Administrator Role Groups


Applies to: Office 365 for enterprises, Live@edu

Topic last modified: 2011-11-23


Role groups make assigning administrative permissions easy. To assign a user the permissions to perform specific administrative tasks, you add the user as a member of the role group for those administrative tasks. For example, if you hire a new employee for your helpdesk staff, you simply add the new employee to the Help Desk role group and they're ready to go.

Let's look at how role groups work and what role groups are available by default:

Anatomy of a role group

An administrator role group is a universal security group with administrative rights assigned to it. These administrative rights are specified by built-in management roles, which are part of the role based access control (RBAC) permissions model. A management role, also called an RBAC role or simply role, defines what someone has access to and what tasks they can perform.

What makes up a role group?

[Figure: Administrator Role Groups]

Role group members   Like distribution groups, or public groups, administrator role groups have members. The roles assigned to the role group are applied to each member who is added to the role group. This grants each user all the permissions allowed by the roles assigned to the role group.

To view the members of a role group:

  • In the Exchange Control Panel

    1. Select Manage My Organisation > Roles & Auditing > Administrator Roles.

    2. Select a role group, and you'll see its membership in the details pane.

  • In Windows PowerShell, run the following command:

    Get-RoleGroupMember "<name of role group>"
    

Role group   Roles are assigned to the role group. The combination of all roles assigned to the role group defines everything that role group members can manage in their organisation.

To view the role groups for your organisation:

  • In the Exchange Control Panel

    Select Manage My Organisation > Roles & Auditing > Administrator Roles.

  • In Windows PowerShell, run the following command:

    Get-RoleGroup
    

Role assignments   A role assignment associates a management role to a role group. Assigning a role to a role group grants members of the role group permissions to use the Windows PowerShell cmdlets and parameters defined in the role. Role assignments also use management scopes to control where the assignment can be used.

Because a role can be assigned to different role groups, a role assignment identifies a specific assignment, and the name of that assignment is unique within your organisation. For example, the User Options role is assigned to both the Organisation Management and Help Desk role groups, but the name of the assignment is different and uniquely identifies the assignment for each group: User Options-Help Desk and User Options-Organisation Management.

To view the roles assigned to a specific role group:

  • In the Exchange Control Panel

    1. Select Manage My Organisation > Roles & Auditing > Administrator Roles.

    2. Select a role group, and you'll see the roles assigned to the role group in the details pane.

      Note   Not all roles assigned to a role group are applicable or available to all cloud-based organisations.

  • In Windows PowerShell, run the following command:

    Get-ManagementRoleAssignment -RoleAssignee "<name of role group>"
    

    To view all role assignments in your organisation, run the following command:

    Get-ManagementRoleAssignment
    

Role write scopes   The write scope defines the administrative boundary of the roles assigned to the role group. In other words, the write scope defines where members of the role group can make changes. For built-in administrator roles that allow users to modify objects, the default write scope is the entire organisation.

You can also create custom write scopes based on recipient filters, for example "All users where Department equals 'finance'". If you create a new role group and assign the User Options role using the custom write scope, members of the role group can view and change account settings on the mailbox's Options page only for those mailboxes where "Department equals 'finance'". You create custom write scopes using the New-ManagementScope cmdlet.

To view the write scopes for each role assigned to a specific role group:

  • In the Exchange Control Panel

    1. Select Manage My Organisation > Roles & Auditing > Administrator Roles.

    2. Select a role group and click Details to view the write scope for all assigned roles.

      Note   If any of the following conditions is true, you can't view the write scope in Exchange Control Panel:

      •  An end-user role is assigned to the role group.

      •  A role is assigned to the role group using a different write scope than the other roles.

      •  Roles are assigned to the role group using exclusive write scopes. An exclusive write scope isolates specific mailboxes so they can be managed by designated administrators only. For more information, see Create Exclusive Write Scopes.

  • In Windows PowerShell, run the following command:

    Get-ManagementRoleAssignment -RoleAssignee "<name of role group>" | Format-List Role,RecipientWriteScope
    
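The following script is an added example, not part of the original help topic. It carries the finance example above through end to end: it creates the custom write scope with New-ManagementScope, creates a role group whose User Options assignment is limited to that scope, and then verifies the assignment and scope. The names "Finance Users" and "Finance Help Desk" and the member "alice@contoso.com" are assumptions chosen for illustration; the cmdlets and parameters are the standard Exchange RBAC ones.

```powershell
# Added example (not from the original topic). Run in a remote PowerShell
# session connected to the organisation, with an account that is a member of
# Organisation Management. Names below are illustrative assumptions.

# 1. Define the custom write scope with the recipient filter from the topic.
New-ManagementScope -Name "Finance Users" -RecipientRestrictionFilter { Department -eq 'finance' }

# 2. Create the role group, assigning the User Options role under that scope
#    and adding the first member at the same time.
New-RoleGroup -Name "Finance Help Desk" `
    -Roles "User Options" `
    -CustomRecipientWriteScope "Finance Users" `
    -Members "alice@contoso.com"

# 3. Verify the assignment. RecipientWriteScope reads CustomRecipientScope and
#    CustomRecipientWriteScope names the scope, so members of the group cannot
#    change mailboxes outside the finance department.
Get-ManagementRoleAssignment -RoleAssignee "Finance Help Desk" |
    Format-List Name, Role, RecipientWriteScope, CustomRecipientWriteScope

# 4. Confirm the filter that defines the scope before handing out membership.
Get-ManagementScope "Finance Users" | Format-List Name, RecipientFilter
```

Check the output of step 3 before adding more members: if RecipientWriteScope shows Organization rather than CustomRecipientScope, the role was assigned without the custom scope and the group can change every mailbox in the organisation.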

Roles   An RBAC role is a container for a grouping of management role entries. Roles define the specific tasks that can be performed by the members of a role group that the role is assigned to.

To view the administrator roles in your organisation:

  • In the Exchange Control Panel

    1. Select Manage My Organisation > Roles & Auditing > Administrator Roles.

    2. Click New or select an existing role group and click Details.

    3. In the Role Group page, in the Roles section, click Add. Note that we aren't going to modify the roles assigned to the role group. Instead, we just want to look at the list of administrator roles.

    4. In the Select a Role page, you can view the names and descriptions of the roles.

    5. When you are finished, click Cancel in the Select a Role page, and again in the Role Group page.

  • In Windows PowerShell, run the following command:

    Get-ManagementRole | Where {$_.IsEndUserRole -eq $false}
    

Role entries   Role entries are the individual entries on a management role. Role entries provide access to cmdlets, scripts and other special permissions that let users perform a specific task. A role entry is often a single cmdlet and the parameters that members of a role group can run when the role is assigned to the role group.

To view the cmdlets and the parameters associated with a role without truncating the results:

  • In Windows PowerShell, run the following command:

    Get-ManagementRoleEntry "<name of the role>\*" | ConvertTo-Html > "<file name>.html"
    

    Open the resulting HTML file in a Web browser. The information is in the Name and Parameters columns.


Built-in role groups

The following built-in role groups are available by default. Remember that not all roles assigned to a role group are applicable or available to a cloud-based organisation.


Role group   Administrative tasks members can perform

Discovery Management

Use Multi-Mailbox Search to search mailboxes across the organisation for email and other message types that contain specific keywords.

Help Desk

Reset passwords for users and manage settings on the Options page for users' cloud-based accounts. To help troubleshoot user issues, members can also view, but not modify, all mailboxes, distribution groups and external contacts in the organisation.

Note   In Office 365 for enterprises, you can't reset passwords in the Exchange Control Panel or Windows PowerShell. To allow a user to reset passwords in the Microsoft Online Services Portal, you must assign the Office 365 password administrator role to the user in the Microsoft Online Services Portal.

Organisation Management

Manage all aspects of the cloud-based organisation. By default, the account that you specified during the initial enrolment in the cloud-based email service is a member of this role group.

Important   This is a very powerful role group. Only users who perform organisation-level administrative tasks that may affect your entire organisation should be members of this role group.

Recipient Management

Create and manage mailboxes, distribution groups and external contacts. Members can also import new users, track messages sent and received by users and manage Exchange ActiveSync settings for the organisation.

Records Management

Create and manage organisation-wide rules, also known as transport rules. Members can also track messages sent and received by users.

UM Management

Manage Unified Messaging (UM) server configurations, UM properties on mailboxes, UM prompts and UM auto attendant configuration.

Note   This role group isn't available in Live@edu organisations.

View-Only Organisation Management

View, but not modify, all mailboxes, distribution groups and external contacts in the organisation. Members can also view settings for role assignment policies, transport rules and organisation-wide settings.
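Because membership of the built-in role groups, and of Organisation Management in particular, determines who can change the whole organisation, it is worth reviewing it on a schedule. The script below is an added example, not part of the original topic: it uses the Get-RoleGroup, Get-RoleGroupMember and Get-ManagementRoleAssignment cmdlets described earlier to build one inventory of every role group, its members, and each assigned role with its write scope, writes it to CSV, and then picks out the two things a reviewer most wants to see. The output path is an assumption. Note that cmdlet output uses the US spelling "Organization Management" for the group name, whatever the spelling in the Control Panel.

```powershell
# Added example (not from the original topic). Run in a remote PowerShell
# session connected to the organisation with an account that can read RBAC
# configuration (for example a member of View-Only Organisation Management).

$report = foreach ($group in Get-RoleGroup) {
    $members     = @(Get-RoleGroupMember $group.Identity)
    $assignments = Get-ManagementRoleAssignment -RoleAssignee $group.Identity

    # One row per role assignment, with the group's membership repeated so the
    # CSV can be filtered either by group or by role.
    foreach ($assignment in $assignments) {
        [PSCustomObject]@{
            RoleGroup   = $group.Name
            MemberCount = $members.Count
            Members     = ($members | ForEach-Object { $_.Name }) -join ';'
            Role        = $assignment.Role
            WriteScope  = $assignment.RecipientWriteScope
            CustomScope = $assignment.CustomRecipientWriteScope
        }
    }
}

# Assumed output path; keep the file with the rest of your change records.
$report | Export-Csv -Path ".\RoleGroupAudit.csv" -NoTypeInformation

# 1. Who holds the most privileged built-in role group?
$report |
    Where-Object { $_.RoleGroup -eq 'Organization Management' } |
    Select-Object -First 1 -ExpandProperty Members

# 2. Which assignments use a custom or exclusive scope instead of the default
#    organisation-wide scope? These are the ones whose scope filters must be right.
$report |
    Where-Object { $_.WriteScope -ne 'Organization' } |
    Format-Table RoleGroup, Role, WriteScope, CustomScope -AutoSize
```

Comparing successive CSV exports shows membership and assignment changes between reviews, which is usually more useful than the full listing itself.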
