Using Permissions and Administrative Roles to Control Access
Topic Last Modified: 2005-05-02
As with any application in your environment, when you define the permissions for Exchange, you should consider the roles of your Exchange administrators and assign them only the necessary permissions. To simplify the process, Exchange 2003 uses administrative roles. An administrative role is a collection of Exchange 2003 objects for the purpose of managing and delegating permissions. An administrative role may contain policies, routing groups, public folder hierarchies, and servers.
For example, if your organization has two sets of administrators who manage two sets Exchange 2003 servers, you can create two administrative groups that contain both sets of servers. Based on your administrative model, you can develop an administrative plan that fits your needs.
To easily assign role permissions to administrative groups (and to the Exchange organization), you can use the Exchange Administration Delegation Wizard. To use the wizard, you must be logged on as a user with Full Control over the Exchange organization. To start the Exchange Administration Delegation Wizard, in Exchange System Manager, right-click the organization or administrative group, and then click Delegate Control.
The following table lists the administrative roles in Exchange 2003.
Administrative Roles in Exchange Server 2003
Exchange View Only
Grants permissions to list and read the properties of all objects below that container. Unless the administrator will need to modify object properties, always assign this role.
Grants all permissions except for ability to take ownership, change permissions, or open user mailboxes. If the administrator will need to add objects or modify object properties, but will not be required to delegate permissions on the objects, assign this role.
Exchange Full Administrator
Grants all permissions to all objects below that container except for the ability to open user mailboxes or impersonate a user's mailbox, including the ability to change permissions. Assign this role only to administrators who are required to delegate permissions to objects. Installing Exchange 2003 requires Exchange Full Administrator permissions. The first server in any domain (including the very first in the forest) requires Exchange Full Administrative privileges at the organization level. Additional servers in the same domain can be installed with accounts that have Exchange Full Administrative privileges at the Administrative Group level.
In some cases, the Exchange Administration Delegation Wizard does not provide enough granularity for assigning security permissions. Therefore, for individual objects within Exchange, you can modify the settings on the Security tab. However, by default, the Security tab is displayed only on the following objects:
Global address lists
Databases (mailbox stores and public folder stores)
Top level public folder hierarchy
Normally, it is not necessary to modify the security options on other Exchange objects; however, it is possible to display the Security tab on all Exchange objects.
For detailed steps, see "How to Display the Security Tab on All Exchange Objects."