Applies to: Exchange Server 2013, Exchange Online
Topic Last Modified: 2012-10-14
The permissions required to configure messaging policy and compliance vary depending on the procedure being performed or the cmdlet you want to run. For more information about messaging policy and compliance, see Messaging Policy and Compliance.
To find out what permissions you need to perform the procedure or run the cmdlet, do the following:
- In the table below, find the feature that is most related to
the procedure you want to perform or the cmdlet you want to
run.
- Next, look at the permissions required for the feature. You
must be assigned one of those role groups, an equivalent custom
role group, or an equivalent management role. You can also click on
a role group to see its management roles. If a feature lists more
than one role group, you only need to be assigned one of the role
groups to use the feature. For more information about role groups
and management roles, see Understanding Role Based
Access Control.
- Now, run the Get-ManagementRoleAssignment cmdlet to look
at the role groups or management roles assigned to you to see if
you have the permissions that are necessary to manage the
feature.
Note:You must be assigned the Role Management management role to run the Get-ManagementRoleAssignment cmdlet. If you don't have permissions to run the Get-ManagementRoleAssignment cmdlet, ask your Exchange administrator to retrieve the role groups or management roles assigned to you.
If you want to delegate the ability to manage a feature to another user, see Delegate Role Assignments.
| Note: |
|---|
| Some features that you want to manage might exist on Edge Transport servers. To manage features on Edge Transport servers, you need to become a member of the Local Administrators group on the Edge Transport server you want to manage. Edge Transport servers don't use Role Based Access Control (RBAC). Features that can be managed on Edge Transport servers have Edge Transport Local Administrator in the "Permissions required" column in the table below. |
Messaging policy and compliance permissions
You can use the features in the following table to configure messaging policy and compliance features. The role groups that are required to configure each feature are listed.
Users who are assigned the View-Only Management role group can view the configuration of the features in the following table. For more information, see View-Only Organization Management.
| Feature | Permissions required | ||
|---|---|---|---|
|
Data loss prevention (DLP) |
|||
|
Delete mailbox content (using the Search-Mailbox cmdlet with the DeleteContent switch) |
|
||
|
Discovery mailboxes - Create |
|||
|
Journaling |
|||
|
Mailbox audit logging |
|||
|
Message classifications |
|||
|
Messaging records management |
|||
|
In-Place eDiscovery |
|
||
|
In-Place Hold |
|
||
|
In-Place Archive |
|||
|
In-Place Archive – Test connectivity |
|||
|
Information Rights Management (IRM) configuration |
|||
|
Retention policies – Apply |
|||
|
Retention policies - Create |
See the entry for Messaging Records Management |
||
|
Transport rules |
Important: