Add a Role to a Role Group

Applies to: Exchange Server 2010

If you want to give the administrators who are assigned a management role group the ability to manage a feature, add the management role that manages that feature to the role group. For more information about role groups, management role assignments, and management scopes in Microsoft Exchange Server 2010, see the following topics:

Note

Role assignments are additive. This means that all the roles are added together when they're evaluated. If two roles are assigned to a user and one role contains a cmdlet but the other doesn't, the cmdlet will still be available to the user.

Note

You can't add roles to built-in role groups.
By default, role assignments, including the Organization Management role, don't grant the ability, called role delegation, to assign roles to other users. Role delegation is an advanced task. To enable a user to assign roles to other role groups, see Delegate Role Assignments.

Looking for other management tasks related to administrators and specialist users? Check out Managing Administrator and Specialist Users.

What Do You Want to Do?

  • Use the Shell to create a role assignment with no scope
  • Use the Shell to create a role assignment with a predefined scope
  • Use the Shell to create a role assignment with a recipient filter-based scope
  • Use the Shell to create a role assignment with a configuration filter-based scope
  • Use the Shell to create a role assignment with an OU scope

If you create a new assignment with a scope, the scope overrides the role's implicit write scope. However, the role's implicit read scope still applies. The new scope can't return objects outside of the role's implicit read scope. For more information, see Understanding Management Role Scopes.

Use the Shell to create a role assignment with no scope

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Role groups" entry in the Role Management Permissions topic.

Note

You can't use the EMC to create a role assignment with no scope.

You can create a role assignment with no scope between a role and a role group. When you do this, the implicit read and implicit write scopes of the role apply.

Use the following syntax to assign a role without any scope to a role group.

New-ManagementRoleAssignment -Name <assignment name> -SecurityGroup <role group name> -Role <role name>

This example assigns the Transport Rules management role to the Seattle Compliance role group.

New-ManagementRoleAssignment -Name "Transport Rules_Seattle Compliance" -SecurityGroup "Seattle Compliance" -Role "Transport Rules"

For detailed syntax and parameter information, see New-ManagementRoleAssignment.

Use the Shell to create a role assignment with a predefined scope

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Role groups" entry in the Role Management Permissions topic.

Note

You can't use the EMC to create a role assignment with a predefined scope.

If a predefined scope meets your business requirements, you can apply that scope to the role assignment rather than create a new one. For a list of predefined scopes and their descriptions, see Understanding Management Role Scopes.

Use the following syntax to assign a role to a role group with a predefined scope.

New-ManagementRoleAssignment -Name <assignment name> -SecurityGroup <role group name> -Role <role name> -RecipientRelativeWriteScope < MyGAL | MyDistributionGroups | Organization | Self >

This example assigns the Message Tracking role to the Enterprise Support role group and applies the Organization predefined scope.

New-ManagementRoleAssignment -Name "Message Tracking_Enterprise Support" -SecurityGroup "Enterprise Support" -Role "Message Tracking" -RecipientRelativeWriteScope Organization

For detailed syntax and parameter information, see New-ManagementRoleAssignment.

Use the Shell to create a role assignment with a recipient filter-based scope

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Role groups" entry in the Role Management Permissions topic.

Note

You can't use the EMC to create a role assignment with a recipient filter-based scope.

If you created a recipient filter-based scope, you need to include the scope in the command used to assign the role to a role group by using the CustomRecipientWriteScope parameter.

You can also include a configuration write scope when you create a role assignment that has a recipient write scope.

Use the following syntax to assign a role to a role group with a recipient filter-based scope.

New-ManagementRoleAssignment -Name <assignment name> -SecurityGroup <role group name> -Role <role name> -CustomRecipientWriteScope <role scope name>

This example assigns the Message Tracking role to the Seattle Recipient Admins role group and applies the Seattle Recipients scope.

New-ManagementRoleAssignment -Name "Message Tracking_Seattle Recipient Admins" -SecurityGroup "Seattle Recipient Admins" -Role "Message Tracking" -CustomRecipientWriteScope "Seattle Recipients"

For detailed syntax and parameter information, see New-ManagementRoleAssignment.

Use the Shell to create a role assignment with a configuration filter-based scope

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Role groups" entry in the Role Management Permissions topic.

Note

You can't use the EMC to create a role assignment with a configuration filter-based scope.

If you created a configuration filter-based scope, you need to include the scope in the command used to assign the role to a role group by using the CustomConfigWriteScope parameter.

You can also include a recipient write scope when you create a role assignment that has a configuration write scope.

Use the following syntax to assign a role to a role group with a configuration filter-based scope.

New-ManagementRoleAssignment -Name <assignment name> -SecurityGroup <role group name> -Role <role name> -CustomConfigWriteScope <role scope name>

This example assigns the Databases role to the Seattle Server Admins role group and applies the Seattle Servers scope.

New-ManagementRoleAssignment -Name "Databases_Seattle Server Admins" -SecurityGroup "Seattle Server Admins" -Role "Databases" -CustomConfigWriteScope "Seattle Servers"

For detailed syntax and parameter information, see New-ManagementRoleAssignment.

Use the Shell to create a role assignment with an OU scope

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Role groups" entry in the Role Management Permissions topic.

Note

You can't use the EMC to create a role assignment with an organizational unit (OU) scope.

If you want to scope a role's write scope to an OU, you can specify the OU in the RecipientOrganizationalUnitScope parameter directly.

Use the following command to assign a role to a role group and restrict the write scope of a role to a specific OU.

New-ManagementRoleAssignment -Name <assignment name> -SecurityGroup <role group name> -Role <role name> -RecipientOrganizationalUnitScope <OU>

This example assigns the Mail Recipients role to the Seattle Recipient Admins role group and scopes the assignment to the Sales\Users OU in the Contoso.com domain.

New-ManagementRoleAssignment -Name "Mail Recipients_Seattle Recipient Admins" -SecurityGroup "Seattle Recipient Admins" -Role "Mail Recipients" -RecipientOrganizationalUnitScope contoso.com/sales/users

For detailed syntax and parameter information, see New-ManagementRoleAssignment.
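
After creating assignments with the procedures above, it helps to review which ones actually narrowed the role's write scope and which still rely on the implicit or a predefined scope. The following is an added example, not part of the original topic: the function name Get-AssignmentScopeKind and the helper New-SampleAssignment are hypothetical, and the sample objects are constructed to mirror the five examples on this page using the property names that Get-ManagementRoleAssignment returns.

```powershell
# Classify role assignments by how their write scope was set.
# Reads only the scope properties found on Get-ManagementRoleAssignment output.
function Get-AssignmentScopeKind {
    param([Parameter(ValueFromPipeline = $true)] $Assignment)
    process {
        $kinds = @()
        if ($Assignment.CustomRecipientWriteScope) {
            $kinds += "recipient filter scope '$($Assignment.CustomRecipientWriteScope)'"
        }
        if ($Assignment.RecipientOrganizationalUnitScope) {
            $kinds += "OU scope '$($Assignment.RecipientOrganizationalUnitScope)'"
        }
        if ($Assignment.CustomConfigWriteScope) {
            $kinds += "configuration filter scope '$($Assignment.CustomConfigWriteScope)'"
        }
        # Nothing custom: the assignment has no scope (implicit write scope) or a predefined one.
        $narrowed = $kinds.Count -gt 0
        if (-not $narrowed) {
            $kinds += "implicit or predefined scope ($($Assignment.RecipientWriteScope))"
        }
        New-Object PSObject -Property @{
            RoleGroup = $Assignment.RoleAssigneeName
            Role      = $Assignment.Role
            Narrowed  = $narrowed
            Scope     = $kinds -join ' + '
        }
    }
}

# Hypothetical helper that builds constructed sample objects so the function runs offline.
function New-SampleAssignment($Group, $Role, $RecipientWrite, $CustomRecipient, $CustomConfig, $OU) {
    New-Object PSObject -Property @{
        RoleAssigneeName = $Group; Role = $Role; RecipientWriteScope = $RecipientWrite
        CustomRecipientWriteScope = $CustomRecipient; CustomConfigWriteScope = $CustomConfig
        RecipientOrganizationalUnitScope = $OU
    }
}

# Constructed data mirroring this page's five examples; RecipientWriteScope values are illustrative.
$sample = @(
    (New-SampleAssignment 'Seattle Compliance' 'Transport Rules' 'Organization' $null $null $null),
    (New-SampleAssignment 'Enterprise Support' 'Message Tracking' 'Organization' $null $null $null),
    (New-SampleAssignment 'Seattle Recipient Admins' 'Message Tracking' 'CustomRecipientScope' 'Seattle Recipients' $null $null),
    (New-SampleAssignment 'Seattle Server Admins' 'Databases' 'Organization' $null 'Seattle Servers' $null),
    (New-SampleAssignment 'Seattle Recipient Admins' 'Mail Recipients' 'OU' $null $null 'contoso.com/sales/users')
)
$sample | Get-AssignmentScopeKind | Sort-Object RoleGroup | Format-Table RoleGroup, Role, Narrowed, Scope -AutoSize

# In the Exchange Management Shell, feed it real assignments instead of the sample:
# Get-ManagementRoleAssignment -RoleAssignee "Seattle Recipient Admins" | Get-AssignmentScopeKind
```

Rows with Narrowed set to False are the ones to check against the intended delegation, because the role's implicit write scope or a broad predefined scope applies to them.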

Other Tasks

After you add a role to a role group, you may also want to: