Role based access control got a lukewarm reception when it was introduced in Exchange 2010. While it allowed Exchange administrators to delegate mundane tasks to the help desk or to certain power users, the interface was cumbersome and proved confusing to delegates. Fortunately, RBAC has been improved in Exchange 2013. Here's what you need to know moving forward.
To access Exchange 2013 role based access control (RBAC), open the Exchange Administration Center console and click the Permissions tab. You will see the screen shown in Figure 1. At the top of this screen, you'll see that the console separates Admin Roles from the User Roles.
The center pane lists the defined administrative roles. The roles shown in the figure are defined by default, but you also have the option to create custom roles.
Gaining a full understanding of the default administrative roles is the most important part of RBAC management in Exchange 2013. Admins should know exactly what each role and role group does, so they don't give people the wrong privileges.
- Compliance Management: The Compliance Management role allows delegated administrators to configure and manage such compliance settings as data loss prevention, information rights management and retention management. These admins can view audit logs, configuration data and recipients.
- Delegated Setup: The Delegated Setup role lets administrators install Exchange Server 2013 on a server that has already been provisioned. This role also gives users the necessary permissions to uninstall Exchange and view Exchange configuration data.
- Discovery Management: The Discovery Management role provides administrators with e-discovery capabilities. Admins with this role can search mailboxes for data that meets the search criteria. Additionally, they can implement a legal hold.
- Help Desk: Administrators with the Help Desk role can manage user properties. It is worth noting, however, that users can also manage their own mailbox properties without the assistance of the help desk.
- Hygiene Management: The Hygiene Management role lets delegated administrators manage Exchange 2013's antispam settings. Admins in this role group can also configure antivirus products to work with Exchange 2013. In addition, they can configure transport agents, transport hygiene, receive connectors and more. The admins can also view recipients and Exchange configuration data.
- Organization Management: The Organization Management role lets administrators manage the entire Exchange Server organization. They can also delegate role groups to others.
- Public Folder Management: Members of the Public Folder Management role group can create and delete public folders. They can also configure such things as public folder replication settings and quotas.
- Recipient Management: As the name implies, administrators added Recipient Management role group can create, delete and modify recipients. They also can move mailboxes, perform message tracking and manage distribution groups.
- Records Management: Members of the Records Management role group are tasked with maintaining compliance. They also can perform such tasks as message tracking, journaling messages, configuring retention management, creating transport rules and managing audit logs.
- Server Management: Members of the Server Management role group can perform server-level management tasks on any Exchange server in the organization, but they can't perform global, organization-level management tasks. For example, a server manager can create databases or manage receive connectors, but can't establish a federated trust.
- UM Management: Administrators with the UM Management role can configure and manage the unified messaging feature.
- View-Only Organization Management: This is a specialized role that is intended for training purposes. Members can see all the configuration options but cannot make configuration changes.
Best practices: Exchange 2013 role group management
Exchange 2013 does let you delete or modify the built-in role groups if you so choose. To delete a role group, select it and click the Delete icon. The Delegated Setup and Organization Management groups, however, should not be deleted because you can break Exchange 2013 if you do.
To modify a role group, double-click it. When you do, you'll see a dialog box that lets you change the group's name, description, roles and members. You also have the option to change the role group's scope, so that it only applies to a specific organizational unit.
The only aspect of the default role groups you should consider modifying is the Members list. If you really want to change a role group's behavior, I suggest creating a custom role group rather than modifying a default role group.
To create a custom role group, click the plus sign icon (+) seen in Figure 1. You will be taken to the New Role Group dialog box (Figure 2). Here you can create a brand-new role group, assign the appropriate roles and control the group's membership.
As you can see, RBAC allows Exchange administrators to delegate limited administrative capabilities to others in the organization as a way of offloading mundane administrative tasks. The key to using RBAC effectively is understanding the capabilities and limitations of the default role groups, and knowing when it's necessary to create custom role groups.
About the author:
Brien Posey is a ten-time Microsoft MVP with two decades of IT experience. Before becoming a freelance technical writer, Brien worked as a chief information officer at a national chain of hospitals and healthcare facilities. He has also served as a network administrator for some of the nation's largest insurance companies and for the Department of Defense at Fort Knox.