Built-in management roles

Applies to: Exchange Server 2013

Microsoft Exchange Server 2013 includes many management roles by default. The following roles are assigned to management role groups or management role assignment policies in various combinations that grant permissions to manage and use the features provided by Exchange 2013. For more information about roles, see Understanding management roles.

Active Directory Permissions role

Address Lists role

ApplicationImpersonation role

ArchiveApplication role

Audit Logs role

Cmdlet Extension Agents role

Data Loss Prevention role

Database Availability Groups role

Database Copies role

Databases role

Disaster Recovery role

Distribution Groups role

Edge Subscriptions role

E-Mail Address Policies role

Exchange Connectors role

Exchange Server Certificates role

Exchange Servers role

Exchange Virtual Directories role

Federated Sharing role

Information Rights Management role

Journaling role

Legal Hold role

LegalHoldApplication role

Mail Enabled Public Folders role

Mail Recipient Creation role

Mail Recipients role

Mail Tips role

Mailbox Import Export role

Mailbox Search role

MailboxSearchApplication role

Message Tracking role

Migration role

Monitoring role

Move Mailboxes role

My Custom Apps role

My Marketplace Apps role

MyAddressInformation role

MyBaseOptions role

MyContactInformation role

MyDiagnostics role

MyDisplayName role

MyDistributionGroupMembership role

MyDistributionGroups role

MyMobileInformation role

MyName role

MyPersonalInformation role

MyProfileInformation role

MyRetentionPolicies role

MyTeamMailboxes role

MyTextMessaging role

MyVoiceMail role

OfficeExtensionApplication role

Org Custom Apps role

Org Marketplace Apps role

Organization Client Access role

Organization Configuration role

Organization Transport Settings role

POP3 and IMAP4 Protocols role

Public Folders role

Receive Connectors role

Recipient Policies role

Remote and Accepted Domains role

Reset Password role

Retention Management role

Role Management role

Security Group Creation and Membership role

Send Connectors role

Support Diagnostics role

Team Mailboxes role

TeamMailboxLifecycleApplication role

Transport Agents role

Transport Hygiene role

Transport Queues role

Transport Rules role

UM Mailboxes role

UM Prompts role

Unified Messaging role

Unscoped Role Management role

User Options role

UserApplication role

View-Only Audit Logs role

View-Only Configuration role

View-Only Recipients role

These management roles are among the built-in roles in the Role Based Access Control (RBAC) permissions model in Microsoft Exchange Server 2013. Management roles, which are assigned to one or more management role groups, management role assignment policies, users, or universal security groups (USGs), act as a logical grouping of cmdlets or scripts that are combined to provide access to view or modify the configuration of Exchange 2013 components, such as mailbox databases, transport rules, and recipients. If a cmdlet or script and its parameters, together called a management role entry, are included on a role, that cmdlet or script and its parameters can be run by those assigned the role. For more information about management roles and management role entries, see Understanding management roles.

For more information about management roles, management role groups, and other RBAC components, see Understanding Role Based Access Control.

Management role assignments

For these roles to grant permissions, they must be assigned to a role assignee, which can be a role group, user, or universal security group (USG). This assignment is done using management role assignments. Role assignments link role assignees and roles together. If more than one role is assigned to a role assignee, the role assignee is granted the combination of all the permissions granted by all the assigned roles.

In addition to linking role assignees to roles, role assignments can also apply custom or built-in management scopes. Management scopes control which recipient, server, and database objects can be modified by role assignees. If these roles are assigned to a role assignee, but a management scope allows the role assignee only to manage certain objects based on a defined scope, the role assignee can only use the permissions granted by these roles on those specific objects. The permissions provided by these roles can't be applied to objects outside the scope defined on the role assignment. For more information about role assignments and scopes, see the following topics:

These roles are assigned to one or more role groups by default. For more information, see the "Default Management Role Assignments" section later in this topic.

If you want to view a list of role groups, users, or USGs assigned to these roles, use the following command.

Get-ManagementRoleAssignment -Role "<role name>"

Regular and delegating role assignments

These roles can be assigned to role assignees using either regular or delegating role assignments. Regular role assignments grant the permissions provided by the role to the role assignee. Delegating role assignments grant the role assignee the ability to assign the role to other role assignees. For more information about regular and delegating role assignments, see Understanding management role assignments.

Adding or removing role assignments

You can change which role assignees are assigned these roles. By changing which role assignee is assigned these roles, you change who is granted their permissions. You can assign these roles to other built-in role groups, or you can create role groups and assign these roles to them. You can also assign these roles to users or USGs. However, we recommend that you limit assignment of roles to users and USGs because such assignments can greatly increase the complexity of your permissions model.

To assign these roles to role assignees, the role must be assigned to a role group you're a member of, directly to you, or to a USG you're a member of, using a delegating role assignment. For more information about delegating role assignments, see the "Regular and Delegating Role Assignments" section.

You can also remove these roles from built-in role groups, role groups you create, users, and USGs. However, there must always be at least one delegating role assignment between these roles and a role group or USG. You can't delete the last delegating role assignment. This limitation helps prevent you from locking yourself out of the system.
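As an added example (not from the original article), the following Exchange Management Shell script audits every assignee of one role, separates regular from delegating assignments, and refuses to remove a delegating assignment when it is the last one held by a role group or USG. The role name and the assignment name passed to the function are placeholders; the property names and values are those reported by Get-ManagementRoleAssignment in Exchange 2013.

```powershell
# Added example (not from the original article): audit who holds one role and
# refuse to delete the last delegating assignment held by a role group or USG.
# $RoleName and the assignment name passed to the function are placeholders.
$RoleName = "Mail Recipients"

# Every assignment that links this role to a role assignee, regular or delegating.
$All = Get-ManagementRoleAssignment -Role $RoleName
$All | Format-Table Name, RoleAssignee, RoleAssigneeType, RoleAssignmentDelegationType, Enabled -AutoSize

# Regular assignments grant the role's permissions; delegating assignments only
# grant the right to hand the role to other assignees.
$Regular    = $All | Where-Object { $_.RoleAssignmentDelegationType -eq "Regular" }
$Delegating = $All | Where-Object { $_.RoleAssignmentDelegationType -ne "Regular" }
"$($Regular.Count) regular, $($Delegating.Count) delegating assignment(s) for $RoleName"

function Remove-RoleAssignmentSafely {
    param([Parameter(Mandatory)][string]$AssignmentName)

    $Target = Get-ManagementRoleAssignment -Identity $AssignmentName
    if ($Target.RoleAssignmentDelegationType -eq "Regular") {
        # Regular assignments can always be removed; only the assignee loses permissions.
        Remove-ManagementRoleAssignment -Identity $AssignmentName -Confirm:$false
        return
    }

    # Other delegating assignments for the same role that sit on a role group or USG.
    # Assignments to individual users don't count: the last one must be on a group.
    $Remaining = Get-ManagementRoleAssignment -Role "$($Target.Role)" -Delegating $true |
        Where-Object { $_.Name -ne $Target.Name -and
                       $_.RoleAssigneeType -in @("RoleGroup", "SecurityGroup") }

    if (-not $Remaining) {
        Write-Warning "Not removing '$AssignmentName': it is the last delegating assignment for '$($Target.Role)' held by a role group or USG."
        return
    }
    Remove-ManagementRoleAssignment -Identity $AssignmentName -Confirm:$false
}

# Placeholder assignment name; run the audit above first to pick a real one.
Remove-RoleAssignmentSafely -AssignmentName "Mail Recipients-Help Desk-Delegating"
```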

Important

There must be at least one delegating role assignment between these roles and a role group or USG. You can't remove the last delegating role assignment associated with these roles if the last assignment is to a user.

For more information about how to add or remove assignments between these roles and role groups, users, and USGs, see the following topics:

Changing the management scopes on role assignments

You can also change the management scopes on existing role assignments between these roles and role assignees. By changing the scopes on role assignments, you control what objects can be managed using the permissions provided by these roles. You have several choices when changing the scope on a role assignment. You can do one of the following:

  • Add a new custom scope using the Set-ManagementRoleAssignment cmdlet. For more information, see the following topics:

  • Add or change an organizational unit scope using the Set-ManagementRoleAssignment cmdlet. For more information, see Change a role assignment.

  • Add or change a predefined scope using the Set-ManagementRoleAssignment cmdlet. For more information, see Change a role assignment.

  • Change the recipient, server, or database scope on a custom scope associated with a role assignment using the Set-ManagementScope cmdlet. For more information, see Change a role scope.

Enabling or disabling role assignments

By enabling or disabling a role assignment, you control whether that role assignment should be in effect. If a role assignment is disabled, the permissions granted by the associated role aren't applied to the role assignee. This is convenient if you want to temporarily remove permissions without deleting a role assignment. For more information, see Change a role assignment.
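The scope changes listed in the previous section and the enable/disable switch described here, as an added example that is not part of the original article: a built-in role is assigned under a custom recipient scope, the scope is then changed in each of the three ways the list describes, and the assignment is finally verified and suspended. The scope, role group, member and OU names are placeholders; "Mail Recipients" is the built-in role.

```powershell
# Added example (not from the original article): assign a built-in role under a
# management scope, then change that scope three different ways.
# Scope, role group, member and OU names are placeholders.

# 1. Custom recipient scope: only user mailboxes whose Department is Sales.
New-ManagementScope -Name "Sales Mailboxes" `
    -RecipientRestrictionFilter { (Department -eq "Sales") -and (RecipientType -eq "UserMailbox") }

# 2. A role group with no roles yet, then a regular assignment that carries the
#    custom scope as its recipient write scope. Role groups are addressed with
#    -SecurityGroup because they are backed by USGs.
New-RoleGroup -Name "Sales Recipient Admins" -Members "sales.admin"   # placeholder member
New-ManagementRoleAssignment -Name "Mail Recipients-Sales Recipient Admins" `
    -Role "Mail Recipients" -SecurityGroup "Sales Recipient Admins" `
    -CustomRecipientWriteScope "Sales Mailboxes"

# 3a. Narrow the custom scope itself (Set-ManagementScope); every assignment
#     that uses the scope picks up the new filter.
Set-ManagementScope -Identity "Sales Mailboxes" `
    -RecipientRestrictionFilter { (Department -eq "Sales") -and (RecipientType -eq "UserMailbox") -and (CustomAttribute1 -ne "Protected") }

# 3b. Or move the assignment to an organizational unit scope instead.
Set-ManagementRoleAssignment -Identity "Mail Recipients-Sales Recipient Admins" `
    -RecipientOrganizationalUnitScope "contoso.com/Sales"   # placeholder OU

# 3c. Or use a predefined (relative) scope; Organization is the widest one.
Set-ManagementRoleAssignment -Identity "Mail Recipients-Sales Recipient Admins" `
    -RecipientRelativeWriteScope Organization

# 4. Verify which scope is in effect and which recipients the group can write to,
#    then suspend the assignment without deleting it (Enabled $true restores it).
Get-ManagementRoleAssignment -Identity "Mail Recipients-Sales Recipient Admins" |
    Format-List RecipientWriteScope, CustomRecipientWriteScope, RecipientReadScope, Enabled
Get-ManagementRoleAssignment -RoleAssignee "Sales Recipient Admins" -Role "Mail Recipients" `
    -WritableRecipient "some.user"   # placeholder: returns nothing if the recipient is out of scope
Set-ManagementRoleAssignment -Identity "Mail Recipients-Sales Recipient Admins" -Enabled $false
```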

Management role customization

These roles have been configured to provide a role assignee with all necessary cmdlets and parameters to manage the features and components listed at the beginning of this topic. Other roles have also been provided to enable management of other features. By adding and removing roles to and from role groups, you can create a customized permissions model without the need to customize individual management roles. For a complete list of roles, see Built-in management roles. For more information about customizing role groups, see Manage role groups.

If you decide that you need to create a customized version of one of these roles, you must create a new role as a child of that role and customize the new role.

Warning

The following information enables you to perform advanced management of permissions. Customizing management roles can significantly increase the complexity of your permissions model. You could cause certain features to stop functioning if you replace a built-in management role with an incorrectly configured custom role.

The following are the most common steps to create a customized role and assign it to a role assignee:

  1. Create a copy of a role. For more information, see Create a role.

  2. Change or remove the role entries on the new role using the Set-ManagementRoleEntry and Remove-ManagementRoleEntry cmdlets. You can't add additional role entries to the new role because it can only contain the role entries on the parent built-in role. For more information, see the following topics:

  3. If you want to replace the built-in role with this new customized role, remove any role assignments associated with the built-in role. For more information, see the following topics:

  4. Add the new customized role to the required role assignees. For more information, see the following topics:

    • "Add or remove a role to or from a role group" section in Manage role groups

    • Add a role to a user or USG

      Important

      If you want other users, in addition to the user that created the role, to be able to assign the new customized role, be sure to add a delegating role assignment to at least one role assignee. For more information, see Delegate role assignments.
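The four steps above carried through in the Exchange Management Shell, as an added example that is not part of the original article: a child of the built-in Mail Recipients role is created, trimmed, optionally swapped in for the parent on one role group, and assigned with both a regular and a delegating assignment. The new role, role group, member and assignment names are placeholders; the built-in role, role group and cmdlet names are real.

```powershell
# Added example (not from the original article): a customized child of the
# built-in Mail Recipients role, trimmed and assigned to a new role group.
# The new role, role group, member and assignment names are placeholders.

# 1. Copy the role. A child role starts with every role entry of its parent.
New-ManagementRole -Name "Mail Recipients - Limited" -Parent "Mail Recipients"

# 2. Trim entries; a child may only lose entries, never gain any the parent lacks.
#    Remove every Remove-* and Disable-* cmdlet from the new role ...
Get-ManagementRoleEntry "Mail Recipients - Limited\*" |
    Where-Object { $_.Name -like "Remove-*" -or $_.Name -like "Disable-*" } |
    Remove-ManagementRoleEntry -Confirm:$false
#    ... and take the address-changing parameters away from Set-Mailbox.
Set-ManagementRoleEntry "Mail Recipients - Limited\Set-Mailbox" `
    -Parameters EmailAddresses, PrimarySmtpAddress -RemoveParameter

# Check the result: entry counts of parent and child, and what Set-Mailbox kept.
(Get-ManagementRoleEntry "Mail Recipients\*").Count
(Get-ManagementRoleEntry "Mail Recipients - Limited\*").Count
(Get-ManagementRoleEntry "Mail Recipients - Limited\Set-Mailbox").Parameters

# 3. Only when replacing the built-in role on an existing role group: drop that
#    group's assignment of the parent so the trimmed role is the only one in effect.
$Group = "Recipient Management"   # placeholder: the role group you are replacing it on
Get-ManagementRoleAssignment -Role "Mail Recipients" -RoleAssignee $Group |
    Remove-ManagementRoleAssignment -Confirm:$false

# 4. Assign the new role. New-RoleGroup -Roles creates the regular assignment.
New-RoleGroup -Name "Limited Recipient Admins" -Roles "Mail Recipients - Limited" `
    -Members "helpdesk.user"   # placeholder member

# Let Organization Management hand the role out too (delegating assignment);
# without this, only the account that created the role can assign it.
New-ManagementRoleAssignment -Name "Mail Recipients - Limited-Organization Management-Delegating" `
    -Role "Mail Recipients - Limited" -SecurityGroup "Organization Management" -Delegating

Get-ManagementRoleAssignment -Role "Mail Recipients - Limited" |
    Format-Table Name, RoleAssignee, RoleAssignmentDelegationType -AutoSize
```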