The RBAC Triangle of Power
Before we end this article, let’s have a look at a graphical representation that summarizes how RBAC works.
Members of the Exchange team like to depict the workings of RBAC with what they call the "Triangle of Power".
The Triangle of Power is made up of four main components: the Where, the What, the Who, and the Glue.
The Where or Scope represents the range over which a particular role assignment is supposed to apply, i.e., a single organizational unit, a single user, a group of users, or the entire organization.
The What or Role represents what your role can actually do. Exchange Server 2010 has 65 built-in roles that you can either use straightaway or build from.
The Who or Role Group, as we mentioned way back, is simply a collection of roles (which in turn are made up of cmdlets and parameters). You combine this with the Scope to come up with a complete Role Assignment.
Predefined Role Groups used in Exchange Server 2010 Role Based Access Control:
- Delegated Setup - For admins who need to deploy Exchange 2010 servers that have been previously provisioned by a member of the Organization Management role group.
- Discovery Management - For admins who need to perform searches of mailboxes for data that meet specific criteria as well as configure legal holds on mailboxes.
- Help Desk - For admins who need to view and modify the Microsoft Office Outlook Web App options.
- Hygiene Management - For administrators who need to configure the virus and antivirus features of Exchange.
- Organization Management - For admins who need to have administrative access to the entire Exchange 2010 organization.
- Public Folder Management - For administrators who need to manage public folders and databases on servers running Exchange 2010.
- Recipient Management - For admins who need to manage Exchange 2010 recipients.
- Records Management - For administrators who need to configure compliance features such as retention policies, message classifications, and transport rules.
- Server Management - For admins who need to set server-specific configurations of transport, Unified Messaging (UM), client access, and mailbox features.
- UM Management - For admins who need to manage UM-related server configurations, properties on mailboxes, prompts, and auto attendant configurations.
- View-Only Organization Management - For administrators who need to view the properties of any object in Exchange.
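To see the Who, the What and the Where for a live organization, the following added example (not part of the original article) lists every role group with its members and each role assignment's role and scopes, then singles out the groups whose assignments allow recipient writes across the whole organization. It assumes the Exchange Management Shell on Exchange 2010; the variable names and report columns are illustrative choices.

```powershell
# Added example, read-only: only Get-* cmdlets are used.
# Run in the Exchange Management Shell of an Exchange 2010 organization.

$report = foreach ($group in Get-RoleGroup) {
    # Who: current members of the role group
    $members = @(Get-RoleGroupMember -Identity $group.Name |
                 ForEach-Object { $_.Name }) -join '; '

    # Each role assignment binds one role (What) to the group
    # under read and write scopes (Where).
    foreach ($ra in Get-ManagementRoleAssignment -RoleAssignee $group.Name) {
        New-Object PSObject -Property @{
            RoleGroup      = $group.Name
            Members        = $members
            Role           = "$($ra.Role)"
            RecipientWrite = "$($ra.RecipientWriteScope)"
            ConfigWrite    = "$($ra.ConfigWriteScope)"
            CustomScope    = "$($ra.CustomRecipientWriteScope)"
            Delegation     = "$($ra.RoleAssignmentDelegationType)"
            Enabled        = $ra.Enabled
        }
    }
}

# Full listing: one row per role assignment
$report | Sort-Object RoleGroup, Role |
    Format-Table RoleGroup, Role, RecipientWrite, ConfigWrite,
                 CustomScope, Delegation, Enabled -AutoSize

# Review list: groups holding enabled assignments whose recipient
# write scope is the entire organization, with their members
$report |
    Where-Object { $_.Enabled -and $_.RecipientWrite -eq 'Organization' } |
    Group-Object RoleGroup |
    ForEach-Object {
        New-Object PSObject -Property @{
            RoleGroup = $_.Name
            OrgWide   = $_.Count
            Members   = $_.Group[0].Members
        }
    } |
    Sort-Object OrgWide -Descending |
    Format-Table RoleGroup, OrgWide, Members -AutoSize -Wrap
```

Comparing the Members column against the people who actually need each group is a quick least-privilege check, particularly for Organization Management.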
http://www.msexchange.org/articles_tutorials/exchange-server-2010/management-administration/exchange-2010-role-based-access-control-part1.html