role types, including a description of each role, who may benefit from being assigned the role, and other information, see Built-in Management Roles.

Administrative role types

Management role type Description Organization or Server

ActiveDirectoryPermissions

This role type is associated with roles that enable administrators to configure Active Directory permissions in an organization. Some features that use Active Directory permissions or an access control list (ACL) include transport Receive and Send connectors, and Send As and send on behalf of permissions for mailboxes.

Dd298116.note(en-us,EXCHG.140).gifNote:
Permissions set directly on Active Directory objects may not be enforced through RBAC.

Organization

AddressLists

This role type is associated with roles that enable administrators to manage address lists, global address list (GALs), and offline address lists in an organization.

Organization

CmdletExtensionAgents

This role type is associated with roles that enable administrators to manage cmdlet extension agents in an organization.

Organization

DatabaseAvailabilityGroups

This role type is associated with roles that enable administrators to manage database availability groups in an organization. Administrators assigned this role either directly or indirectly are the highest level administrators responsible for the high availability configuration in an organization.

Organization

DatabaseCopies

This role type is associated with roles that enable administrators to manage database copies on individual servers.

Server

Databases

This role type is associated with roles that enable administrators to create, manage, mount, and dismount mailbox and public folder databases on individual servers.

Server

DisasterRecovery

This role type is associated with roles that enable administrators to restore mailboxes and database availability groups in an organization.

Organization

DistributionGroups

This role type is associated with roles that enable administrators to create and manage distribution groups and distribution group members in an organization.

Organization

EdgeSubscriptions

This role type is associated with roles that enable administrators to manage edge synchronization and subscription configuration between Edge Transport servers and Hub Transport servers in an organization.

Organization

EMailAddressPolicies

This role type is associated with roles that enable administrators to manage e-mail address policies in an organization.

Organization

ExchangeConnectors

This role type is associated with roles that enable administrators to manage connectors that aren't Send and Receive connectors in an organization. These connectors include routing group connectors and delivery agent connectors.

Organization

ExchangeServerCertificates

This role type is associated with roles that enable administrators to create, import, export, and manage Exchange server certificates on individual servers.

Server

ExchangeServers

This role type is associated with roles that enable administrators to manage Exchange server configuration on individual servers.

Server

ExchangeVirtualDirectories

This role type is associated with roles that enable administrators to manage Microsoft Office Outlook Web App, Microsoft ActiveSync, offline address book (OAB), Autodiscover, Windows PowerShell, and Web administration interface virtual directories on individual servers.

Server

FederatedSharing

This role type is associated with roles that enable administrators to manage cross-forest and cross-organization sharing in an organization.

Organization

InformationRightsManagement

This role type is associated with roles that enable administrators to manage the Information Rights Management (IRM) features of Exchange in an organization.

Organization

Journaling

This role type is associated with roles that enable administrators to manage journaling configuration in an organization.

Organization

LegalHold

This role type is associated with roles that enable administrators to configure whether data within a mailbox should be retained for litigation purposes in an organization.

Organization

MailboxSearch

This role type is associated with roles that enable administrators to search the content of one or more mailboxes in an organization.

Organization

MailEnabledPublicFolders

This role type is associated with roles that enable administrators to configure whether individual public folders are mail-enabled or mail-disabled in an organization.

This role type enables you to manage the e-mail properties of public folders only. It doesn't enable you to manage non-e-mail properties of public folders. To manage non-email properties of public folders, you need to be assigned a role that's associated with the PublicFolders role type.

Organization

MailRecipientCreation

This role type is associated with roles that enable administrators to create mailboxes, mail users, mail contacts, distribution groups, and dynamic distribution groups in an organization. Roles associated with this role type can be combined with roles associated with the MailRecipients role type to enable the creation and management of recipients.

This role type doesn't enable you to mail-enable public folders. To mail-enable public folders, you must be assigned a role associated with the MailEnabledPublicFolders role type.

If your organization maintains a split permissions model where recipient creation is performed by a different group than those who perform recipient management, assign the MailRecipientCreation role to the group that performs recipient creation, and the MailRecipients role to the group that performs recipient management.

Organization

MailRecipients

This role type is associated with roles that enable administrators to manage existing mailboxes, mail users, mail contacts, distribution groups, and dynamic distribution groups in an organization. Roles associated with this role type can't create these recipients but can be combined with roles associated with the MailRecipientCreation role type to enable the creation and management of recipients.

This role type doesn't enable you to manage mail-enabled public folders or distribution groups. To manage mail-enabled public folders, you must be assigned a role associated with the MailEnabledPublicFolders role type. To manage distribution groups, you must be assigned a role associated with the DistributionGroups role type.

If your organization maintains a split permissions model where recipient creation is performed by a different group than those who perform recipient management, assign the MailRecipientCreation roles to the group that performs recipient creation, and the MailRecipients roles to the group that performs recipient management.

Organization

MailTips

This role type is associated with roles that enable administrators to manage mail tips in an organization.

Organization

MessageTracking

This role type is associated with roles that enable administrators to track messages in an organization.

Organization

Migration

This role type is associated with roles that enable administrators to migrate mailboxes and mailbox content into or out of a server.

Server

Monitoring

This role type is associated with roles that enable administrators to monitor the Microsoft Exchange services and component availability in an organization. In addition to administrators, roles associated with this role type can be used with the service account used by monitoring applications to collect information about the state of Exchange servers.

Organization

MoveMailboxes

This role type is associated with roles that enable administrators to move mailboxes between servers in an organization and between servers in the local organization and another organization.

Organization

OrganizationClientAccess

This role type is associated with roles that enable administrators to manage Client Access server settings in an organization.

Organization

OrganizationConfiguration

This role type is associated with roles that enable administrators to manage organization-wide settings in an organization. Organization configuration that can be controlled with this role type include the following and more:

  • Whether mail tips are enabled or disabled for the organization.
  • The URL for the managed folder home page.
  • The Microsoft Exchange recipient SMTP address and alternate e-mail addresses.
  • The resource mailbox property schema configuration.
  • The Help URLs for the Exchange Management Console and Outlook Web App.

This role type doesn't include the permissions included in the OrganizationClientAccess or OrganizationTransportSettings role types.

Organization

OrganizationTransportSettings

This role type is associated with roles that enable administrators to manage organization-wide transport settings, such as system messages, site configuration, and other organization-wide transport settings in an organization.

This role doesn't enable you to create or manage transport Receive or Send connectors, queues, hygiene, agents, remote and accepted domains, or rules. To create or manage each of the transport features, you must be assigned roles associated with the following role types:

  • Receive connectors   ReceiveConnectors
  • Send connectors   SendConnectors
  • Transport queues   TransportQueues
  • Transport hygiene   TransportHygiene
  • Transport agents   TransportAgents
  • Remote and accepted domains   RemoteandAcceptedDomains
  • Transport rules   TransportRules

Organization

Pop3andIMAP4Protocols

This role type is associated with roles that enable administrators to manage POP3 and IMAP4 configuration, such as authentication and connection settings, on individual servers.

Server

PublicFolderReplication

This role type is associated with roles that enable administrators to start and stop public folder replication in an organization.

Organization

PublicFolders

This role type is associated with roles that enable administrators to manage public folders in an organization.

This role type doesn't enable you to manage whether public folders are mail-enabled or manage public folder replication. To mail-enable or disable a public folder, you must be assigned a role associated with the MailEnabledPublicFolders role type. To configure public folder replication, you must be assigned a role associated with the PublicFolderReplication role type.

Organization

ReceiveConnectors

This role type is associated with roles that enable administrators to manage transport Receive connector configuration, such as size limits on an individual server.

Server

RecipientPolicies

This role type is associated with roles that enable administrators to manage recipient policies, such as provisioning policies, in an organization.

Organization

RemoteandAcceptedDomains

This role type is associated with roles that enable administrators to manage remote and accepted domains in an organization.

Organization

ResetPassword

This role type is associated with roles that enable users to reset their own passwords and administrators to reset users' passwords in an organization.

Organization

RetentionManagement

This role type is associated with roles that enable administrators to manage retention policies in an organization.

Organization

RoleManagement

This role type is associated with roles that enable administrators to manage management role groups, role assignment policies, management roles, role entries, assignments, and scopes in an organization.

