Understanding Hybrid Deployment Permissions
Applies to: Exchange Server 2010 SP2
The cloud-based organization is based on Exchange 2010 and, like on-premises organizations, uses Role Based Access Control (RBAC) to control permissions. Administrators are granted permissions using management role groups, and end users are granted permissions using management role assignment policies.
Learn more about RBAC at: Understanding Permissions
Administrator Permissions
By default, the user that was used to create the cloud-based service is made a member of the Organization Management role group in the cloud-based organization. This user can manage the entire cloud-based organization, including configuration of organization-level settings and management of cloud-based recipients.
You can add more administrators in the cloud-based organization, depending on the management that needs to take place. You can add organization administrators and recipient administrators, enable specialist users to perform compliance tasks such as discovery, configure custom permissions, and more. All permissions management for cloud-based administrators must be performed in the cloud-based organization using either the Exchange Control Panel (ECP) or remote PowerShell.
However, it's important to note that there is no transfer of permissions between the on-premises organization and the cloud-based organization. Any permissions that you've defined in the on-premises organization must be re-created in the cloud-based organization.
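Because nothing is copied across, a role group that exists on-premises can be missing in the cloud, or can exist there with a different set of roles. The following PowerShell is an added example, not part of the original topic: it compares two sets of role group objects by their Name and Roles properties, as returned by Get-RoleGroup, and reports the differences. The function name Compare-RoleGroupSet, the "Helpdesk Tier 2" role group and the sample data are hypothetical.

```powershell
# Added example. Each input object needs Name and Roles, the properties that
# Get-RoleGroup returns. Assumption: role names compare equal as strings in
# both organizations.
function Compare-RoleGroupSet {
    param([object[]] $OnPrem, [object[]] $Cloud)

    # Index the cloud role groups by name for lookup.
    $cloudByName = @{}
    foreach ($g in $Cloud) { $cloudByName[$g.Name] = $g }

    foreach ($g in $OnPrem) {
        $want  = @($g.Roles | Where-Object { $_ } | ForEach-Object { "$_" })
        $match = $cloudByName[$g.Name]
        $have  = @()
        if ($match) {
            $have = @($match.Roles | Where-Object { $_ } | ForEach-Object { "$_" })
        }

        # Roles granted on-premises but not in the cloud, and the reverse.
        $missing = @($want | Where-Object { $have -notcontains $_ })
        $extra   = @($have | Where-Object { $want -notcontains $_ })

        if (-not $match) { $status = 'MissingInCloud' }
        elseif (($missing.Count + $extra.Count) -gt 0) { $status = 'RolesDiffer' }
        else { continue }   # identical definition, nothing to report

        New-Object PSObject -Property @{
            RoleGroup    = $g.Name
            Status       = $status
            MissingRoles = ($missing -join ', ')
            ExtraRoles   = ($extra -join ', ')
        }
    }
}

# Constructed sample data. In practice, run Get-RoleGroup in a session
# connected to each organization and pass the two result sets in.
$onPrem = @(
    (New-Object PSObject -Property @{ Name = 'Discovery Management'; Roles = @('Mailbox Search', 'Legal Hold') }),
    (New-Object PSObject -Property @{ Name = 'Helpdesk Tier 2'; Roles = @('Mail Recipients', 'Reset Password') })
)
$cloud = @(
    (New-Object PSObject -Property @{ Name = 'Discovery Management'; Roles = @('Mailbox Search') })
)

Compare-RoleGroupSet -OnPrem $onPrem -Cloud $cloud |
    Format-Table RoleGroup, Status, MissingRoles, ExtraRoles -AutoSize
```

The ExtraRoles column matters as much as MissingRoles: a cloud role group that carries roles its on-premises counterpart does not is a permission grant nobody reviewed on the on-premises side.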
See the following topics for more information:
End User Permissions
As with administrator permissions, end users in the cloud can be granted permissions. By default, end users are granted permissions via the default role assignment policy. This policy is applied to every mailbox in the cloud-based organization. If the permissions granted by default are sufficient, you don't need to change anything.
If you do want to customize end user permissions, you can either modify the existing default role assignment policy, or you can create new assignment policies. If you create multiple assignment policies, you can assign different policies to different groups of mailboxes, enabling you to control permissions granted to each group depending on their requirements. All permissions management for cloud-based end users must be performed in the cloud-based organization using either the ECP or remote PowerShell.
Like administrator permissions, end user permissions aren't transferred between the on-premises organization and the cloud-based organization. Any permissions that you've defined in the on-premises organization must be re-created in the cloud-based organization.
The following table lists the permissions granted by the default role assignment policies in the cloud-based organization.
Default role assignment policy permissions
Management role | Description |
---|---|
MyBaseOptions | The |
MyContactInformation | The |
MyDistributionGroupMembership | The |
MyDistributionGroups | The |
MyMailSubscription | The |
MyProfileInformation | The |
MyRetentionPolicies | The |
MyTextMessaging | The |
MyVoiceMail | The |
See the following topics for more information: