Applies to: Exchange Server 2013
Topic Last Modified: 2012-10-03
Management role assignments can assign a management role to a user or universal security group (USG). By assigning a role to a user or USG, you enable those users to perform tasks dependent on cmdlets or scripts and their parameters defined on the management role.
If you want to assign roles to a management role group or a management role assignment policy, see the following topics:
If you want to add members to a role group or assign a role assignment policy to an end user, see the following topics:
For more information, see Understanding Role Based Access Control.
Looking for other management tasks related to roles? Check out Advanced Permissions.
What do you need to know before you begin?
- Estimated time to complete each procedure: 5 minutes
- You need to be assigned permissions before you can perform this
procedure or procedures. To see what permissions you need, see the
"Role assignments" entry in the Role Management
Permissions topic.
- You must use the Shell to perform these procedures.
- Although you can assign roles directly to users and USGs, the
recommended method of granting permissions to administrators and
end users is to use management role groups and management role
assignment policies. When you use role groups and assignment
policies, you simplify your permissions model.
- Role assignments are additive. This means that all the roles
are added together when they're evaluated. If two roles are
assigned to a user and one role contains a cmdlet but the other
doesn't, the cmdlet will still be available to the user.
By default, role assignments don't grant the ability to assign roles to other users. To enable a user to assign roles to other users or USGs, see Delegate Role Assignments.
- If you create an assignment with a scope, the scope overrides
the role's implicit write scope. However, the role's implicit read
scope still applies. The new scope can't return objects outside of
the role's implicit read scope. For more information, see Understanding Management
Role Scopes.
- All the procedures in this topic use the SecurityGroup
parameter to assign roles to a USG. If you want to assign the role
to a specific user, use the User parameter instead of the
SecurityGroup parameter. All other syntax for each command
is the same.
- For information about keyboard shortcuts that may apply to the
procedures in this topic, see Keyboard Shortcuts in
the Exchange Admin Center.
 Tip: |
|---|
| Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection |
What do you want to do?
Create a role assignment with no scope
You can create a role assignment with no scope. When you do this, the implicit read and implicit write scopes of the role apply.
Use the following syntax to assign a role to a USG without any scope.
 Copy Code |
|
|---|---|
New-ManagementRoleAssignment -Name <assignment name> -SecurityGroup <USG> -Role <role name> |
|
This example assigns the Exchange Servers role to the SeattleAdmins USG.
| Copy Code |
|
|---|---|
New-ManagementRoleAssignment -Name "Exchange Servers_SeattleAdmins" -SecurityGroup SeattleAdmins -Role "Exchange Servers" |
|
For detailed syntax and parameter information, see New-ManagementRoleAssignment.
Create a role assignment with a predefined relative scope
If a predefined relative scope meets your business requirements, you can apply that scope to the role assignment rather than create a custom scope. For a list of predefined scopes and their descriptions, see Understanding Management Role Scopes.
Use the following syntax to assign a role to a USG with a predefined scope.
| Copy Code |
|
|---|---|
New-ManagementRoleAssignment -Name <assignment name> -SecurityGroup < USG> -Role <role name> -RecipientRelativeWriteScope < MyDistributionGroups | Organization | Self > |
|
This example assigns the Exchange Servers role to the SeattleAdmins USG and applies the Organization predefined scope.
| Copy Code |
|
|---|---|
New-ManagementRoleAssignment -Name "Exchange Servers_SeattleAdmins" -SecurityGroup SeattleAdmins -Role "Exchange Servers" -RecipientRelativeWriteScope Organization |
|
For detailed syntax and parameter information, see New-ManagementRoleAssignment.
Create a role assignment with a recipient filter-based scope
If you created a recipient filter-based scope and want to use it with a role assignment, you need to include the scope in the command used to assign the role to a USG by using the CustomRecipientWriteScope parameter. If you use the CustomRecipientWriteScope parameter, you can't use the RecipientOrganizationalUnitScope parameter.
Before you can add a scope to a role assignment, you need to create one. For more information, see Create a Regular or Exclusive Scope.
