Applies to: Office 365 for enterprises, Live@edu
Topic Last Modified: 2011-02-03
A role group is a built-in universal security group with administrative rights. These administrative rights are specified by the management roles that are assigned to the role group. When you add members to the role group, those members are given the administrative rights of the role group.
You can create a completely new role group, or you can create a new role group by copying an existing role group.
- In the Exchange Control Panel, select Manage My Organization > Roles & Auditing > Administrator Roles.
- Do one of the following:
  - Click New to create a completely new role group.
  - To create a new role group from an existing one, select a role group and click Copy. The roles, scope, description, and display name of the existing role group are copied, but the role group members aren't copied.
    Note: You can't copy a role group if any of the following conditions are true:
    • An end-user role is assigned to the role group.
    • A role is assigned to the role group using a different write scope than the other roles.
    • Roles are assigned to the role group using exclusive write scopes. An exclusive write scope isolates specific mailboxes so they can be managed by designated administrators only. For more information, see Create Exclusive Write Scopes.
- Enter the following information in the New Role Group window:
  - Name
    A unique, descriptive name for the role group.
  - Description
    A description of the role's capabilities.
  - Write Scope
    The write scope defines the administrative boundary of the roles assigned to the role group. In other words, the write scope defines where members of the role group can make changes.
    When you select a write scope from the drop-down list, it is applied to all the roles that are assigned to the role group. You can select from two kinds of write scopes:
    - Default: This is the implicit write scope that applies to all the roles assigned to the role group. For built-in administrator roles that allow users to modify objects, the default write scope is the entire organization.
    - Custom: These are custom write scopes you created using the New-ManagementScope cmdlet.
      - Cloud-based organizations can create custom write scopes based on recipient filters. For example, "All users where CustomAttribute1 contains 'students'".
      - On-premises implementations of Microsoft Exchange Server 2010 can also create custom write scopes based on Exchange Server attributes, Exchange database attributes, or organizational units.
  - Organizational Unit
    This option is only available in on-premises implementations of Exchange 2010.
    Type the name of an existing organizational unit (OU) to define the write scope boundary for the roles assigned to the role group. For example, if you specify the value contoso.com/users/americas and assign the Recipient Management role to the role group, members of the role group can manage recipients in the contoso.com/users/americas OU only.
  - Roles
    Use this section to add or remove the administrator roles that are assigned to the role group. You can add or remove built-in roles or custom roles.
    When you add a role, you add the capabilities of the role to the role group members. To add a role, click Add.
    To remove a role, select the role and click Remove.
  - Members
    Use this section to add role group members.
    When you add a member, you are assigning permissions to perform the administrative tasks assigned to the role group. You can add users, security groups, or other role groups. To add members to the role group, click Add.
    To remove a member from the role group, select the member and click Remove.
- When you are finished, click Save.
  Note: Affected users may have to sign out and then sign in again to see the changes.
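The same procedure from the Exchange Management Shell, followed by a review of what was granted, as an added example that is not part of the original topic. The scope name, role group name, member alias and the choice of the Mail Recipients and Reset Password roles are assumptions, and the filter matches the exact value 'students' rather than the "contains" match in the example above.

```powershell
# Added example; run in a PowerShell session connected to the Exchange organization.
# All names below are hypothetical placeholders.
$scopeName = 'Students Only'
$groupName = 'Student Help Desk'
$member    = 'helpdesk1'          # alias of an existing user (assumed)

# 1. Custom write scope based on a recipient filter.
#    Exact match on CustomAttribute1; the example in the text uses "contains".
New-ManagementScope -Name $scopeName `
    -RecipientRestrictionFilter "CustomAttribute1 -eq 'students'"

# 2. Role group with a name, description, roles, the custom write scope and members.
New-RoleGroup -Name $groupName `
    -Description 'Manages mailboxes of student accounts only' `
    -Roles 'Mail Recipients', 'Reset Password' `
    -CustomRecipientWriteScope $scopeName `
    -Members $member

# 3. Review what was granted: each role assignment and the scope it carries.
$assignments = Get-ManagementRoleAssignment -RoleAssignee $groupName
$assignments | Format-Table Role, RecipientWriteScope, CustomRecipientWriteScope -AutoSize

# 4. Least-privilege check: every assignment should carry the custom scope.
#    For built-in roles that modify objects, the default scope is the entire organization.
$unscoped = $assignments |
    Where-Object { "$($_.CustomRecipientWriteScope)" -ne $scopeName }
if ($unscoped) {
    Write-Warning "Assignments not limited to '$scopeName':"
    $unscoped | Format-Table Name, Role, RecipientWriteScope -AutoSize
}

# 5. Confirm membership, since members receive everything assigned above.
Get-RoleGroupMember -Identity $groupName | Format-Table Name, RecipientType -AutoSize
```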
