Role Assignment Policies in Exchange Online
Applies to: Office 365 for enterprises, Live@edu
A role assignment policy is a collection of one or more end-user management roles that let users manage the settings of their own accounts and of distribution groups. A management role, also called an RBAC role or simply a role, is part of the role-based access control (RBAC) permissions model. Each role specifies the Windows PowerShell cmdlets, scripts, and other special permissions that let users perform specific self-management tasks.
The combination of all roles assigned to a role assignment policy defines everything that users can configure and manage with regard to their account, their Outlook Web App Options, the groups they own, and their ability to join or leave a group.
In the cloud-based service a default role assignment policy is part of the mailbox plan that is assigned to users when their mailbox is created. There are several ways you can use role assignment policies to assign permissions to users:
- Change the end-user roles assigned to the default role assignment policy. The change affects all existing mailboxes that have the role assignment policy assigned.
- Create a new custom role assignment policy, and set it as the default.
Note When you replace the existing default role assignment policy with a new one, the mailboxes that are assigned the old default role assignment policy aren't automatically updated. If you want to update the existing mailboxes, you must manually assign the new default role assignment policy to them.
- Create a custom role assignment policy, and assign it directly to users' mailboxes. You can assign it to existing users, or assign it when you create new users.
Note In Microsoft Live@edu organizations, you can't create or delete role assignment policies, you can't replace the default role assignment policy that's associated with the mailbox plan, and you can't assign a role assignment policy directly to a user. Instead, you assign a mailbox plan to the mailbox, and the role assignment policy that's associated with the mailbox plan is assigned to the user. For more information, see Mailbox Plans.
To view the role assignment policies for your organization, in the Exchange Control Panel, select Manage My Organization > Roles & Auditing > User Roles. For more information, see User Roles Tab.
When do you use role assignment policies?
You use role assignment policies to assign specific groups of users the capability to perform specific self-management tasks by adjusting the account-specific settings that each group can manage.
For example, say you want to prevent regular staff from changing their display name, but you want to let managers change theirs. To do this, you associate the default recipient access policy with the mailboxes of the staff and a custom recipient access policy with the managers' mailboxes. Then you configure the custom role assignment policy to let the managers change their display names, and you configure the default role assignment policy associated with the staff mailboxes to prevent them from changing theirs.
Note In Live@edu organizations, the example works in a similar way. However, instead of assigning different role assignment policies to users, you assign different mailbox plans to users. You still need to configure the recipient access policies in the mailbox plans.
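The staff-versus-managers scenario above, carried out with the Exchange Online remote PowerShell cmdlets, as an added example that is not part of the original article. It assumes an existing remote PowerShell session to Exchange Online, the built-in policy name "Default Role Assignment Policy" from this article, a hypothetical custom policy name, and a hypothetical distribution group named "Managers" whose members should get the custom policy; the role list is the set of roles the table below marks as assigned to the default policy.

```powershell
# Added example (not from the original article). Goal: regular staff can
# no longer change their display name, managers still can. Display name
# editing is granted by the MyProfileInformation role.
# Assumes: connected to Exchange Online; "Managers" is a hypothetical
# distribution group; the custom policy name is hypothetical.

$defaultPolicy = 'Default Role Assignment Policy'
$managerPolicy = 'Managers Role Assignment Policy'   # hypothetical name

# Roles the article's table lists as assigned to the default policy.
# Some of them (retention, text messaging, voice mail) aren't available
# in every organization; drop any that your tenant does not have.
$managerRoles = @(
    'MyBaseOptions', 'MyContactInformation', 'MyDistributionGroupMembership',
    'MyDistributionGroups', 'MyMailSubscriptions', 'MyProfileInformation',
    'MyRetentionPolicies', 'MyTextMessaging', 'MyVoiceMail'
)

# 1. Create the custom policy for managers. It keeps MyProfileInformation,
#    so managers retain the ability to edit their display name.
New-RoleAssignmentPolicy -Name $managerPolicy -Roles $managerRoles `
    -Description 'Default end-user roles plus profile (display name) editing'

# 2. Remove MyProfileInformation from the default policy. This affects every
#    mailbox that uses the default policy, i.e. all regular staff.
Get-ManagementRoleAssignment -Role 'MyProfileInformation' -RoleAssignee $defaultPolicy |
    Remove-ManagementRoleAssignment -Confirm:$false

# 3. Assign the custom policy directly to the managers' mailboxes.
#    (Live@edu organizations cannot do this step; they assign mailbox plans.)
Get-DistributionGroupMember -Identity 'Managers' |
    ForEach-Object {
        Set-Mailbox -Identity $_.Identity -RoleAssignmentPolicy $managerPolicy
    }

# 4. Verify the result: which roles each policy grants, and how many
#    mailboxes use each policy. Review this output before closing the change.
Get-ManagementRoleAssignment -RoleAssignee $defaultPolicy | Select-Object Role
Get-ManagementRoleAssignment -RoleAssignee $managerPolicy | Select-Object Role
Get-Mailbox -ResultSize Unlimited |
    Group-Object -Property RoleAssignmentPolicy |
    Select-Object Name, Count
```

If a manager's mailbox is later created without the custom policy, it silently receives the default policy from the mailbox plan, so the Group-Object check in step 4 is worth repeating after onboarding.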
Role assignment policies
In most cloud-based organizations, there is only one built-in role assignment policy, named Default Role Assignment Policy. By default, this built-in role assignment policy is assigned to all mailbox plans.
In Live@edu organizations, there are two built-in role assignment policies: RoleAssignmentPolicy-DefaultMailboxPlan and RoleAssignmentPolicy-GalDisabledMailboxPlan. The names of the role assignment policies correspond to the names of the associated mailbox plans.
Let's look at the end-user management roles assigned by default to each role assignment policy.
Note In Live@edu organizations, the role names used in the role assignment policy correspond to the mailbox plan that contains the role assignment policy. For example, there are two MyDistributionGroups roles: MyDistributionGroups_DefaultMailboxPlan and MyDistributionGroups_GalDisabledMailboxPlan.
Role | What users can do | Assigned to the Default Role Assignment Policy? | Assigned to the Live@edu RoleAssignmentPolicy-DefaultMailboxPlan? | Assigned to the Live@edu RoleAssignmentPolicy-GalDisabledMailboxPlan? |
---|---|---|---|---|
MyBaseOptions | Required for users to access Outlook Web App > Options from their own mailbox. | Yes | Yes | Yes |
MyContactInformation | Edit their address and telephone number in the shared address book in Outlook Web App > Options > Account > My Account. The MyContactInformation role also has child roles. If you think the MyContactInformation role gives users too much power, you can remove the role from the role assignment policy and assign one or more of the child roles instead. For more information, see Change a Role Assignment Policy. | Yes | Yes | Yes |
MyDistributionGroupMembership | Join or leave existing distribution groups in Outlook Web App > Options > Groups. | Yes | Yes | No |
MyDistributionGroups | Create new distribution groups, delete groups they own, modify groups they own, and manage group membership for groups they own in Outlook Web App > Options > Groups. | Yes | Yes | No |
MyMailSubscriptions | Create POP, IMAP, or Hotmail subscriptions to external mailboxes in Outlook Web App > Options > Account > Connected Accounts. | Yes | Yes | Yes |
MyProfileInformation | Edit their first name, middle initial, last name, and display name in the shared address book in Outlook Web App > Options > Account > My Account. The MyProfileInformation role also has child roles. If you think the MyProfileInformation role gives users too much power, you can remove the role from the role assignment policy and assign one of the child roles instead. For more information, see Change a Role Assignment Policy. | Yes | Yes | Yes |
MyRetentionPolicies | Manage their retention policies in Outlook Web App > Options > Organize E-mail > Retention Policies. Note This feature isn't available to all organizations. | Yes | Yes | Yes |
MyTextMessaging | Configure their text messaging settings in Outlook Web App > Options > Phone > Text Messaging. Note This feature isn't available to all organizations. | Yes | Yes | Yes |
MyVoiceMail | Update their voice mail settings in Outlook Web App > Options > Phone > Voice Mail. Note This feature isn't available to all organizations. | Yes | Yes | Yes |