MSExchangeGuru.com


Role Based Permissions in Exchange Server 2016

Microsoft Exchange Server 2016 ships with a large set of predefined permissions built on the Role Based Access Control (RBAC) permission model. These can be used straight away to grant administrators and users exactly the permissions their tasks require, without touching Active Directory ACLs directly.

A role defines a set of tasks that an administrator or a user can perform. Role based permissions in Exchange 2016 come in two kinds: Admin Roles and End-User Roles.

Admin Roles:

Admin roles are sets of predefined permissions that are granted to administrators or specialist users through role groups. They cover administrative tasks such as managing recipients, servers, or databases.

To see Admin Roles, open the EAC and navigate to Permissions > Admin Roles:


Built-in role groups in Exchange Server 2016 (from TechNet). For each role group, the management roles it contains are listed, followed by what its members can do:

Compliance Management
Roles: Data Loss Prevention, Information Rights Management, Retention Management, View-Only Audit Logs, View-Only Configuration, View-Only Recipients
Members of this role group, typically the staff responsible for compliance, can configure and manage compliance settings within Exchange in accordance with their organization's policy.

Delegated Setup
Roles: View-Only Configuration
Members of this role group have permissions to install and uninstall Exchange on provisioned servers. This role group shouldn't be deleted.

Discovery Management
Roles: Legal Hold, Mailbox Search
Members of this role group can perform searches of mailboxes in the Exchange organization for data that meets specific criteria, and can place mailboxes on legal hold. Because these roles expose other users' mail, membership should be reviewed regularly.

Help Desk
Roles: User Options, View-Only Recipients
Members of this role group can view recipients in the Exchange organization and view and manage the configuration of individual recipients. They can only manage the settings each user could manage on his or her own mailbox. Additional permissions can be granted by assigning additional management roles to this role group.

Hygiene Management
Roles: ApplicationImpersonation, Receive Connectors, Transport Agents, Transport Hygiene, View-Only Configuration
Members of this role group can manage Exchange anti-spam features and grant permissions for antivirus products to integrate with Exchange. Note that ApplicationImpersonation lets its holder act on behalf of any mailbox through Exchange Web Services, so this group should contain only the service accounts that genuinely need it.

Organization Management
Roles: Full permissions (this group holds nearly every management role in the organization)
Members of this role group have permissions to manage Exchange objects and their properties across the Exchange organization. Members can also delegate role groups and management roles in the organization. This role group shouldn't be deleted.

Public Folder Management
Roles: Mail Enabled Public Folders, Public Folders
Members of this role group can create and delete public folders, manage public folder settings such as replicas, quotas, age limits and permissions, and mail-enable or mail-disable public folders.

Recipient Management
Roles: Distribution Groups, Mail Recipient Creation, Mail Recipients, Message Tracking, Migration, Move Mailboxes, Recipient Policies, Team Mailboxes
Members of this role group have rights to create, manage, and remove Exchange recipient objects in the Exchange organization.

Records Management
Roles: Audit Logs, Journaling, Message Tracking, Retention Management, Transport Rules
Members of this role group can configure compliance features such as retention policy tags, message classifications, transport rules, and more.

Server Management
Roles: Database Copies, Databases, Exchange Connectors, Exchange Server Certificates, Exchange Servers, Exchange Virtual Directories, Monitoring, POP3 And IMAP4 Protocols, Receive Connectors, Transport Queues
Members of this role group have permissions to manage all Exchange servers within the Exchange organization, but they don't have permissions to perform operations that have global impact in the Exchange organization.

UM Management
Roles: UM Mailbox, UM Prompts, Unified Messaging
Members of this role group can manage Unified Messaging organization, server, and recipient configuration.

View-Only Organization Management
Roles: View-Only Recipients, Monitoring, View-Only Configuration
Members of this role group can view recipient and configuration objects and their properties in the Exchange organization, but cannot change them.
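The table tells you what each built-in role group can do, but not who actually ends up with those rights once nested groups and direct assignments are counted. The following script is an added example (not from the original article) that uses Get-ManagementRoleAssignment with -GetEffectiveUsers to list the accounts that effectively hold a few high-impact roles, and then checks the membership of the two broadest role groups against an approved list. The set of roles checked and the approved-member list are this example's assumptions; adjust them to your own environment. Run it in the Exchange Management Shell.

```powershell
# Added example (not from the original article): report the accounts that
# effectively hold sensitive management roles, through any role group, nested
# group or direct assignment. Run in the Exchange Management Shell.

# High-impact roles chosen for this example; adjust to your own risk model.
$SensitiveRoles = @(
    'ApplicationImpersonation',   # act as any mailbox via Exchange Web Services
    'Mailbox Import Export',      # export mailbox contents to PST
    'Mailbox Search',             # search other users' mailboxes
    'Legal Hold',                 # place or release holds
    'Role Management'             # change the RBAC configuration itself
)

$report = foreach ($role in $SensitiveRoles) {
    # -GetEffectiveUsers expands role groups and nested groups down to the
    # individual users who actually receive the role.
    Get-ManagementRoleAssignment -Role $role -GetEffectiveUsers -Enabled $true |
        Select-Object @{ Name = 'Role'; Expression = { $role } },
                      EffectiveUserName,
                      RoleAssigneeName,
                      RoleAssigneeType,
                      RecipientWriteScope,
                      ConfigWriteScope
}

$report | Sort-Object Role, EffectiveUserName | Format-Table -AutoSize

# Membership of the role groups with the widest reach: Organization Management
# holds nearly every role, Hygiene Management holds ApplicationImpersonation.
# The approved list is an assumption; keep the real one outside Exchange.
$Approved = @('Administrator')
foreach ($group in 'Organization Management', 'Hygiene Management') {
    Get-RoleGroupMember -Identity $group |
        Where-Object { $Approved -notcontains $_.Name } |
        ForEach-Object { Write-Warning "$group contains unapproved member: $($_.Name)" }
}
```

The RecipientWriteScope and ConfigWriteScope columns are worth reading as carefully as the names: an assignment scoped to Organization reaches every recipient, whereas one bound to a custom scope is limited to the recipients or servers that scope covers.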

User Roles in Exchange 2016:

User role permissions let users manage the features of their own mailbox and of the distribution groups they own; they cannot manage any other mailbox. These roles are assigned through role assignment policies, and their names carry the prefix My (for example MyBaseOptions).

To see User Roles, open the EAC and navigate to Permissions > User Roles:



To summarize: admin roles are assigned through role groups, and user roles are assigned through role assignment policies. Let us see how each of them works:

Role Groups:

Role groups are special universal security groups (USGs) used by Exchange 2016 to grant permissions to administrators and specialist users. A role group can contain Active Directory users, USGs, and other role groups.
When a role is assigned to a role group, the permissions defined by that role are granted to every member of the role group. This lets you grant several roles to many administrators at once. Role groups typically cover a broad management area, such as recipient management, and they are used only with administrative roles, not with end-user roles.

NOTE: It is possible to assign a role directly to a user or USG without using a role group. However, Microsoft recommends using role groups to manage permissions.

Create a new Role Group:

Open the EAC and navigate to Permissions > Admin Roles, then click the Add (+) icon.

In the New Role Group window, provide the name and description of the new role group, select the roles you want to add to the role group, add the members, and save as below:



Roles available:


Once the new role group has been created, it can be used like any of the built-in role groups.

Add members to an existing Role Group (assign permissions to an administrator):

Open the EAC and navigate to Permissions > Admin Roles, select the role group whose roles you want to grant, click Edit, then click the Add (+) icon under the Members section to add the members and save:
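The EAC wizard creates role groups whose assignments cover the whole organization. The same procedure from the shell, as an added example that is not part of the original article, shows the step the wizard hides: a custom recipient write scope that confines the new group to one OU, so a helpdesk team can manage branch mailboxes without being able to touch executives' mailboxes elsewhere. The role group name, OU path and member aliases are placeholders.

```powershell
# Added example (not from the original article): build a least-privilege role
# group from the Exchange Management Shell instead of the EAC wizard.
# All names below are placeholders; replace them with your own.

$RoleGroupName = 'Branch Helpdesk'          # assumed role group name
$BranchOU      = 'contoso.com/Branch'       # assumed OU containing the branch mailboxes
$FirstMember   = 'hd-admin1'                # assumed administrator alias

# 1. A custom recipient write scope. Without it the "Mail Recipients" role
#    would let members modify every recipient in the organization.
New-ManagementScope -Name "$RoleGroupName Scope" `
    -RecipientRoot $BranchOU `
    -RecipientRestrictionFilter "RecipientType -eq 'UserMailbox'"

# 2. The role group itself, holding only the roles the task needs and bound
#    to the scope from step 1. The EAC wizard has no field for this scope.
New-RoleGroup -Name $RoleGroupName `
    -Roles 'Mail Recipients', 'Reset Password', 'View-Only Recipients' `
    -CustomRecipientWriteScope "$RoleGroupName Scope" `
    -Members $FirstMember `
    -Description 'Manage mailboxes in the Branch OU only'

# 3. Adding a member later is the shell equivalent of the Members (+) button.
Add-RoleGroupMember -Identity $RoleGroupName -Member 'hd-admin2'

# 4. Verify: each assignment created for the group should carry the custom
#    scope, and the membership should be exactly who you expect.
Get-ManagementRoleAssignment -RoleAssignee $RoleGroupName |
    Format-Table Role, RecipientWriteScope, CustomRecipientWriteScope -AutoSize
Get-RoleGroupMember -Identity $RoleGroupName
```

If the verification output shows RecipientWriteScope as Organization for any of the assignments, the scope was not applied and the group has more reach than intended.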


Role Assignment Policies:

Exchange Server 2016 provides a role assignment policy which allows granting permissions to end users to change the settings of their own mailboxes and on distribution groups that they own. These settings include their display name, contact information, voice mail settings, and distribution group membership.

An Exchange 2016 organization can have multiple role assignment policies that provide different levels of permissions to different types of users, depending on the requirement. Role assignment policies are assigned directly to mailboxes, and each mailbox can be associated with only one role assignment policy at a time. One role assignment policy in the organization is marked as the default; it is applied to new mailboxes that are not explicitly given a specific role assignment policy when they are created.

  • End-user roles are assigned to role assignment policies. Role assignment policies can share the same end-user roles.
  • Role assignment policies are associated with mailboxes. Each mailbox can only be associated with one role assignment policy at a time.
  • After a mailbox is associated with a role assignment policy, the end-user roles are applied to that mailbox. The permissions granted by the roles are granted to the user of the mailbox.

NOTE: Only end-user roles can be assigned to role assignment policies.

Create a new Role Assignment Policy:

Open the EAC and navigate to Permissions > User Roles, then click the Add (+) icon.

In the New Role Assignment Policy window, provide the name and description for the role assignment policy, select the roles that should be granted, and click Save:



PowerShell commands for role assignment policies:

Create a new role assignment policy:

New-RoleAssignmentPolicy <assignment policy name> -Roles <roles to assign>

Assign or change a user's role assignment policy:

Set-Mailbox <mailbox alias or name> -RoleAssignmentPolicy <assignment policy>

Remove a role assignment policy:

Remove-RoleAssignmentPolicy <role assignment policy>

NOTE: Before a role assignment policy can be removed, the following must be done:

  • All mailboxes assigned to the policy must be moved to another assignment policy.
  • All management role assignments between the policy and its management roles must be removed.
  • If the default assignment policy is to be removed, it must be the last assignment policy in the Exchange 2016 organization.
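The cmdlets above are shown one at a time; the following script, added here as an example that is not part of the original article, chains them into the full lifecycle of a restricted policy: create it with fewer My* roles than the default, apply it to the mailboxes in one OU, and later retire it in the order the note requires. The policy name and OU path are placeholders.

```powershell
# Added example (not from the original article): create a restricted role
# assignment policy, apply it, and retire it following the three prerequisites.
# The policy name and OU are placeholders; replace them with your own.

$PolicyName = 'Limited Self-Service'         # assumed policy name
$TargetOU   = 'contoso.com/Contractors'       # assumed OU

# A policy that omits MyDistributionGroups (no self-service group creation)
# and MyProfileInformation (users cannot change their own display name).
New-RoleAssignmentPolicy -Name $PolicyName `
    -Roles 'MyBaseOptions', 'MyContactInformation', 'MyDistributionGroupMembership', 'MyVoiceMail' `
    -Description 'Self-service without group creation or display-name changes'

# Confirm what the policy actually grants before assigning it to anyone.
Get-ManagementRoleAssignment -RoleAssignee $PolicyName |
    Format-Table Role, RoleAssigneeType -AutoSize

# Apply it to every mailbox in the OU.
Get-Mailbox -OrganizationalUnit $TargetOU -ResultSize Unlimited |
    Set-Mailbox -RoleAssignmentPolicy $PolicyName

# Which mailboxes use which policy (quick sanity check).
Get-Mailbox -ResultSize Unlimited |
    Group-Object -Property RoleAssignmentPolicy |
    Select-Object Name, Count

# ---- Retiring the policy, in the order the NOTE above requires ------------
# 1. Every mailbox on the policy must move to another policy (here, the default).
$Default = Get-RoleAssignmentPolicy | Where-Object { $_.IsDefault }
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.RoleAssignmentPolicy -eq $PolicyName } |
    Set-Mailbox -RoleAssignmentPolicy $Default.Name

# 2. Remove the role assignments between the policy and its roles.
Get-ManagementRoleAssignment -RoleAssignee $PolicyName |
    Remove-ManagementRoleAssignment -Confirm:$false

# 3. Only now will Remove-RoleAssignmentPolicy succeed. (A default policy can
#    be removed only when it is the last policy left in the organization.)
Remove-RoleAssignmentPolicy -Identity $PolicyName -Confirm:$false
```

If a different policy should become the default before you retire the old one, mark it with Set-RoleAssignmentPolicy -Identity <policy> -IsDefault; new mailboxes created afterwards will pick it up automatically.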

Ratish Nair

Microsoft MVP | Exchange Server

Team @MSExchangeGuru
