In Outlook Live, you use role-based access control (RBAC) to assign capabilities to users. All permissions and capabilities are defined by management roles. A management role, also called an RBAC role or simply role, defines what someone has access to and what tasks they can perform. When you assign a role to a user, the user is then able to perform the tasks that are defined by the role.
There are two different kinds of roles:
- End-user roles: These roles assign basic capabilities to end users. For example, there are roles that let users edit their contact information in the shared address book and create public groups.
- Administrator roles: These roles assign administrative capabilities to administrators and other specialists, such as help desk personnel or compliance officers. For example, there are roles that let users create, modify and delete mailboxes, mail contacts, and mail users, and reset users' passwords.
How do I assign roles to users?
Roles are assigned to users by role assignments. There are different ways to assign roles to users:
- End-user roles assigned to the role assignment policy in a mailbox plan: Typically, this is how users are assigned end-user roles. Do you want to remove a role from a mailbox plan and thereby affect all users who are assigned to the mailbox plan? Simply remove the role from the role assignment policy of the mailbox plan. Some roles can be added or removed in the Web management interface. Other roles can only be added or removed using Windows PowerShell.
  Note: Only end-user roles can be assigned to the role assignment policy in a mailbox plan.
- Roles assigned to a role group: A role group is a universal security group with administrative rights assigned to it. Typically, this is how administrator roles are assigned to administrators and specialists. Just add users to the appropriate role group, or remove users from the role group. When you assign a role to a role group, or remove a role assignment from a role group, all members of the role group are affected.
  Note: In Outlook Live, you can't create new role groups, but you can create new security groups.
- Roles assigned directly to a user or security group: This is where you can get very specific. If a role group is assigned many different roles that would give a particular user too much power in the organization, you may want to assign a role directly to the user. We recommend that you don't assign roles directly to users. Instead, create a new security group, assign the roles to the security group, and then add users to the security group.
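The recommendation above (assign roles to a security group instead of directly to users), as an added PowerShell example that is not part of the original topic. It assumes a Windows PowerShell session is already connected to Outlook Live and that your own roles permit these role-management cmdlets; the role name and group name are illustrative values chosen for this example.

```powershell
# Added example. Assumptions: connected remote session, sufficient role
# permissions, and the two names below (both chosen for illustration).
$ErrorActionPreference = 'Stop'          # stop before removing anything if a step fails
$roleName  = 'Reset Password'            # role to move off individual users
$groupName = 'HelpDesk-PasswordReset'    # hypothetical security group name

# 1. Find assignments of this role that point directly at a user.
$direct = @(Get-ManagementRoleAssignment -Role $roleName -RoleAssigneeType User)
if ($direct.Count -eq 0) {
    Write-Host "No direct user assignments of '$roleName' found."
    return
}
$direct | Format-Table RoleAssigneeName, Role, Name -AutoSize

# Scoped assignments are reported but not moved: the group assignment
# created below is unscoped and would widen what those users can manage.
$scoped   = @($direct | Where-Object { $_.CustomRecipientWriteScope })
$unscoped = @($direct | Where-Object { -not $_.CustomRecipientWriteScope })
if ($scoped.Count -gt 0) {
    Write-Warning "Skipping $($scoped.Count) scoped assignment(s); review by hand."
}
if ($unscoped.Count -eq 0) { return }

# 2. Create the security group and assign the role to it once.
New-DistributionGroup -Name $groupName -Type Security | Out-Null
New-ManagementRoleAssignment -Name "$roleName-$groupName" `
    -Role $roleName -SecurityGroup $groupName | Out-Null

# 3. Add each user to the group, then remove that user's direct assignment.
foreach ($assignment in $unscoped) {
    Add-DistributionGroupMember -Identity $groupName -Member $assignment.RoleAssigneeName
    Remove-ManagementRoleAssignment -Identity $assignment.Name -Confirm:$false
}

# 4. Verify: list who effectively holds the role and through which assignee.
Get-ManagementRoleAssignment -Role $roleName -GetEffectiveUsers |
    Format-Table EffectiveUserName, RoleAssigneeName, Role -AutoSize
```

After the run, step 4 should show the same users as before, now listed through the security group rather than by direct assignment.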
Yes, but you shouldn't have to. By default, there are approximately 35 administrator roles and nine end-user roles in Outlook Live. You'll find the roles contain specific functionality that isn't duplicated across different roles. If you feel that an existing role group or role assignment policy in a mailbox plan gives too much power to users, you can remove the specific role assignments without customizing the underlying roles.
How is the user experience affected by role assignments?
When you assign a role to a user, the user can access additional functionality as follows:
- In the Web management interface for Outlook Live: Each user can use only those tabs and options that are permitted by the roles that are assigned to them. For example, the Mailbox Searches tab only appears to a user after you add that user to the Discovery Management role group.
- In Windows PowerShell: When a user uses Windows Remote Management (WinRM) to connect Windows PowerShell to Outlook Live, the user can use only those cmdlets and parameters that are permitted by the roles that are assigned to them.