Security Group Creation and Membership role
Applies to: Exchange Server 2013
Security Group Creation and Membership management role enables administrators to create and manage universal security groups (USGs) and their memberships in an organization.
If your organization maintains a Role Based Access Control (RBAC) split permissions model where USG creation and management is performed by a different group other than those who manage servers running Exchange, assign this role to that group.
If your organization has enabled Active Directory split permissions, all non-delegating management role assignments to this management role were removed. When Active Directory split permissions is enabled, only Active Directory administrators using Active Directory management tools can create new security principals such as users and security groups.
For more information, see Understanding split permissions.
Default management role assignments
This role has role assignments to one or more role assignees. The following table indicates whether the role assignment is regular or delegating, and also indicates the management scopes applied to each assignment. The following list describes each column:
- Regular assignment: Regular role assignments enable the role assignee to access the permissions provided by the management role entries on this role.
- Delegating assignment: Delegating role assignments give the role assignee the ability to assign this role to role groups, users, or USGs.
- Recipient read scope: The recipient read scope determines what recipient objects the role assignee is allowed to read from Active Directory.
- Recipient write scope: The recipient write scope determines what recipient objects the role assignee is allowed to modify in Active Directory.
- Configuration read scope: The configuration read scope determines what configuration and server objects the role assignee is allowed to read from Active Directory.
- Configuration write scope: The configuration write scope determines what organizational and server objects the role assignee is allowed to modify in Active Directory.
Default management role assignments for this role
|Role group||Regular assignment||Delegating assignment||Recipient read scope||Recipient write scope||Configuration read scope||Configuration write scope|