Udostępnij za pośrednictwem


Security Group Creation and Membership role

Applies to: Exchange Server 2013

The Security Group Creation and Membership management role enables administrators to create and manage universal security groups (USGs) and their memberships in an organization.

If your organization maintains a Role Based Access Control (RBAC) split permissions model where USG creation and management is performed by a different group other than those who manage servers running Exchange, assign this role to that group.

If your organization enables Active Directory split permissions, all non-delegating management role assignments to this management role were removed. When Active Directory split permissions are enabled, only Active Directory administrators using Active Directory management tools can create new security principals such as users and security groups.

For more information, see Understanding split permissions.

Default management role assignments

This role has role assignments to one or more role assignees. The following table indicates whether the role assignment is regular or delegating, and also indicates the management scopes applied to each assignment. The following list describes each column:

  • Regular assignment: Regular role assignments enable the role assignee to access the permissions provided by the management role entries on this role.
  • Delegating assignment: Delegating role assignments give the role assignee the ability to assign this role to role groups, users, or USGs.
  • Recipient read scope: The recipient read scope determines what recipient objects the role assignee is allowed to read from Active Directory.
  • Recipient write scope: The recipient write scope determines what recipient objects the role assignee is allowed to modify in Active Directory.
  • Configuration read scope: The configuration read scope determines what configuration and server objects the role assignee is allowed to read from Active Directory.
  • Configuration write scope: The configuration write scope determines what organizational and server objects the role assignee is allowed to modify in Active Directory.

Default management role assignments for this role

Role group Regular assignment Delegating assignment Recipient read scope Recipient write scope Configuration read scope Configuration write scope
Organization Management X X Organization Organization OrganizationConfig OrganizationConfig