Thursday, August 4, 2011

Understanding Management Role Groups

A management role group is a universal security group (USG) used in the Role Based Access Control (RBAC) permissions model in Microsoft Exchange Server 2010. A management role group simplifies the assignment of management roles to a group of users. All members of a role group are assigned the same set of roles. Role groups are assigned administrator and specialist roles that define major administrative tasks in Exchange 2010 such as organization management, recipient management, and other tasks. Role groups enable you to more easily assign a broader set of permissions to a group of administrators or specialist users.



  • Role holder A role holder is a mailbox that can be added as a member of a role group. When a mailbox is added as a member of a role group, the assignments that have been made between management roles and a role group are applied to the mailbox. This grants the mailbox all of the permissions provided by the management roles.
  • Management role group The management role group is a special USG that contains mailboxes that are members of the role group. This is where you add and remove members, and it's also what management roles are assigned to. The combination of all the roles on a role group defines everything that users added to a role group can manage in the Exchange organization.
  • Management role assignment A management role assignment links a management role and a role group. Assigning a management role to a role group grants members of the role group the ability to use the cmdlets and parameters defined in the management role. Role assignments can use management scopes to control where the assignment can be used. For more information, see Understanding Management Role Assignments.
  • Management role scope A management role scope is the scope of influence or impact on a role assignment. When a role is assigned with a scope to a role group, the management scope targets specifically what objects that assignment is allowed to manage. The assignment, and its scope, are then given to the members of the role group, which restricts what those members can manage. A scope can be made up of lists of servers or databases, organizational units, or filters on server, database or recipient objects. For more information, see Understanding Management Role Scopes.
  • Management role A management role is a container for a grouping of management role entries. Roles are used to define the specific tasks that can be performed by the members of a role group assigned the role. For more information, see Understanding Management Roles.
  • Management role entries Management role entries are the individual entries on a management role that provide access to cmdlets, scripts, and other special permissions that enable access to perform a specific task. Most often, role entries consist of a single cmdlet and the parameters that can be accessed by the management role, and therefore the role group to which the role is assigned.


When you create a role group, you create the USG that holds the members of the role group, and you create the assignments between the role group and the management roles you specify. Optionally, you can also specify a management scope to apply to the role assignments, and you can add any mailboxes that you want to be members of the new role group.

After you create a role group, each layer becomes an independent object. The role group continues to be the central point at which all of the layers are joined together; however, each layer is managed individually. For example, to modify the management scope that you applied to the role group when it was created, you need to change the scope on each individual role assignment after the role group is created. The role group model is managed using the cmdlets that manage the individual layers of the model.
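The following Exchange Management Shell sequence is an added example, not part of the original article: it creates a scoped role group in one step and then changes the scope on every assignment afterwards, which is the "each layer is independent" point made above. The role group name, member aliases, OU path and scope name are placeholders.

```powershell
# Added example, not from the original article. Assumes an Exchange 2010
# Management Shell session; "Sales Recipient Admins", "contoso.com/Sales",
# the member aliases and the scope name are placeholders.

# 1. Create the role group. This single cmdlet creates the USG, one role
#    assignment per role listed, applies the OU as the recipient write scope
#    on each of those assignments, and adds the initial members.
New-RoleGroup -Name "Sales Recipient Admins" `
    -Roles "Mail Recipients", "Distribution Groups" `
    -RecipientOrganizationalUnitScope "contoso.com/Sales" `
    -Members "jsmith", "mjones" `
    -Description "Recipient administration limited to the Sales OU"

# 2. The scope is stored on each assignment, not on the role group itself.
Get-ManagementRoleAssignment -RoleAssignee "Sales Recipient Admins" |
    Format-Table Name, Role, RecipientWriteScope, RecipientReadScope -AutoSize

# 3. To narrow the scope later (here: only user mailboxes under the Sales OU),
#    define a custom scope and apply it to every assignment of the group.
#    Piping all assignments through Set-ManagementRoleAssignment avoids
#    leaving one assignment behind with the old, wider scope.
New-ManagementScope -Name "Sales Mailboxes Only" `
    -RecipientRoot "contoso.com/Sales" `
    -RecipientRestrictionFilter { RecipientType -eq 'UserMailbox' }

Get-ManagementRoleAssignment -RoleAssignee "Sales Recipient Admins" |
    Set-ManagementRoleAssignment -CustomRecipientWriteScope "Sales Mailboxes Only"

# 4. Verify that no assignment kept the old scope (this should return nothing),
#    then list the mailboxes that hold the permission through this group.
Get-ManagementRoleAssignment -RoleAssignee "Sales Recipient Admins" |
    Where-Object { [string]$_.CustomRecipientWriteScope -ne "Sales Mailboxes Only" }

Get-RoleGroupMember -Identity "Sales Recipient Admins"
```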

The following list gives each role group model layer and the procedural topics that you can use to manage it.

Role group management topics

Role holder
  • Add Members to a Role Group
  • Remove Members from a Role Group

Role group
  • Create a Role Group
  • Change a Linked Foreign USG on a Linked Role Group
  • Add or Remove a Role Group Delegate
  • Remove a Role Group

Management roles and assignments
  • Add a Role to a Role Group
  • Remove a Role from a Role Group
  • Change the Scope of Role Assignments to a Role Group

Management role entries
  • Add a Role Entry to a Role
  • Change a Role Entry
  • Remove a Role Entry from a Role

Note:
Changing the management role entries in the management roles assigned to a role group is an advanced task and is generally not required. Instead, you may be able to use a preexisting management role that suits your requirements. For more information, see Built-in Role Groups.


Built-in role groups are role groups shipped with Exchange 2010. They provide you with a set of role groups that you can use to grant varying levels of administrative permissions to groups of users. You can add or remove users to or from any built-in role group. You can also add or remove role assignments to or from most role groups. The only exceptions are the following:

  • You can't remove any delegating role assignments from the Organization Management role group.
  • You can't remove the Role Management role from the Organization Management role group.
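As an added example (not from the original article), the read-only audit below walks every role group through the layers described above, recording members, roles, delegation type and write scopes per assignment, and verifies the two Organization Management invariants just listed instead of assuming them. It assumes an Exchange 2010 Management Shell session; the export path is a placeholder.

```powershell
# Added example, not from the original article. Read-only audit run from an
# Exchange 2010 Management Shell (PowerShell 2.0 compatible); the CSV path
# is a placeholder.

$report = foreach ($group in Get-RoleGroup) {
    $members     = @(Get-RoleGroupMember -Identity $group.Identity)
    $assignments = Get-ManagementRoleAssignment -RoleAssignee $group.Identity

    # One row per role assignment: the assignment, not the group, carries the scope.
    foreach ($a in $assignments) {
        New-Object PSObject -Property @{
            RoleGroup      = $group.Name
            MemberCount    = $members.Count
            Members        = ($members | ForEach-Object { $_.Name }) -join ';'
            Role           = [string]$a.Role
            DelegationType = [string]$a.RoleAssignmentDelegationType   # Regular / Delegating
            RecipientScope = [string]$a.RecipientWriteScope
            ConfigScope    = [string]$a.ConfigWriteScope
            Enabled        = $a.Enabled
        }
    }
}

# Organization Management must keep the Role Management role and its
# delegating assignments; warn if either invariant has been broken.
$orgMgmt = $report | Where-Object { $_.RoleGroup -eq 'Organization Management' }
if (-not ($orgMgmt | Where-Object { $_.Role -eq 'Role Management' })) {
    Write-Warning "Organization Management no longer holds the Role Management role"
}
if (-not ($orgMgmt | Where-Object { $_.DelegationType -ne 'Regular' })) {
    Write-Warning "Organization Management has no delegating role assignments"
}

# Members of any group holding an organization-wide write scope can change
# recipients or configuration across the whole organization; list them for review.
$report |
    Where-Object { $_.RecipientScope -eq 'Organization' -or $_.ConfigScope -eq 'OrganizationConfig' } |
    Select-Object RoleGroup, MemberCount, Members -Unique |
    Format-Table -AutoSize

$report | Export-Csv -Path 'C:\Audit\rbac-role-groups.csv' -NoTypeInformation
```

Keep successive exports and diff them: a new row for a built-in group, or a jump in MemberCount on Organization Management, is the change worth investigating.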

The following list gives all of the built-in role groups included with Exchange 2010. For more information about built-in role groups, see Built-in Role Groups.

Built-in role groups

  • Organization Management: Administrators who are members of the Organization Management role group have administrative access to the entire Exchange 2010 organization and can perform almost any task against any Exchange 2010 object.
  • View-Only Organization Management: Administrators who are members of the View-Only Organization Management role group can view the properties of any object in the Exchange organization.
  • Recipient Management: Administrators who are members of the Recipient Management role group have administrative access to create or modify Exchange 2010 recipients within the Exchange 2010 organization.
  • UM Management: Administrators who are members of the UM Management role group can manage the Unified Messaging (UM) features in the Exchange organization, such as Unified Messaging server configuration, UM properties on mailboxes, UM prompts, and UM auto attendant configuration.
  • Discovery Management: Administrators or users who are members of the Discovery Management role group can perform searches of mailboxes in the Exchange organization for data that meets specific criteria.
  • Records Management: Users who are members of the Records Management role group can configure compliance features, such as retention policy tags, message classifications, transport rules, and more.
  • Server Management: Administrators who are members of the Server Management role group have administrative access to Exchange 2010 server configuration. They don't have access to administer Exchange 2010 recipient configuration.
  • Help Desk: Users who are members of the Help Desk role group can perform limited recipient management of Exchange 2010 recipients.
  • Hygiene Management: Administrators who are members of the Hygiene Management role group can configure the antivirus and anti-spam features of Exchange 2010. Third-party programs that integrate with Exchange 2010 can add service accounts to this role group to grant those programs access to the cmdlets required to retrieve and configure the Exchange configuration.
  • Public Folder Management: Administrators who are members of the Public Folder Management role group can manage public folders and databases on Exchange 2010 servers.
  • Delegated Setup: Administrators who are members of the Delegated Setup role group can deploy previously provisioned Exchange 2010 servers.
