Messaging policy and compliance permissions in Exchange Server
The permissions required to configure messaging policy and compliance vary depending on the procedure being performed or the cmdlet you want to run. For more information about messaging policy and compliance, see Messaging policy and compliance in Exchange Server.
To find out what permissions you need to perform the procedure or run the cmdlet, do the following:
In the table below, find the feature that is most related to the procedure you want to perform or the cmdlet you want to run.
Next, look at the permissions required for the feature. You must be assigned one of those role groups, an equivalent custom role group, or an equivalent management role. You can also click on a role group to see its management roles. If a feature lists more than one role group, you only need to be assigned one of the role groups to use the feature. For more information about role groups and management roles, see Understanding Role Based Access Control.
Now, run the Get-ManagementRoleAssignment cmdlet to look at the role groups or management roles assigned to you to see if you have the permissions that are necessary to manage the feature.
Note
You must be assigned the Role Management management role to run the Get-ManagementRoleAssignment cmdlet. If you don't have permissions to run the Get-ManagementRoleAssignment cmdlet, ask your Exchange administrator to retrieve the role groups or management roles assigned to you.
If you want to delegate the ability to manage a feature to another user, see Delegate role assignments.
Messaging policy and compliance permissions
You can use the features in the following table to configure messaging policy and compliance features. The role groups that are required to configure each feature are listed.
Users who are assigned the View-Only Management role group can view the configuration of the features in the following table. For more information, see View-Only Organization Management.
| Feature | Permissions required |
|---|---|
| Data loss prevention (DLP) | Compliance Management |
| Delete mailbox content (using the Search-Mailbox cmdlet with the DeleteContent switch) | Discovery Management and Mailbox Import Export Role Note: By default, the Mailbox Import Export role isn't assigned to any role group. You can assign a management role to a built-in or custom role group, a user, or a universal security group. Assigning a role to a role group is recommended. For more information, see Add a role to a role group. |
| Discovery mailboxes - Create | Organization Management Recipient Management |
| Information Rights Management (IRM) configuration | Compliance Management Organization Management |
| In-Place Archive | Organization Management Recipient Management |
| In-Place Archive - Test connectivity | Organization Management Server Management |
| In-Place eDiscovery | Discovery Management Note: By default, the Discovery Management role group doesn't have any members. No users, including administrators, have the required permissions to search mailboxes. For more information, see Assign eDiscovery permissions in Exchange Server. |
| In-Place Hold | Discovery Management Organization Management Notes:
|
| Journaling | Organization Management Records Management |
| Litigation Hold | Organization Management |
| Mailbox audit logging | Organization Management Records Management |
| Message classifications | Organization Management |
| Messaging records management | Compliance Management Organization Management Records Management |
| Retention policies - Apply | Organization Management Recipient Management Records Management |
| Retention policies - Create | See the entry for Messaging records management |
| Mail flow rules (also known as transport rules) | Organization Management Records Management |