Role Based Access Control (RBAC) is the permissions model used in Microsoft Exchange Server 2013. With RBAC we can decide what administrators and users can do in an Exchange organization.
Microsoft Exchange Server 2013 has several built-in management role groups. These are:
- Organization Management
- View-only Organization Management
- Recipient Management
- UM Management
- Help Desk
- Hygiene Management
- Compliance Management
- Records Management
- Discovery Management
- Public Folder Management
- Server Management
- Delegated Setup
Let’s discuss these roles one by one.
Organization Management – Administrators who are members of the Organization Management role group have administrative access to the entire Exchange 2013 organization and can perform almost any task on any Exchange 2013 object. This is a very powerful role. A member of this role group can impact the entire Exchange organization, so this role needs to be assigned very carefully and only to a limited number of administrators.
View-only Organization Management – Administrators who are members of the View-Only Organization Management role group can view the properties of any object in the Exchange organization. This role is equivalent to the Exchange View-Only Administrators role in Microsoft Exchange Server 2007.
Recipient Management – Administrators who are members of the Recipient Management role group have administrative access to create or modify recipients such as mailboxes, contacts, and room mailboxes in the Exchange 2013 organization.
UM Management – Administrators who are members of the UM Management role group can manage features in the Exchange organization such as Unified Messaging (UM) service configuration.
Help Desk – Users who are members of the Help Desk role group can perform limited recipient management of Exchange 2013 recipients. The Help Desk role group, by default, enables members to view and modify the Outlook Web App options of any user in the organization. These options might include modifying the user’s display name, address, phone number, and so on.
Hygiene Management – Users who are members of the Hygiene Management role group can configure the anti-spam and anti-malware features of Exchange 2013. Third-party programs that integrate with Exchange 2013 can add service accounts to this role group to grant those programs access to the commands required to retrieve and configure the Exchange configuration.
Compliance Management – Users who are members of the Compliance Management role group can configure and manage Exchange compliance configuration, such as retention policies, in accordance with their policies.
Records Management – Users who are members of the Records Management role group can configure compliance features like transport rules. Transport rules can be used to identify data leakage.
Discovery Management – Administrators or users who are members of the Discovery Management role group can perform searches of mailboxes in the Exchange organization for data that meets specific criteria.
Public Folder Management – Administrators who are members of the Public Folder Management role group can manage public folders on servers running Exchange 2013.
Server Management – Administrators who are members of this role group can configure server-specific configuration of transport, client access, and mailbox features such as database copies, certificates, transport queues and Send connectors, virtual directories, and client access protocols.
Delegated Setup – Administrators who are members of the Delegated Setup role group can deploy servers running Exchange 2013 that have been previously provisioned by a member of the Organization Management role group. Members of the Delegated Setup role group can only deploy Exchange 2013 servers. They can’t manage the server after it’s been deployed. To manage a server after it’s been deployed, a user must be a member of the Server Management role group.
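
Because Organization Management should be held by only a limited number of administrators, it is worth reviewing role group membership regularly. The following Exchange Management Shell script is an added example, not part of the original article: it lists the members of every role group and flags groups that exceed a member limit or contain nested groups. The limits in `$limits` are constructed values for illustration, not Microsoft recommendations.

```powershell
# Run in the Exchange Management Shell with an account that can read role groups.
# Member limits per role group: constructed values, adjust to your own policy.
$limits = @{
    'Organization Management' = 3
    'Discovery Management'    = 2
    'Server Management'       = 5
}

$report = foreach ($rg in Get-RoleGroup) {
    # @() forces an array so .Count is correct for zero or one member.
    $members = @(Get-RoleGroupMember -Identity $rg.Name -ResultSize Unlimited)

    # A group nested inside a role group hides who effectively holds the role,
    # because its own membership is managed outside the role group.
    $nested = @($members | Where-Object { $_.RecipientType -like '*Group*' })

    $limit = $limits[$rg.Name]   # $null when no limit is defined for this group

    [pscustomobject]@{
        RoleGroup    = $rg.Name
        MemberCount  = $members.Count
        OverLimit    = ($null -ne $limit) -and ($members.Count -gt $limit)
        NestedGroups = ($nested | ForEach-Object { $_.Name }) -join '; '
        Members      = ($members | ForEach-Object { $_.Name }) -join '; '
    }
}

# Full inventory, suitable for keeping as a baseline to diff against later runs.
$report | Sort-Object RoleGroup | Format-Table RoleGroup, MemberCount, Members -AutoSize -Wrap

# Findings that need review: too many members, or membership via a nested group.
$findings = $report | Where-Object { $_.OverLimit -or $_.NestedGroups }
if ($findings) {
    Write-Warning 'Role groups requiring review:'
    $findings | Format-List RoleGroup, MemberCount, OverLimit, NestedGroups
} else {
    Write-Output 'No role group exceeds its limit or contains nested groups.'
}
```

Exporting `$report` with `Export-Csv` on a schedule gives a history that makes unexpected additions to a powerful role group easy to spot.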