Role Based Access Control in Exchange Online


Applies to: Office 365 for enterprises, Live@edu

Topic Last Modified: 2010-06-02

You use role based access control (RBAC) to assign capabilities to users. All permissions and capabilities are defined by management roles. A management role, also called an RBAC role or simply role, defines what someone has access to and what tasks they can perform. When you assign a role to a user, the user is then able to perform the tasks that are defined by the role.

In this topic, we cover the following:

  • Roles by user type

  • How do I assign roles to users?

  • Can I customize a role?

  • How is the user experience affected by role assignments?

Roles by user type

There are two different kinds of roles:

  • End-user roles   These roles assign basic capabilities to end users. For example, there are roles that let users edit their own contact information in the shared address book, or create public groups.

  • Administrator roles   These roles assign administrative capabilities to administrators and other specialists, such as help desk personnel or compliance officers. For example, there are roles that let users create, modify, and delete mailboxes, mail contacts, and mail users, and reset users' passwords.

How do I assign roles to users?

Roles are assigned to users by role assignments. There are different ways to assign roles to users:

  • End-user roles assigned to the role assignment policy   Typically, this is how users are assigned end-user roles. To remove a capability from every user who has a given role assignment policy, remove the role from that policy. To give a large number of users greater or lesser capabilities, create a new role assignment policy with the appropriate roles and assign it to those users.

    Note   Only end-user roles can be assigned to the role assignment policy. Also, in Live@edu organizations, a role assignment policy is assigned to a mailbox plan. You can't create role assignment policies, nor can you assign role assignment policies directly to users. Instead, you assign mailbox plans to users.

  • Roles assigned to a role group   A role group is a universal security group to which management roles are assigned. Typically, this is how administrator roles are assigned to administrators and specialists. Just add users to the appropriate role group, or remove users from the role group. When you assign a role to a role group, or remove a role assignment from a role group, all members of the role group are affected at once.

    You can also create a new role group and add users to it. This is how you grant only what a particular job requires. If a built-in role group is assigned many different roles that would give a particular user too much power in the organization, create a new role group, assign only the roles that user needs, and then add the user to that group.

  • Roles assigned directly to a user   We recommend that you don't assign roles directly to users, because roles assigned to individual users are hard to track, and auditing who holds what becomes difficult. Instead, create a new role group, assign the roles to the group, and then add users to the group.
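The three assignment methods above, carried out end to end in the Windows PowerShell session you use to manage the service. This is an added example and not a script from the original topic. It assumes you are already connected with remote Windows PowerShell as a member of Organization Management, that the role names (Reset Password, MyContactInformation) and role group name (Recipient Management) are the built-in ones shipped with the service, and that Recipient Management currently holds the Reset Password role; the user and role group names (alice@contoso.com, Password Reset Desk, and so on) are made up for the example.

```powershell
# Added example, not part of the original topic. Assumes an existing remote
# Windows PowerShell session to Exchange Online opened by an Organization
# Management member. All account names and custom group/policy names below are
# made up; role and built-in role group names are the service's built-in ones.

# --- 1. Least-privilege role group instead of a broad built-in one --------
# Suppose help desk staff only need to reset passwords. Recipient Management
# grants far more than that, so create a role group carrying just that role.
New-RoleGroup -Name 'Password Reset Desk' `
    -Roles 'Reset Password' `
    -Description 'Resets user passwords only; no other recipient rights' `
    -Members 'alice@contoso.com'

# Membership changes apply the next time the member opens a session.
Add-RoleGroupMember    -Identity 'Password Reset Desk' -Member 'bob@contoso.com'
Remove-RoleGroupMember -Identity 'Password Reset Desk' -Member 'alice@contoso.com' -Confirm:$false

# --- 2. Removing a role assignment from a role group ----------------------
# Every member of the role group loses the capability at once. Assignment
# names follow the pattern '<Role>-<Role group>', but looking the assignment
# up by role group and role avoids depending on the exact name.
Get-ManagementRoleAssignment -RoleAssignee 'Recipient Management' |
    Format-Table Name, Role, RoleAssigneeType -AutoSize
Get-ManagementRoleAssignment -RoleAssignee 'Recipient Management' -Role 'Reset Password' |
    Remove-ManagementRoleAssignment -Confirm:$false

# --- 3. End-user roles through a role assignment policy ------------------
# Office 365 for enterprises only: Live@edu organizations cannot create role
# assignment policies and assign mailbox plans to users instead.
New-RoleAssignmentPolicy -Name 'Contact Info Only' -Roles 'MyContactInformation'
Set-Mailbox -Identity 'carol@contoso.com' -RoleAssignmentPolicy 'Contact Info Only'

# --- 4. Audit: who can actually do what, and through which assignment ------
# -GetEffectiveUsers expands role group membership, so roles inherited from
# role groups and roles assigned directly to a user both appear, with the
# path shown in AssignmentMethod (RoleGroup, Direct, RoleAssignmentPolicy...).
Get-ManagementRoleAssignment -GetEffectiveUsers |
    Where-Object { $_.EffectiveUserName -eq 'bob@contoso.com' } |
    Format-Table Role, RoleAssigneeName, RoleAssigneeType, AssignmentMethod -AutoSize

# Flag every role assigned straight to a user, the pattern the topic
# discourages; these are the assignments that are easiest to lose track of.
Get-ManagementRoleAssignment |
    Where-Object { $_.RoleAssigneeType -eq 'User' } |
    Format-Table Name, Role, RoleAssigneeName -AutoSize
```

Run step 4 before and after any change to a role group or policy; the effective-user view is the only one that tells you what a person can do regardless of how the capability reached them.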

Can I customize a role?

Yes, but you shouldn't have to. By default, there are approximately 30 administrator roles and 14 end-user roles. Each role contains a specific set of functionality that isn't duplicated in other roles. If you feel that an existing role group or role assignment policy gives too much power to users, remove the specific role assignments from that role group or policy instead of customizing the underlying roles. For example, see the following topics:

How is the user experience affected by role assignments?

When you assign a role to a user, the user can access additional functionality as follows:

  • In the Exchange Control Panel   Each user sees and can use only those tabs and options that are permitted by the roles assigned to them. For example, the Discovery tab appears to a user only after you add that user to the Discovery Management role group.

  • In Windows PowerShell   When a user uses Windows Remote Management (WinRM) to connect Windows PowerShell to the cloud-based service, only the cmdlets and parameters permitted by the roles assigned to that user are imported into the session. Cmdlets and parameters the user's roles don't cover are simply absent, not merely blocked.
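Two ways to verify the Windows PowerShell behaviour described above, as an added example that is not part of the original topic. Part A runs as the user being checked and inspects what the remote session actually imported; part B runs as an administrator and works backwards from a cmdlet and parameter to the roles that expose it and the people who hold them. It assumes the connection URI https://ps.outlook.com/powershell/ that the service documented for remote Windows PowerShell at the time (confirm it against the current connection topic), that no local Exchange management tools are installed on the workstation, and that Set-Mailbox -ResetPasswordOnNextLogon is the capability you care about; the account name is made up.

```powershell
# Added example, not part of the original topic. The connection URI is the one
# the service documented for remote Windows PowerShell at the time and is an
# assumption to verify; the credential/account name is made up.

# --- Part A: as the user, check what the session actually exposes ---------
$Cred    = Get-Credential   # e.g. helpdesk@contoso.com
$Session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'https://ps.outlook.com/powershell/' `
    -Credential $Cred -Authentication Basic -AllowRedirection

# Import-PSSession returns the temporary module holding the proxy functions.
# Only cmdlets (and parameters) allowed by the user's roles are proxied, so
# the proxy metadata is an authoritative view of what RBAC granted.
$Module = Import-PSSession $Session
$Proxies = Get-Command -Module $Module.Name

function Test-CloudCmdlet {
    # Reports whether a cmdlet, and optionally specific parameters, reached
    # this session. Absence means the user's roles do not grant it.
    param(
        [Parameter(Mandatory)] [string]   $Cmdlet,
        [string[]] $Parameter = @()
    )
    $cmd = $Proxies | Where-Object { $_.Name -eq $Cmdlet }
    if (-not $cmd) {
        return "$Cmdlet : not available to this account"
    }
    foreach ($p in $Parameter) {
        if (-not $cmd.Parameters.ContainsKey($p)) {
            return "$Cmdlet : available, but -$p is not permitted"
        }
    }
    if ($Parameter.Count -gt 0) {
        return "$Cmdlet : available with -$($Parameter -join ', -')"
    }
    return "$Cmdlet : available"
}

Test-CloudCmdlet -Cmdlet 'Set-Mailbox' -Parameter 'ResetPasswordOnNextLogon'
Test-CloudCmdlet -Cmdlet 'New-Mailbox'

# --- Part B: as an administrator, work backwards from a capability --------
# Which roles expose this cmdlet with this parameter?
$Roles = Get-ManagementRole -Cmdlet Set-Mailbox -CmdletParameters ResetPasswordOnNextLogon
$Roles | Format-Table Name -AutoSize

# What else does one of those roles let a holder run? Role entries are
# addressed as '<Role>\<Cmdlet>'.
Get-ManagementRoleEntry 'Reset Password\*' |
    Format-Table Name, Parameters -AutoSize

# Who ends up with the capability, and through which assignment path?
$Roles | ForEach-Object {
    Get-ManagementRoleAssignment -Role $_.Name -GetEffectiveUsers |
        Select-Object Role, EffectiveUserName, RoleAssigneeName, AssignmentMethod
} | Sort-Object EffectiveUserName, Role -Unique | Format-Table -AutoSize

Remove-PSSession $Session
```

Part A is the check to run when a user reports that a cmdlet "doesn't exist": the proxy was never generated because no assigned role grants it. Part B is the check to run before handing out a role, since a role that looks narrow by name may expose more cmdlets than its name suggests; the role entry listing shows exactly what it carries.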
