Permissions in Exchange Online

Exchange Online in Office 365 includes a large set of predefined permissions, based on the Role Based Access Control (RBAC) permissions model, which you can use right away to easily grant permissions to your administrators and users. You can use the permissions features in Exchange Online so that you can get your new organization up and running quickly.

RBAC is also the permissions model that's used in Microsoft Exchange Server. Most of the links in this topic refer to topics that reference Exchange Server. The concepts in those topics also apply to Exchange Online.

For information about permissions across Office 365, see Permissions in Office 365.

Note

Several RBAC features and concepts aren't discussed in this topic because they're advanced features. If the functionality discussed in this topic doesn't meet your needs, and you want to further customize your permissions model, see Understanding Role Based Access Control.

Role-based permissions

In Exchange Online, the permissions that you grant to administrators and users are based on management roles. A management role defines the set of tasks that an administrator or user can perform. For example, a management role called Mail Recipients defines the tasks that someone can perform on a set of mailboxes, contacts, and distribution groups. When a management role is assigned to an administrator or user, that person is granted the permissions provided by the management role.

Administrative roles and end-user roles are the two types of management roles. Following is a brief description of each type:

  • Administrative roles: These roles contain permissions that can be assigned to administrators or specialist users using role groups that manage a part of the Exchange Online organization, such as recipients, compliance management, or Unified Messaging.

  • End-user roles: These roles, which are assigned using role assignment policies, enable users to manage aspects of their own mailbox and distribution groups that they own. End-user roles begin with the prefix My.

Management roles give administrators and users permission to perform tasks by making cmdlets available to those who are assigned the roles. Because the Exchange admin center (EAC) and the Exchange Management Shell use cmdlets to manage Exchange Online, granting access to a cmdlet gives the administrator or user permission to perform the task in each of the Exchange Online management interfaces.

Exchange Online includes approximately 45 roles that you can use to grant permissions. For a list of roles, see Built-in Management Roles.

Note

Some management roles may be available only to on-premises Exchange Server installations and won't be available in Exchange Online.

Role groups and role assignment policies

Management roles grant permissions to perform tasks in Exchange Online, but you need an easy way to assign them to administrators and users. Exchange Online provides you with the following to help you make assignments:

  • Role groups: Role groups enable you to grant permissions to administrators and specialist users.

  • Role assignment policies: Role assignment policies enable you to grant permissions to end users to change settings on their own mailbox or distribution groups that they own.

The following sections provide more information about role groups and role assignment policies.

Role groups

Every administrator who manages Exchange Online must be assigned at least one role. Administrators might have more than one role because they may perform job functions that span multiple areas in Exchange Online. For example, one administrator might manage both recipients and Unified Messaging features in the Exchange Online organization. In this case, that administrator might be assigned both the Mail Recipients and Unified Messaging roles.

To make it easier to assign multiple roles to an administrator, Exchange Online includes role groups. When a role is assigned to a role group, the permissions granted by the role are granted to all the members of the role group. This enables you to assign many roles to many role group members at once. Role groups typically encompass broader management areas, such as recipient management. They're used only with administrative roles, and not end-user roles. Role group members can be Exchange Online users and other role groups.

Note

It's possible to assign a role directly to a user without using a role group. However, that method of role assignment is an advanced procedure and isn't covered in this topic. We recommend that you use role groups to manage permissions.

The following figure shows the relationship between users, role groups, and roles.

Figure: Roles, role groups, and role group members

Exchange Online includes several built-in role groups, each one providing permissions to manage specific areas in Exchange Online. Some role groups may overlap with other role groups. The following table lists each role group with a description of its use.