Users assigned roles associated with this role type can override the role group managed by property, configure any role group, and add or remove members to or from any role group.

Organization

SecurityGroupCreationandMembership

This role type is associated with roles that enable administrators to create and manage USGs and their memberships in an organization.

If your organization maintains a split permissions model where USG creation and management is performed by a different group than those who manage Exchange servers, assign roles associated with this role type to that group.

Organization

SendConnectors

This role type is associated with roles that enable administrators to manage transport Send connectors in an organization.

Organization

SupportDiagnostics

This role type is associated with roles that enable administrators to perform advanced diagnostics under the direction of Microsoft support services in an organization.

Dd298116.Caution(en-us,EXCHG.140).gifCaution:
Roles associated with this role type grant permissions to cmdlets and scripts that should only be used under the direction of Microsoft Customer Service and Support.

Organization

TransportAgents

This role type is associated with roles that enable administrators to manage transport agents in an organization.

Organization

TransportHygiene

This role type is associated with roles that enable administrators to manage antivirus and anti-spam features in an organization.

Organization

TransportQueues

This role type is associated with roles that enable administrators to manage transport queues on an individual server.

Server

TransportRules

This role type is associated with roles that enable administrators to manage transport rules in an organization.

Organization

UMMailboxes

This role type is associated with roles that enable administrators to manage the Unified Messaging (UM) configuration of mailboxes and other recipients in an organization.

Organization

UMPrompts

This role type is associated with roles that enable administrators to create and manage custom UM voice prompts in an organization.

Organization

UnifiedMessaging

This role type is associated with roles that enable administrators to manage Unified Messaging servers in an organization.

This role doesn't enable you to manage UM-specific mailbox configuration or UM prompts. To manage UM-specific mailbox configuration, use roles associated with the UMMailboxes role type. To manage UM prompts, use the roles associated with the UMPrompts role type.

Organization

UnScopedRoleManagement

This role type is associated with roles that enable administrators to create and manage unscoped top level management roles in an organization.

Organization

UserOptionsSupport

This role type is associated with roles that enable administrators to view the Outlook Web App options of a user in an organization. Roles associated with this role type can be used to help a user with diagnosing problems with his or her configuration.

Organization

ViewOnlyConfiguration

This role type is associated with roles that enable administrators to view all of the non-recipient Exchange configuration settings in an organization. Examples of configuration that are viewable are server configuration, transport configuration, database configuration, and organization-wide configuration.

Roles associated with this role type can be combined with roles associated with the ViewOnlyRecipients role type to create a role that can view every object in an organization.

Organization

ViewOnlyRecipients

This role type is associated with roles that enable administrators to view the configuration of recipients, such as mailboxes, mail users, mail contacts, distribution groups, and dynamic distribution groups.

Roles associated with this role type can be combined with roles associated with the ViewOnlyConfiguration role type to create a role that can view every object in the organization.

Organization

The following table lists all of the user-focused management role types in Exchange 2010.

User-focused role types

Management role type Description

MyBaseOptions

This role type is associated with roles that enable individual users to view and modify the basic configuration of their own mailbox and associated settings.

MyContactInformation

This role type is associated with roles that enable individual users to modify their contact information. This information includes their address and phone numbers.

MyDistributionGroupMembership

This role type is associated with roles that enable individual users to view and modify their membership in distribution groups in an organization, provided that those distribution groups allow manipulation of group membership.

MyDistributionGroups

This role type is associated with roles that enable individual users to create, modify, and view distribution groups and modify, view, remove, and add members to distribution groups they own.

MyMailSubscriptions

This role type is associated with roles that enable individual users to view and modify their e-mail subscription settings such as message format and protocol defaults.

MyProfileInformation

This role type is associated with roles that enable individual users to modify their name.

MyRetentionPolicies

This role type is associated with roles that enable individual users to view their retention tags and view and modify their retention tag settings and defaults.

MyTextMessaging

This role type is associated with roles that enable individual users to create, view, and modify their text messaging settings.

MyVoiceMail

This role type is associated with roles that enable individual users to view and modify their voice mail settings.

Return to top

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft