Del via


Add a Role to a Role Group

 

Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

Adding a management role to a management role group is the best and simplest way to grant permissions to a group of administrators or specialist users in Microsoft Exchange Server 2010. If you want to give users that are members of a role group the ability to manage a feature, you add the management role that manages the feature to the role group. After the role is added, the members of the role group are granted the permissions provided by the role.

For more information about role groups, in Exchange 2010, see Understanding Management Role Groups.

Looking for other management tasks related to administrators and specialist users? Check out Managing Administrator and Specialist Users.

Use the ECP to add a management role to a role group

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Role groups" entry in the Role Management Permissions topic.

Important

You can't use the Exchange Control Panel (ECP) to add roles to a role group if you've used the Exchange Management Shell to configure multiple management role scopes or exclusive scopes on the role group. If you've configured multiple scopes or exclusive scopes on the role group, you must use the Shell procedures later in this topic to add roles to the role group. For more information about management role scopes, see Understanding Management Role Scopes.

  1. In the EMC, navigate to Toolbox in the console tree.

  2. In the work pane, double-click Role Based Access Control (RBAC) User Editor to open the user editor in the Exchange Control Panel (ECP).

  3. Provide credentials in the Domain\user name and Password fields for an account that has the permissions needed to open the user editor in the ECP. Click Sign in.

  4. Click the Administrator Roles tab.

  5. Select the role group you want to add one or more roles to, and then click Details.

  6. In the Roles section, click Add.

  7. Select one or more roles to add to the role group, and then click OK.

  8. Click Save to save the changes to the role group.

Use the Shell to create a role assignment with no scope

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Role groups" entry in the Role Management Permissions topic.

You can create a role assignment with no scope between a role and a role group. When you do this, the implicit read and implicit write scopes of the role apply.

Use the following syntax to assign a role without any scope to a role group. A role assignment name is created automatically if you don't specify one.

New-ManagementRoleAssignment -SecurityGroup <role group name> -Role <role name>

This example assigns the Transport Rules management role to the Seattle Compliance role group.

New-ManagementRoleAssignment -SecurityGroup "Seattle Compliance" -Role "Transport Rules"

For detailed syntax and parameter information, see New-ManagementRoleAssignment.

Use the Shell to create a role assignment with a predefined scope

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Role groups" entry in the Role Management Permissions topic.

If a predefined scope meets your business requirements, you can apply that scope to the role assignment rather than create a new one. For a list of predefined scopes and their descriptions, see Understanding Management Role Scopes.

For more information about role assignments, see Understanding Management Role Assignments.

Use the following syntax to assign a role to a role group with a predefined scope. A role assignment name is created automatically if you don't specify one.

New-ManagementRoleAssignment -SecurityGroup <role group name> -Role <role name> -RecipientRelativeWriteScope < MyGAL | MyDistributionGroups | Organization | Self >

This example assigns the Message Tracking role to the Enterprise Support role group and applies the Organization predefined scope.

New-ManagementRoleAssignment -SecurityGroup "Enterprise Support" -Role "Message Tracking" -RecipientRelativeWriteScope Organization

For detailed syntax and parameter information, see New-ManagementRoleAssignment.

Use the Shell to create a role assignment with a recipient filter-based scope

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Role groups" entry in the Role Management Permissions topic.

If you created a recipient filter-based scope, you need to include the scope in the command used to assign the role to a role group by using the CustomRecipientWriteScope parameter.

You can also include a configuration write scope when you create a role assignment that has a recipient write scope.

For more information about role assignments and scopes, see the following topics:

Use the following syntax to assign a role to a role group with a recipient filter-based scope. A role assignment name is created automatically if you don't specify one.

New-ManagementRoleAssignment -SecurityGroup <role group name> -Role <role name> -CustomRecipientWriteScope <role scope name>

This example assigns the Message Tracking role to the Seattle Recipient Admins role group and applies the Seattle Recipients scope.

New-ManagementRoleAssignment -SecurityGroup "Seattle Recipient Admins" -Role "Message Tracking" -CustomRecipientWriteScope "Seattle Recipients"

For detailed syntax and parameter information, see New-ManagementRoleAssignment.

Use the Shell to create a role assignment with a configuration scope

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Role groups" entry in the Role Management Permissions topic.

If you created a server or database configuration filter or list-based scope, you need to include the scope in the command used to assign the role to a role group by using the CustomConfigWriteScope parameter.

You can also include a recipient write scope when you create a role assignment that has a configuration write scope.

For more information about role assignments and management scopes, see the following topics:

Use the following syntax to assign a role to a role group with a configuration scope. A role assignment name is created automatically if you don't specify one.

New-ManagementRoleAssignment -SecurityGroup <role group name> -Role <role name> -CustomConfigWriteScope <role scope name>

This example assigns the Databases role to the Seattle Server Admins role group and applies the Seattle Servers scope.

New-ManagementRoleAssignment -SecurityGroup "Seattle Server Admins" -Role "Databases" -CustomConfigWriteScope "Seattle Servers"

For detailed syntax and parameter information, see New-ManagementRoleAssignment.

Use the Shell to create a role assignment with an OU scope

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Role groups" entry in the Role Management Permissions topic.

If you want to scope a role's write scope to an OU, you can specify the OU in the RecipientOrganizationalUnitScope parameter directly.

For more information about role assignments and management scopes, see the following topics:

Use the following command to assign a role to a role group and restrict the write scope of a role to a specific OU. A role assignment name is created automatically if you don't specify one.

New-ManagementRoleAssignment -SecurityGroup <role group name> -Role <role name> -RecipientOrganizationalUnitScope <OU>

This example assigns the Mail Recipients role to the Seattle Recipient Admins role group and scopes the assignment to the Sales\Users OU in the Contoso.com domain.

New-ManagementRoleAssignment -SecurityGroup "Seattle Recipient Admins" -Role "Mail Recipients" -RecipientOrganizationalUnitScope contoso.com/sales/users

For detailed syntax and parameter information, see New-ManagementRoleAssignment.

Other Tasks

After you add a role to a role group, you may also want to:

 © 2010 Microsoft Corporation. All rights reserved.