Permissions

Summary: Learn about Role Based Access Control in Exchange Server 2016.

Microsoft Exchange Server 2016 includes a large set of predefined permissions, based on the Role Based Access Control (RBAC) permissions model, which you can use right away to grant permissions to your administrators and users. The permissions features in Exchange 2016 let you get a new organization up and running quickly without first designing a permissions model of your own.

Role-based permissions

In Exchange 2016, the permissions that you grant to administrators and users are based on management roles. A role defines the set of tasks that an administrator or user can perform. For example, a management role called Mail Recipients defines the tasks that someone can perform on a set of mailboxes, contacts, and distribution groups. When a role is assigned to an administrator or user, that person is granted the permissions provided by the role.

There are two types of roles, administrative roles and end-user roles:

  • Administrative roles: These roles contain permissions that are assigned, through role groups, to administrators or specialist users who manage a part of the Exchange organization, such as recipients, servers, or databases.

  • End-user roles: These roles, assigned using role assignment policies, enable users to manage aspects of their own mailbox and of the distribution groups they own. End-user roles begin with the prefix My.

Roles grant permissions by making cmdlets (and, within each cmdlet, a specific set of parameters) available to those who are assigned the roles. Because both the Exchange admin center (EAC) and the Exchange Management Shell run cmdlets to manage Exchange, granting access to a cmdlet gives the administrator or user permission to perform the task in every Exchange management interface. The reverse also holds: if no role assigned to a user contains a cmdlet, that user cannot run it from the Shell, from the EAC, or through remote PowerShell, regardless of any other group membership.

Role groups and role assignment policies

Roles grant permissions to perform tasks in Exchange 2016, but you need an easy way to assign them to administrators and users. Exchange 2016 provides the following to help you do that:

  • Role groups: Role groups enable you to grant permissions to administrators and specialist users.

  • Role assignment policies: Role assignment policies enable you to grant permissions to end users to change settings on their own mailbox or on distribution groups that they own.

For more information about role groups and role assignment policies, see the following sections.

Role groups

Every administrator who manages Exchange 2016 needs to be assigned at least one role. Administrators might have more than one role because they may perform job functions that span multiple areas in Exchange. For example, one administrator might manage both recipients and Exchange servers. In this case, that administrator might be assigned both the Mail Recipients and Exchange Servers roles.

To make it easier to assign multiple roles to an administrator, Exchange 2016 includes role groups. Role groups are special universal security groups (USGs) used by Exchange 2016 that can contain Active Directory users, USGs, and other role groups. When a role is assigned to a role group, the permissions granted by the role are granted to all the members of the role group. This enables you to assign many roles to many role group members at once. Role groups typically encompass broader management areas, such as recipient management. They're used only with administrative roles, not end-user roles.

Note

It's possible to assign a role directly to a user or USG without using a role group. However, that method of role assignment is an advanced procedure and isn't covered in this topic. We recommend that you use role groups to manage permissions: direct assignments are easy to lose track of during access reviews, whereas role group membership can be audited like any other group.

The following figure shows the relationship between users, role groups, and roles.

Figure: Roles, role groups, and role group members

Exchange 2016 includes several built-in role groups, each one providing permissions to manage specific areas in Exchange 2016. Some role groups may overlap with others. The following table lists each role group with a description of its use. To see the roles assigned to a particular role group, open that role group's own topic and its "Management Roles Assigned to This Role Group" section.

Important

If an administrator is a member of more than one role group, Exchange 2016 grants the administrator all of the permissions provided by every role group he or she is a member of. Permissions are cumulative; there is no "deny" in RBAC, so adding someone to a second role group can only widen what they can do.

Built-in role groups

Role group / Description

Organization Management
  Administrators who are members of the Organization Management role group have administrative access to the entire Exchange 2016 organization and can perform almost any task against any Exchange 2016 object, with some exceptions, such as the Discovery Management role.
  Important: Because the Organization Management role group is a powerful role, only users or USGs that perform organizational-level administrative tasks that can potentially impact the entire Exchange organization should be members of this role group. Note that the Discovery Management exception is a separation-of-duties default rather than a hard boundary: members of Organization Management can add themselves to the Discovery Management role group, so membership of Organization Management should be reviewed regularly.

View-Only Organization Management
  Administrators who are members of the View-Only Organization Management role group can view the properties of any object in the Exchange organization.

Recipient Management
  Administrators who are members of the Recipient Management role group have administrative access to create or modify Exchange 2016 recipients within the Exchange 2016 organization.

UM Management
  Administrators who are members of the UM Management role group can manage features in the Exchange organization such as Unified Messaging (UM) service configuration, UM properties on mailboxes, UM prompts, and UM auto attendant configuration.

Help Desk
  The Help Desk role group, by default, enables members to view and modify the Microsoft Office Outlook Web App options of any user in the organization. These options might include modifying the user's display name, address, and phone number. They don't include options that aren't available in Outlook Web App options, such as modifying the size of a mailbox or configuring the mailbox database on which a mailbox is located.

Hygiene Management
  Administrators who are members of the Hygiene Management role group can configure the antivirus and antispam features of Exchange 2016. Third-party programs that integrate with Exchange 2016 can add service accounts to this role group to grant those programs access to the cmdlets required to retrieve and configure the Exchange configuration.

Records Management
  Users who are members of the Records Management role group can configure compliance features, such as retention policy tags, message classifications, and transport rules.

Discovery Management
  Administrators or users who are members of the Discovery Management role group can perform searches of mailboxes in the Exchange organization for data that meets specific criteria and can also configure legal holds on mailboxes.

Public Folder Management
  Administrators who are members of the Public Folder Management role group can manage public folders on servers running Exchange 2016.

Server Management
  Administrators who are members of the Server Management role group can configure server-specific settings for transport, Unified Messaging, client access, and mailbox features, such as database copies, certificates, transport queues and Send connectors, virtual directories, and client access protocols.

Delegated Setup
  Administrators who are members of the Delegated Setup role group can deploy servers running Exchange 2016 that have been previously provisioned by a member of the Organization Management role group.

Compliance Management
  Users who are members of the Compliance Management role group can configure and manage Exchange compliance settings in accordance with their organization's policy.

If you work in a small organization that has only a few administrators, you might only ever use the Organization Management role group, and none of the others. If you work in a larger organization, you might have administrators who perform specific tasks administering Exchange, such as recipient or server management. In those cases, you might add one administrator to the Recipient Management role group, and another administrator to the Server Management role group. Those administrators can then manage their specific areas of Exchange 2016 but won't have permissions to manage areas they're not responsible for.

If you can't find a built-in role group that fits the jobs your administrators need to do, you can create role groups and add roles to them. For more information, see Work with role groups later in this topic.
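Because permissions are cumulative across role groups and each role ultimately resolves to a set of cmdlets, the question a reviewer needs answered is not "which role groups is this account in" but "which cmdlets can this account actually run, and who else can run the dangerous ones". The following Exchange Management Shell script is an added example, not part of the Exchange documentation; it uses only the standard RBAC cmdlets. The account name alice and the list of "sensitive" cmdlets are assumptions for the example.

```powershell
# Added example; not from the Exchange documentation. Answers two RBAC audit
# questions: which cmdlets can one administrator run (the union of every role in
# every role group the account belongs to), and who in the organization can run
# a given sensitive cmdlet at all. Run in the Exchange Management Shell.
# The account name and the "sensitive" cmdlet list are assumptions.

$Admin     = 'alice'                          # assumed administrator under review
$Sensitive = @(                               # assumed list of cmdlets worth a second look
    'Search-Mailbox',
    'New-MailboxExportRequest',
    'New-ManagementRoleAssignment',
    'Add-RoleGroupMember',
    'Add-MailboxPermission'
)

# 1. Every regular (non-delegating) role assignment that reaches the account,
#    directly or through role group membership, with the scope each one carries.
$Assignments = Get-ManagementRoleAssignment -RoleAssignee $Admin -Delegating $false

"Roles reaching $Admin (union across all role groups):"
$Assignments |
    Select-Object Role, RoleAssigneeName, RoleAssigneeType,
                  RecipientWriteScope, ConfigWriteScope |
    Sort-Object Role, RoleAssigneeName -Unique |
    Format-Table -AutoSize

# 2. Flatten those roles into the cmdlets they expose. A role entry is one
#    cmdlet (and the parameters it permits) inside one role.
$Cmdlets = foreach ($a in $Assignments) {
    Get-ManagementRoleEntry "$($a.Role)\*" |
        Select-Object @{ n = 'Cmdlet'; e = { $_.Name } }, Role
}
$Cmdlets = $Cmdlets | Sort-Object Cmdlet, Role -Unique

"Sensitive cmdlets $Admin can run, and the role(s) that grant them:"
$Cmdlets |
    Where-Object { $Sensitive -contains $_.Cmdlet } |
    Format-Table -AutoSize

# 3. The reverse view: for each sensitive cmdlet, which roles contain it and
#    which accounts effectively hold those roles. GetEffectiveUsers expands
#    role group and USG membership into individual users.
$Holders = foreach ($cmd in $Sensitive) {
    foreach ($r in (Get-ManagementRole -Cmdlet $cmd)) {
        Get-ManagementRoleAssignment -Role $r.Name -GetEffectiveUsers -Delegating $false |
            Select-Object @{ n = 'Cmdlet'; e = { $cmd } }, Role, EffectiveUserName, RoleAssigneeName
    }
}

"Everyone who can run a sensitive cmdlet, and through which role group:"
$Holders |
    Sort-Object Cmdlet, EffectiveUserName, Role -Unique |
    Format-Table -AutoSize
```

Delegating assignments are excluded on purpose: they let the holder hand a role to others but do not let the holder run its cmdlets, so they belong in a separate review of who can change permissions rather than who holds them. The third section is the one to run against the built-in role groups before you trust the table above; it shows, for example, that a user who never appears in Discovery Management can still hold Search-Mailbox through another group.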

Role assignment policies

Exchange 2016 provides role assignment policies so that you can control what settings your users can configure on their own mailboxes and on distribution groups they own. These settings include their display name, contact information, voice mail settings, and distribution group membership.

Your Exchange 2016 organization can have multiple role assignment policies that provide different levels of permissions for the different types of users in your organization. Some users can be allowed to change their address or create distribution groups, while others can't. It all depends on the role assignment policy associated with their mailbox. Role assignment policies are applied directly to mailboxes, and each mailbox can be associated with only one role assignment policy at a time.

Of the role assignment policies in your organization, one is marked as default. The default role assignment policy is associated with new mailboxes that aren't explicitly assigned a specific role assignment policy when they're created. The default role assignment policy should contain the permissions that should apply to the majority of your mailboxes.

Permissions are added to role assignment policies using end-user roles. End-user roles begin with My and grant permissions for users to manage only their own mailbox or distribution groups they own. They can't be used to manage any other mailbox. Only end-user roles can be assigned to role assignment policies.

When an end-user role is assigned to a role assignment policy, all of the mailboxes associated with that role assignment policy receive the permissions granted by the role. This enables you to add or remove permissions for sets of users without configuring individual mailboxes. The following figure shows:

  • End-user roles are assigned to role assignment policies. Role assignment policies can share the same end-user roles.

  • Role assignment policies are associated with mailboxes. Each mailbox can be associated with only one role assignment policy.

  • After a mailbox is associated with a role assignment policy, the end-user roles are applied to that mailbox. The permissions granted by the roles are granted to the user of the mailbox.

Figure: Roles, role assignment policies, and mailboxes

The role assignment policy named Default Role Assignment Policy is included with Exchange 2016. As the name implies, it's the default role assignment policy. If you want to change the permissions provided by this role assignment policy, or if you want to create role assignment policies, see Work with role assignment policies later in this topic.

Work with role groups

To manage your permissions using role groups in Exchange 2016, we recommend that you use the Exchange admin center (EAC). When you use the EAC to manage role groups, you can add and remove roles and members, create role groups, and copy role groups with a few clicks. The EAC provides simple dialog boxes, such as the new role group dialog box shown in the following figure, to perform these tasks.

Figure: New role group dialog box in the EAC

If none of the role groups included with Exchange 2016 have the permissions you need, you can use the EAC to create a role group and add the roles that have the permissions you need. For your new role group, you'll need to:

  1. Choose a name for your role group.

  2. Select the roles you want to add to the role group.

  3. Add members to the role group.

  4. Save the role group.

After you create the role group, you manage it like any other role group.

If there's an existing role group that has some, but not all, of the permissions you need, you can copy it and then change the copy. Copying an existing role group lets you make changes without affecting the original role group. As part of copying the role group, you can give the copy a new name and description, add roles to and remove roles from the new role group, and add new members. When you create or copy a role group, you use the same dialog box that's shown in the preceding figure.

Existing role groups can also be modified. Using an EAC dialog box similar to the one in the preceding figure, you can add and remove roles and add and remove members at the same time. By adding and removing roles, you turn administrative features on and off for the members of that role group.

Note

Although you can change which roles are assigned to built-in role groups, we recommend that you copy built-in role groups, modify the copy, and then add members to the copy. Leaving the built-in groups unchanged keeps their documented permissions as a known baseline, which makes later reviews and troubleshooting much easier.
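The four EAC steps above (name, roles, members, save), the copy-a-role-group procedure, and the recommendation to modify a copy rather than a built-in group map directly onto a handful of Shell cmdlets, and the Shell form is what you would put in a change script or an audit trail. The following is an added example, not from the Exchange documentation; the role group names, description, member accounts, and the choice of Reset Password as the extra role are assumptions for the example.

```powershell
# Added example; not from the Exchange documentation. Creates a role group the
# way the EAC dialog does, then copies a built-in role group and tailors the
# copy instead of the original. Run in the Exchange Management Shell. Role
# group names, description, member accounts, and role choices are assumptions.

# Steps 1-4 in one call: name, roles, members, and save.
New-RoleGroup -Name 'Mailbox Provisioning' `
    -Description 'Creates and modifies mailboxes only; no server or transport access' `
    -Roles 'Mail Recipient Creation', 'Mail Recipients' `
    -Members 'bob', 'dana'

# Copy a built-in role group rather than editing it: read its role list and
# create a new group carrying the same roles. The built-in group is untouched.
$Source = Get-RoleGroup 'Recipient Management'
New-RoleGroup -Name 'Limited Recipient Management' `
    -Description 'Recipient Management without distribution group rights' `
    -Roles $Source.Roles

# A role is linked to a role group by a management role assignment, so
# removing a role from the copy means removing that assignment.
Get-ManagementRoleAssignment -RoleAssignee 'Limited Recipient Management' -Role 'Distribution Groups' |
    Remove-ManagementRoleAssignment -Confirm:$false

# Adding a role to the copy creates a new assignment. 'Reset Password' is an
# assumed choice for the example.
New-ManagementRoleAssignment -Role 'Reset Password' -SecurityGroup 'Limited Recipient Management'

# Only now add people to the copy.
Add-RoleGroupMember -Identity 'Limited Recipient Management' -Member 'erin'

# Verify the result: who is in the group, and which roles (with what scope)
# now reach them.
Get-RoleGroupMember 'Limited Recipient Management'
Get-ManagementRoleAssignment -RoleAssignee 'Limited Recipient Management' |
    Select-Object Role, RecipientWriteScope, ConfigWriteScope |
    Format-Table -AutoSize
```

Two practical points: the role assignment, not the role group, is the object that carries a scope, so the last command is where you confirm that a "limited" group really is limited; and because the built-in Recipient Management group was never modified, its membership and role list remain exactly as documented, which is the property the note above is protecting.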

Work with role assignment policies

To manage the permissions that you grant end users to manage their own mailbox in Exchange 2016, we recommend that you use the EAC. When you use the EAC to manage end-user permissions, you can add roles, remove roles, and create role assignment policies with a few clicks. The EAC provides simple dialog boxes, such as the role assignment policy dialog box shown in the following figure, to perform these tasks.

Figure: Role assignment policy dialog box in the EAC

Exchange 2016 includes a role assignment policy named Default Role Assignment Policy. This role assignment policy enables users whose mailboxes are associated with it to do the following:

  • Join or leave distribution groups that allow members to manage their own membership.

  • View and modify basic mailbox settings on their own mailbox, such as Inbox rules, spelling behavior, junk mail settings, and Microsoft ActiveSync devices.

  • Modify their contact information, such as work address and phone number, mobile phone number, and pager number.

  • Create, modify, or view text message settings.

  • View or modify voice mail settings.

  • View and modify their marketplace apps.

  • Create team mailboxes and connect them to Microsoft SharePoint lists.

If you want to add or remove permissions from the Default Role Assignment Policy or any other role assignment policy, you can use the EAC. When you open the role assignment policy in the EAC, select the check box next to the roles you want to assign to it or clear the check box next to the roles you want to remove. The change you make to the role assignment policy is applied to every mailbox associated with it.

If you want to assign different end-user permissions to the various types of users in your organization, you can create role assignment policies. You specify a new name for the role assignment policy, and then select the roles you want to assign to it. After you create a role assignment policy, you can associate it with mailboxes using the EAC.

If you want to change which role assignment policy is the default, you need to use the Exchange Management Shell. When you change the default role assignment policy, any mailboxes created afterwards without an explicitly specified policy will be associated with the new default role assignment policy. The role assignment policy associated with existing mailboxes doesn't change when you select a new default role assignment policy.
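Because changing the default only affects mailboxes created from then on, a new, more restrictive policy has to be rolled out in three distinct steps: create it, make it the default, and then explicitly move the mailboxes that already exist. The following Exchange Management Shell script is an added example, not from the Exchange documentation; the policy name, the role selection, and the mailbox name frank are assumptions for the example.

```powershell
# Added example; not from the Exchange documentation. Creates a restrictive
# end-user policy, adjusts its roles, makes it the default (Shell only), and
# then moves existing mailboxes, which the default change does not touch.
# Run in the Exchange Management Shell. Policy name, role selection, and
# mailbox names are assumptions.

# What the built-in default policy currently grants.
Get-ManagementRoleAssignment -RoleAssignee 'Default Role Assignment Policy' |
    Select-Object Role | Sort-Object Role | Format-Table -AutoSize

# A policy for users who may edit contact details but not create, join, or
# leave distribution groups. Only roles prefixed "My" can go into a policy.
New-RoleAssignmentPolicy -Name 'Restricted End Users' `
    -Description 'Contact info and base options only; no distribution group management' `
    -Roles 'MyBaseOptions', 'MyContactInformation', 'MyTextMessaging', 'MyVoiceMail'

# Roles can be added to or removed from a policy later. Each link is a
# management role assignment, the same object that links roles to role groups.
New-ManagementRoleAssignment -Role 'MyProfileInformation' -Policy 'Restricted End Users'
Get-ManagementRoleAssignment -RoleAssignee 'Restricted End Users' -Role 'MyVoiceMail' |
    Remove-ManagementRoleAssignment -Confirm:$false

# Make it the default. Only mailboxes created from now on without an explicit
# policy pick it up; existing mailboxes keep whatever policy they had.
Set-RoleAssignmentPolicy -Identity 'Restricted End Users' -IsDefault
Get-RoleAssignmentPolicy | Select-Object Name, IsDefault

# Move an existing mailbox explicitly ...
Set-Mailbox -Identity 'frank' -RoleAssignmentPolicy 'Restricted End Users'

# ... or move every user mailbox still on the old default. Filtering on the
# policy's Name property keeps the comparison a plain string match.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { $_.RoleAssignmentPolicy.Name -eq 'Default Role Assignment Policy' } |
    Set-Mailbox -RoleAssignmentPolicy 'Restricted End Users'

# Confirm the distribution: each mailbox has exactly one policy.
Get-Mailbox -ResultSize Unlimited |
    Group-Object { $_.RoleAssignmentPolicy.Name } |
    Select-Object Name, Count
```

Run the first and last commands again after the rollout: the first shows what the old default still grants to anyone left on it, and the last shows whether anyone is left. Shared and resource mailboxes are excluded from the bulk move by the RecipientTypeDetails filter, which is usually what you want, since their "users" are the delegates rather than the mailbox itself.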

Notes:

  • If you select the check box for a role that has child roles, the check boxes for the child roles are also selected. If you clear the check box for a role with child roles, the check boxes for the child roles are also cleared.

  • For detailed steps about how to create role assignment policies or make changes to existing role assignment policies, see the following topics: