This video introduces role-based access control as the way to delegate administrative tasks using built-in and custom role groups from the admin center.
- [Instructor] The larger your organization is, the more likely you are to distribute various Exchange and network administration tasks. For example, you may have a help desk technician or a department of technicians that occasionally need to help users update their basic user properties and Outlook on the web. It's important that this technician be able to access these user details to be helpful. It's not important to make them an Exchange administrator and allow them to create new mailboxes or remove rules or modify quotas.
Role-based access control is the feature of Exchange Server that allows you to grant limited permissions to a user that needs specific administrative access to Exchange. When I enter the admin center and click on permissions, you can see the roles listed out. And when selected, each one will generate a description off to the right, including a list of what are called management roles, the specific collections of rights and permissions that are assigned to this role group.
For example, there is a help desk admin role group. I'm going to select it and then I'm going to go ahead and maximize the browser, so I can see more of the description off to the right. As I look at this information, I can see that most of it is read-only. The user that's assigned to this role group is only going to be able to change the things that a user could change for themselves if they knew how. I'm not going to go through all of these role groups in detail, but there are a couple that I wanted to point out.
The hygiene management role, for example, is one that might be granted to the user or service account employed by a third-party anti-malware software package designed to integrate with Exchange Server. That would grant the software access to those elements of Exchange without changing other functionality. You can see that there are separate roles for managing recipients and servers. And there is one other that I wanted to point out.
This compliance management role is one that would be assigned to a user responsible for working with attorneys and other compliance organizations as they configure and access audit logs, as well as features and policies to ensure that email is monitored and retained, when necessary. You can create custom role groups, but let me recommend that, before you do, you carefully consider the ones you already have. This is a pretty good starter list, and their descriptions are always there to remind you of what they're designed to do.
If you do need to create custom roles, be as descriptive as you can in the names of the roles and consider adding a prefix of the company name, so that you can quickly identify your custom rules. If you do create custom admin role groups, be as descriptive as you can in the name of the role group and consider adding a prefix that refers to the company name, so you can more easily find your custom role groups in the list.
Also, make sure you add in a good description, to make certain that your new roles are completely understood and properly applied down the road. I don't currently have a need for a custom role group, so I'm going to cancel out of this wizard. And as we continue through the chapter, we're going to take a closer look at how to deploy these roles in our Exchange environment.
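The review-before-you-create, prefix and description advice above, written for the Exchange Management Shell as an added example (it is not part of the video or the course). The `Contoso-` prefix, the group name, the chosen roles and the description text are assumptions for illustration.

```powershell
# Added example, not from the course. Run in the Exchange Management Shell
# with an account allowed to read and create role groups.
# Assumed values: company prefix, group name, role selection, description.
$Prefix = 'Contoso-'

# 1. Review the existing role groups first: name, assigned management
#    roles, member count and the description shown in the admin center.
Get-RoleGroup |
    Sort-Object Name |
    Select-Object Name,
        @{ n = 'Roles';       e = { $_.Roles -join '; ' } },
        @{ n = 'MemberCount'; e = { @($_.Members).Count } },
        Description |
    Format-List

# 2. Find custom (prefixed) role groups that were created without a
#    description, so their purpose can be documented.
$undocumented = Get-RoleGroup |
    Where-Object {
        $_.Name -like "$Prefix*" -and
        [string]::IsNullOrWhiteSpace($_.Description)
    }

if ($undocumented) {
    Write-Warning 'Custom role groups with no description:'
    $undocumented | Select-Object Name, WhenCreated
}

# 3. Preview a new custom role group that follows the naming advice.
#    The two roles are built-in management roles that limit the holder to
#    viewing recipients and changing basic user options.
$newGroup = @{
    Name        = "${Prefix}HelpDesk-Tier1"
    Roles       = 'View-Only Recipients', 'User Options'
    Description = 'Tier 1 help desk: view recipients and update basic ' +
                  'user options only. No mailbox creation or quota changes.'
    WhatIf      = $true   # preview only; remove to create the group
}
New-RoleGroup @newGroup
```

With `WhatIf` set, the last command only reports what it would create, which makes it safe to check the name and role list before committing.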
- Planning and configuring Active Directory (AD)
- Creating and configuring mailboxes
- Delegating mailboxes
- Mailbox and mailbox folder permissions
- Mail-enabled users
- Send as versus Send on Behalf
- Using public folders
- Managing public folder permissions
- RBAC versus AD split permissions
- Configuring user assignment policies
- Protecting Exchange content
- Message signing and encryption
- Troubleshooting IRM failure