Use the following syntax to assign a role to a USG with a recipient filter-based scope.
| Copy Code |
|
|---|---|
New-ManagementRoleAssignment -Name <assignment name> -SecurityGroup < USG> -Role <role name> -CustomRecipientWriteScope <role scope name> |
|
This example assigns the Mail Recipients role to the Seattle Recipient Admins USG and applies the Seattle Recipients scope.
| Copy Code |
|
|---|---|
New-ManagementRoleAssignment -Name "Mail Recipients_Seattle Recipient Admins" -SecurityGroup "Seattle Recipient Admins" -Role "Mail Recipients" -CustomRecipientWriteScope "Seattle Recipients" |
|
For detailed syntax and parameter information, see New-ManagementRoleAssignment.
Create a role assignment with a server or database filter or list-based configuration scope
If you created a server or database filter or list-based configuration scope and want to use it with a role assignment, you need to include the scope in the command used to assign the role to a USG by using the CustomConfigWriteScope parameter.
Before you can add a scope to a role assignment, you need to create one. For more information, see Create a Regular or Exclusive Scope.
Use the following syntax to assign a role to a USG with a configuration scope.
| Copy Code |
|
|---|---|
New-ManagementRoleAssignment -Name <assignment name> -SecurityGroup <USG> -Role <role name> -CustomConfigWriteScope <role scope name> |
|
This example assigns the Exchange Servers role to the MailboxAdmins USG and applies the Mailbox Servers scope.
| Copy Code |
|
|---|---|
New-ManagementRoleAssignment -Name "Exchange Servers_MailboxAdmins" -SecurityGroup MailboxAdmins -Role "Exchange Servers" -CustomConfigWriteScope "Mailbox Servers" |
|
The preceding example shows how to add a role assignment with a server configuration scope. The syntax to add a database configuration scope is the same. You specify the name of a database scope instead of a server scope.
For detailed syntax and parameter information, see New-ManagementRoleAssignment.
Create a role assignment with an OU scope
If you want to scope a role's write scope to an organizational unit (OU), you can specify the OU in the RecipientOrganizationalUnitScope parameter directly. If you use the RecipientOrganizationalUnitScope parameter, you can't use the CustomRecipientWriteScope parameter.
Use the following syntax to assign a role to a USG and restrict the write scope of a role to a specific OU.
| Copy Code |
|
|---|---|
New-ManagementRoleAssignment -Name <assignment name> -SecurityGroup <USG> -Role <role name> -RecipientOrganizationalUnitScope <OU> |
|
This example assigns the Mail Recipients role to the SalesRecipientAdmins USG and scopes the assignment to the sales/users OU in the contoso.com domain.
| Copy Code |
|
|---|---|
New-ManagementRoleAssignment -Name "Mail Recipients_SalesRecipientAdmins" -SecurityGroup SalesRecipientAdmins -Role "Mail Recipients" -RecipientOrganizationalUnitScope contoso.com/sales/users |
|
For detailed syntax and parameter information, see New-ManagementRoleAssignment.
Create a role assignment with an exclusive recipient or configuration scope
To create an exclusive role assignment with an exclusive recipient or configuration scope, the same procedures provided in the Create a role assignment with a recipient filter-based scope and Create a role assignment with a server or database filter or list-based configuration scope sections can be used. The only difference is that when you create a role assignment with an exclusive scope, you must specify the following exclusive parameters depending on whether you're using an exclusive recipient scope or an exclusive configuration scope:
- Exclusive recipient scopes Use the
ExclusiveRecipientWriteScope parameter instead of the
CustomRecipientWriteScope parameter.
- Exclusive configuration scopes Use the
ExclusiveConfigWriteScope parameter instead of the
CustomConfigWriteScope parameter.
When you perform this procedure, the role assignees assigned the role can perform actions against the objects included in the exclusive scope. For more information about exclusive scopes, see Understanding Exclusive Scopes.
You can't create a role assignment with both exclusive and regular scopes.
This example assigns the Mail Recipients role to the Protected User Admins USG and applies the Protected Users exclusive scope.
| Copy Code |
|
|---|---|
New-ManagementRoleAssignment -Name "Mail Recipients_Protected User Admins" -SecurityGroup "Protected User Admins" -Role "Mail Recipients" -ExclusiveRecipientWriteScope "Protected Users" |
|
For detailed syntax and parameter information, see New-ManagementRoleAssignment.