Add a Role to a User or USG

Applies to: Exchange Server 2010

A management role assignment links a management role to a user or universal security group (USG). Assigning a role to a user or USG lets those users run the cmdlets and scripts, with the parameters, that are defined as role entries on that management role.

While you can assign roles directly to users and USGs, the recommended method of granting permissions to administrators and end users is to use management role groups and management role assignment policies. When you use role groups and assignment policies, you greatly simplify your permissions model.

If you want to assign roles to a management role group or a management role assignment policy, see the following topics:

If you want to add members to a role group or assign a role assignment policy to an end user, see the following topics:

For more information, see Understanding Role Based Access Control.

Note

Role assignments are additive. All the roles assigned to a user, directly or through role group membership, are added together when they are evaluated. If two roles are assigned to a user and one role contains a cmdlet but the other does not, the cmdlet is still available to the user. Review the assignments a user or USG already has before adding another; the new role never narrows what is already granted.
By default, role assignments don't grant the ability to assign roles to other users. To enable a user to assign roles to other users or USGs, see Delegate Role Assignments.

You must use the Exchange Management Shell to add a role assignment.

What Do You Want to Do?

  • Create a role assignment with no scope
  • Create a role assignment with a pre-defined relative scope
  • Create a role assignment with a recipient filter-based scope
  • Create a role assignment with a server filter or list-based configuration scope
  • Create a role assignment with an organizational unit (OU) scope
  • Create a role assignment with an exclusive recipient or configuration scope

If you create a new assignment with a scope, the scope overrides the role's implicit write scope. However, the role's implicit read scope still applies. The new scope can't return objects that are outside of the role's implicit read scope. For more information, see Understanding Management Role Scopes.

All the procedures in this topic use the SecurityGroup parameter to assign roles to a USG. To assign the role to a specific user instead, use the User parameter in place of the SecurityGroup parameter. All other syntax for each command is the same.

Create a role assignment with no scope

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Role assignments" entry in the Role Management Permissions topic.

You can create a role assignment with no scope. When you do this, the implicit read and implicit write scopes of the role apply.

Use the following syntax to assign a role to a USG without any scope:

New-ManagementRoleAssignment -Name <assignment name> -SecurityGroup <USG> -Role <role name>

For example, to assign the "Exchange Servers" role to the SeattleAdmins USG, run the following command:

New-ManagementRoleAssignment -Name "Exchange Servers_SeattleAdmins" -SecurityGroup SeattleAdmins -Role "Exchange Servers"
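The note above says assignments are additive, so the useful check after creating one is not "did the command succeed" but "what can this USG run now, and who actually receives it". The following Exchange Management Shell script is an added example, not part of the original topic: it takes the SeattleAdmins USG and the "Exchange Servers" role from the command above and audits the result. Everything else (the PowerShell 2.0-compatible syntax, the choice of columns) is the editor's.

```powershell
# Added example (not from the original topic): audit what the
# "Exchange Servers_SeattleAdmins" assignment actually grants.
# SeattleAdmins and "Exchange Servers" are the topic's names; the rest is assumed.

$assignee = "SeattleAdmins"
$newRole  = "Exchange Servers"

# 1. Every assignment that resolves to this USG, including any it receives
#    through role group membership.
$assignments = @(Get-ManagementRoleAssignment -RoleAssignee $assignee)
$assignments | Format-Table Name, Role, RoleAssigneeType, RecipientWriteScope, ConfigWriteScope, Enabled -AutoSize

# 2. Assignments are additive: the cmdlets the USG can run are the union of the
#    role entries of every assigned role. Build that union explicitly.
$allCmdlets = foreach ($a in $assignments) {
    Get-ManagementRoleEntry "$($a.Role)\*" | Select-Object -ExpandProperty Name
}
$allCmdlets = @($allCmdlets | Sort-Object -Unique)
"{0} distinct cmdlets/scripts available to {1}" -f $allCmdlets.Count, $assignee

# 3. What did the new role add on top of what the USG already had?
#    (Cmdlets present in "Exchange Servers" but in none of the other assigned roles.)
$fromOthers = foreach ($a in ($assignments | Where-Object { $_.Role -ne $newRole })) {
    Get-ManagementRoleEntry "$($a.Role)\*" | Select-Object -ExpandProperty Name
}
$fromNew = Get-ManagementRoleEntry "$newRole\*" | Select-Object -ExpandProperty Name
"Cmdlets granted only by '$newRole':"
$fromNew | Where-Object { $fromOthers -notcontains $_ } | Sort-Object -Unique

# 4. Expand the USG to the accounts that end up holding the permission.
Get-ManagementRoleAssignment -RoleAssignee $assignee -GetEffectiveUsers |
    Select-Object Name, Role, EffectiveUserName |
    Sort-Object EffectiveUserName -Unique
```

Step 3 is the one to read before approving a request for "just one more role": it shows exactly which cmdlets the USG gains, and step 4 shows the nested group members who gain them.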

Create a role assignment with a pre-defined relative scope

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Role assignments" entry in the Role Management Permissions topic.

If a pre-defined relative scope meets your business requirements, you can apply that scope to the role assignment rather than create a custom scope. For a list of pre-defined scopes and their descriptions, see Understanding Management Role Scopes.

Use the following syntax to assign a role to a USG with a pre-defined scope:

New-ManagementRoleAssignment -Name <assignment name> -SecurityGroup <USG> -Role <role name> -RecipientRelativeWriteScope <MyDistributionGroups | Organization | Self>

For example, to assign the "Exchange Servers" role to the SeattleAdmins USG and apply the Organization pre-defined scope, use the following command:

New-ManagementRoleAssignment -Name "Exchange Servers_SeattleAdmins" -SecurityGroup SeattleAdmins -Role "Exchange Servers" -RecipientRelativeWriteScope Organization

Create a role assignment with a recipient filter-based scope

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Role assignments" entry in the Role Management Permissions topic.

If you created a recipient filter-based scope and want to use it with a role assignment, pass the scope to the CustomRecipientWriteScope parameter of the command that assigns the role to the USG. The CustomRecipientWriteScope and RecipientOrganizationalUnitScope parameters are mutually exclusive; a single assignment can use only one of them.

Before you can add a scope to a role assignment, you need to create one. For more information, see Create a Regular or Exclusive Scope.

Use the following syntax to assign a role to a USG with a recipient filter-based scope:

New-ManagementRoleAssignment -Name <assignment name> -SecurityGroup <USG> -Role <role name> -CustomRecipientWriteScope <role scope name>

For example, to assign the "Mail Recipients" role to the "Seattle Recipient Admins" USG and apply the "Seattle Recipients" scope, run the following command:

New-ManagementRoleAssignment -Name "Mail Recipients_Seattle Recipient Admins" -SecurityGroup "Seattle Recipient Admins" -Role "Mail Recipients" -CustomRecipientWriteScope "Seattle Recipients"
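The topic assumes the "Seattle Recipients" scope already exists. The following script is an added example, not part of the original topic, that runs the whole procedure end to end: it creates the scope, previews which recipients the filter matches before anyone is granted rights over them, creates the assignment from the command above, and then verifies the result from the object side with the WritableRecipient parameter of Get-ManagementRoleAssignment. The scope name, USG name and role name are the topic's own; the City filter and the two test addresses are assumed.

```powershell
# Added example (not from the original topic). Assumed: the filter
# City -eq 'Seattle' describes the intended recipients, and the two test
# mailboxes below exist, one in Seattle and one elsewhere.

# 1. Create the regular recipient scope. The filter uses the same OPATH
#    syntax as Get-Recipient -Filter.
New-ManagementScope -Name "Seattle Recipients" -RecipientRestrictionFilter "City -eq 'Seattle'"

# 2. Preview the scope's membership before granting anything. Because the
#    filter is stored on the scope, the same expression can be fed back to
#    Get-Recipient to see exactly what the assignee will be able to write.
$scope = Get-ManagementScope "Seattle Recipients"
"Recipients matched by the scope:"
Get-Recipient -Filter $scope.RecipientFilter -ResultSize Unlimited |
    Select-Object Name, RecipientType, City

# 3. Assign the role with the custom write scope. Note that
#    -RecipientOrganizationalUnitScope cannot be combined with this parameter.
New-ManagementRoleAssignment -Name "Mail Recipients_Seattle Recipient Admins" `
    -SecurityGroup "Seattle Recipient Admins" -Role "Mail Recipients" `
    -CustomRecipientWriteScope "Seattle Recipients"

# 4. Verify from the recipient's point of view: which of the USG's assignments
#    can write this recipient? The Seattle user should list the new assignment;
#    the non-Seattle user should list nothing from it.
foreach ($mbx in "seattle.user@contoso.com", "redmond.user@contoso.com") {
    $hits = @(Get-ManagementRoleAssignment -RoleAssignee "Seattle Recipient Admins" -WritableRecipient $mbx)
    "{0}: {1} assignment(s) let Seattle Recipient Admins write this recipient" -f $mbx, $hits.Count
    $hits | Format-Table Name, Role, RecipientWriteScope, CustomRecipientWriteScope -AutoSize
}
```

Step 2 is the step most often skipped: a filter that is broader than intended (for example, one that also matches contacts or groups in Seattle) widens the write scope silently, and the assignment itself gives no indication of it. Step 4 is the same check applied after the fact, and works for any scope type because it asks Exchange, rather than the filter, what the assignee can touch.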

Create a role assignment with a server filter or list-based configuration scope

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Role assignments" entry in the Role Management Permissions topic.

If you created a server filter or list-based configuration scope and want to use it with a role assignment, pass the scope to the CustomConfigWriteScope parameter of the command that assigns the role to the USG.

Before you can add a scope to a role assignment, you need to create one. For more information, see Create a Regular or Exclusive Scope.

Use the following syntax to assign a role to a USG with a configuration scope:

New-ManagementRoleAssignment -Name <assignment name> -SecurityGroup <USG> -Role <role name> -CustomConfigWriteScope <role scope name>

For example, to assign the "Exchange Servers" role to the MailboxAdmins USG and apply the "Mailbox Servers" scope, run the following command:

New-ManagementRoleAssignment -Name "Exchange Servers_MailboxAdmins" -SecurityGroup MailboxAdmins -Role "Exchange Servers" -CustomConfigWriteScope "Mailbox Servers"
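The topic assumes the "Mailbox Servers" scope already exists. The following script is an added example, not part of the original topic, showing the two ways such a scope can be built (a fixed server list or a server filter), the assignment from the command above, and a per-server check with the WritableServer parameter of Get-ManagementRoleAssignment. The scope, USG and role names are the topic's; the server names MBX01, MBX02 and CAS01, and the filter on the ServerRole property, are assumed.

```powershell
# Added example (not from the original topic). Assumed: MBX01 and MBX02 are
# Mailbox servers, CAS01 is a Client Access server that must stay out of scope.

# Option A: a list-based configuration scope. Membership is fixed; a server
# added to the organization later is outside the scope until the list is updated.
New-ManagementScope -Name "Mailbox Servers" -ServerList MBX01, MBX02

# Option B (alternative, do not create both with the same name): a filter-based
# configuration scope. Membership follows the filter, so new Mailbox servers are
# picked up automatically. ServerRole as the filterable property is assumed here.
# New-ManagementScope -Name "Mailbox Servers" -ServerRestrictionFilter "ServerRole -like '*Mailbox*'"

# Confirm which servers the scope resolves to before assigning it.
$scope = Get-ManagementScope "Mailbox Servers"
$scope | Format-List Name, ScopeRestrictionType, ServerList, ServerFilter

# Assign the role with the configuration write scope.
New-ManagementRoleAssignment -Name "Exchange Servers_MailboxAdmins" `
    -SecurityGroup MailboxAdmins -Role "Exchange Servers" `
    -CustomConfigWriteScope "Mailbox Servers"

# Check from the server side: MBX01 should be writable through the new
# assignment, CAS01 should not.
foreach ($srv in "MBX01", "CAS01") {
    $hits = @(Get-ManagementRoleAssignment -RoleAssignee MailboxAdmins -WritableServer $srv)
    "{0}: {1} assignment(s) let MailboxAdmins write this server" -f $srv, $hits.Count
    $hits | Format-Table Name, Role, ConfigWriteScope, CustomConfigWriteScope -AutoSize
}
```

Choose the list form when the set of servers is deliberately static (a pilot, a set of hardened servers); choose the filter form when the scope should track a server role or site as the organization grows. Either way, the WritableServer check is what tells you the assignee cannot reach a server you meant to exclude.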

Create a role assignment with an OU scope

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Role assignments" entry in the Role Management Permissions topic.

If you want to restrict a role's write scope to an organizational unit (OU), you can specify the OU directly in the RecipientOrganizationalUnitScope parameter. The RecipientOrganizationalUnitScope and CustomRecipientWriteScope parameters are mutually exclusive; a single assignment can use only one of them.

Use the following command to assign a role to a USG and restrict the write scope of a role to a specific OU:

New-ManagementRoleAssignment -Name <assignment name> -SecurityGroup <USG> -Role <role name> -RecipientOrganizationalUnitScope <OU>

For example, to assign the "Mail Recipients" role to the SalesRecipientAdmins USG and scope the assignment to the Users OU under the Sales OU in the contoso.com domain (specified in canonical name form), use the following command:

New-ManagementRoleAssignment -Name "Mail Recipients_SalesRecipientAdmins" -SecurityGroup SalesRecipientAdmins -Role "Mail Recipients" -RecipientOrganizationalUnitScope contoso.com/sales/users

Create a role assignment with an exclusive recipient or configuration scope

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Role assignments" entry in the Role Management Permissions topic.

To create a role assignment with an exclusive recipient or configuration scope, follow the same procedures given in the Create a role assignment with a recipient filter-based scope and Create a role assignment with a server filter or list-based configuration scope sections. The only difference is the parameter you use to pass the scope, which depends on whether the scope is an exclusive recipient scope or an exclusive configuration scope:

  • Exclusive recipient scopes   Use the ExclusiveRecipientWriteScope parameter instead of the CustomRecipientWriteScope parameter.
  • Exclusive configuration scopes   Use the ExclusiveConfigWriteScope parameter instead of the CustomConfigWriteScope parameter.

When you perform this procedure, the assignees of the new role assignment can perform actions against the objects included in the exclusive scope. Objects that fall inside an exclusive scope can be modified only through role assignments that carry an exclusive scope covering them; other assignees whose regular scopes also match those objects are blocked, even if they could modify them before the exclusive scope was created. For more information about exclusive scopes, see Understanding Exclusive Scopes.

You can't create a role assignment with both exclusive and regular scopes.

For example, to assign the "Mail Recipients" role to the "Protected User Admins" USG and apply the "Protected Users" exclusive scope, run the following command:

New-ManagementRoleAssignment -Name "Mail Recipients_Protected User Admins" -SecurityGroup "Protected User Admins" -Role "Mail Recipients" -ExclusiveRecipientWriteScope "Protected Users"
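An exclusive scope changes who can write the objects it covers, not just what the new assignee can do, so the check after this procedure is to look at a protected recipient and confirm that only the intended assignment can still write it. The following script is an added example, not part of the original topic: it creates the "Protected Users" exclusive scope, creates the assignment from the command above, and then lists every assignment in the organization that can write one protected recipient. The scope, USG and role names are the topic's; the Title filter and the test recipient are assumed, as is the presence of an earlier regular-scoped assignment (such as the "Seattle Recipients" one from the recipient filter-based procedure) that also matches that recipient.

```powershell
# Added example (not from the original topic). Assumed: recipients whose Title
# starts with "VP" are the protected set, and vp.seattle@contoso.com is one of
# them and also lives in Seattle, so a regular Seattle-scoped assignment matches it.

# 1. Create the scope with -Exclusive. It takes effect immediately: from this
#    point, only assignments that carry an exclusive scope covering a matching
#    recipient can modify it, regardless of any regular scopes.
New-ManagementScope -Name "Protected Users" -RecipientRestrictionFilter "Title -like 'VP*'" -Exclusive

# 2. Assign the role with the exclusive scope (ExclusiveRecipientWriteScope,
#    not CustomRecipientWriteScope). Regular and exclusive scopes cannot be
#    combined on one assignment.
New-ManagementRoleAssignment -Name "Mail Recipients_Protected User Admins" `
    -SecurityGroup "Protected User Admins" -Role "Mail Recipients" `
    -ExclusiveRecipientWriteScope "Protected Users"

# 3. Who can write a protected recipient now? Expect the new assignment (and any
#    other assignment whose exclusive scope covers this recipient). A regular-scoped
#    assignment such as "Mail Recipients_Seattle Recipient Admins" no longer appears,
#    even though its filter still matches the user.
$protected = "vp.seattle@contoso.com"
"Assignments able to write $protected :"
Get-ManagementRoleAssignment -WritableRecipient $protected |
    Format-Table Name, RoleAssigneeName, RecipientWriteScope, ExclusiveRecipientWriteScope -AutoSize

# 4. Confirm the regular assignment still works for a non-protected Seattle user,
#    i.e. the exclusive scope removed access only to the protected objects.
$ordinary = "seattle.user@contoso.com"
"Assignments able to write $ordinary :"
Get-ManagementRoleAssignment -WritableRecipient $ordinary |
    Format-Table Name, RoleAssigneeName, RecipientWriteScope -AutoSize

# 5. Inventory of every exclusive assignment, for periodic review: each one is a
#    set of objects that ordinary administrators can no longer change.
Get-ManagementRoleAssignment -Exclusive $true |
    Format-Table Name, Role, RoleAssigneeName, ExclusiveRecipientWriteScope, ExclusiveConfigWriteScope -AutoSize
```

Run steps 3 and 4 together: step 3 shows that the protection holds, and step 4 shows that the exclusive scope did not take away more than intended. Step 5 belongs in a recurring review, since an exclusive scope that outlives its purpose quietly locks the covered objects to one group.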