Built-in role groups

| Role group | Description |
| --- | --- |
| Company Administrators (TenantAdmins_<unique value>) | The Company Administrators role group is a special role group that ties together the Global administrators Office 365 role and the Organization Management Exchange Online role group. The Company Administrators role group doesn't have any roles assigned to it. However, it's a member of the Organization Management role group and inherits the permissions provided by that role group. This role group can't be managed in Exchange Online. You can add members to this role group by adding users to the Global administrator Office 365 role. |
| Discovery Management | Administrators or users who are members of the Discovery Management role group can perform searches of mailboxes in the Exchange Online organization for data that meets specific criteria and can also configure legal holds on mailboxes. |
| Help Desk | The Help Desk role group, by default, enables members to view and modify the Microsoft Outlook Web App options of any user in the organization. These options might include modifying the user's display name, address, and phone number. They don't include options that aren't available in Outlook Web App options, such as modifying the size of a mailbox or configuring the mailbox database on which a mailbox is located. |
| Help Desk Administrators (HelpdeskAdmins_<unique value>) | The Help Desk Administrators role group doesn't have any roles assigned to it. However, it's a member of the View-Only Organization Management role group and inherits the permissions provided by that role group. This role group can't be managed in Exchange Online. You can add members to this role group by adding users to the Password administrator Office 365 role. |
| Organization Management | Administrators who are members of the Organization Management role group have administrative access to the entire Exchange Online organization and can perform almost any task against any Exchange Online object, with some exceptions, such as the Discovery Management role. Important: Because the Organization Management role group is a powerful role, only users that perform organizational-level administrative tasks that can potentially impact the entire Exchange Online organization should be members of this role group. |
| Recipient Management | Administrators who are members of the Recipient Management role group have administrative access to create or modify Exchange Online recipients within the Exchange Online organization. |
| Records Management | Users who are members of the Records Management role group can configure compliance features, such as retention policy tags, message classifications, and transport rules. |
| UM Management | Administrators who are members of the UM Management role group can manage features in the Exchange Online organization such as UM properties on mailboxes, UM prompts, and UM auto attendant configuration. |
| View-Only Organization Management | Administrators who are members of the View Only Organization Management role group can view the properties of any object in the Exchange Online organization. |

If you work in a small organization that has only a few administrators, you might need to add those administrators to the Organization Management role group only, and you may never need to use the other role groups. If you work in a larger organization, you might have administrators who perform specific tasks administering Exchange Online, such as recipient or organization-wide Unified Messaging configuration. In those cases, you might add one administrator to the Recipient Management role group, and another administrator to the UM Management role group. Those administrators can then manage their specific areas of Exchange Online, but they won't have permissions to manage areas they're not responsible for.

If the built-in role groups in Exchange Online don't match the job function of your administrators, you can create role groups and add roles to them. For more information, see Work with role groups later in this topic.

Role assignment policies

Exchange Online provides role assignment policies so that you can control what settings your users can configure on their own mailboxes and on distribution groups they own. These settings include their display name, contact information, voice mail settings, and distribution group membership.

Your Exchange Online organization can have multiple role assignment policies that provide different levels of permissions for the different types of users in your organization. Some users can be allowed to change their address or create distribution groups, while others can't, depending on the role assignment policy associated with their mailbox. Role assignment policies are added directly to mailboxes, and each mailbox can only be associated with one role assignment policy at a time.

Of the role assignment policies in your organization, one is marked as default. The default role assignment policy is associated with new mailboxes that aren't explicitly assigned a specific role assignment policy when they're created. The default role assignment policy should contain the permissions that should be applied to the majority of your mailboxes.

Permissions are added to role assignment policies using end-user roles. End-user roles begin with My and grant permissions for users to manage only their mailbox or distribution groups they own. They can't be used to manage any other mailbox. Only end-user roles can be assigned to role assignment policies.

When an end-user role is assigned to a role assignment policy, all of the mailboxes associated with that role assignment policy receive the permissions granted by the role. This enables you to add or remove permissions to sets of users without having to configure individual mailboxes. The following figure shows:

  • End-user roles are assigned to role assignment policies. Role assignment policies can share the same end-user roles.

  • Role assignment policies are associated with mailboxes. Each mailbox can only be associated with one role assignment policy.

  • After a mailbox is associated with a role assignment policy, the end-user roles are applied to that mailbox. The permissions granted by the roles are granted to the user of the mailbox.

Figure: Roles, role assignment policies, and mailboxes

The Default Role Assignment Policy role assignment policy is included with Exchange Online. As the name implies, it's the default role assignment policy. If you want to change the permissions provided by this role assignment policy, or if you want to create role assignment policies, see Work with role assignment policies later in this topic.

Office 365 permissions in Exchange Online

When you create a user in Office 365, you can choose whether to assign various administrative roles, such as Global administrator, Service administrator, Password administrator, and so on, to the user. Some, but not all, Office 365 roles grant the user administrative permissions in Exchange Online.

Note

The user that was used to create your Office 365 tenant is automatically assigned to the Global administrator Office 365 role.

The following table lists the Office 365 roles and the Exchange Online role group they correspond to.

| Office 365 role | Exchange Online role group |
| --- | --- |
| Global administrator | Organization Management. Note: The Global administrator role and the Organization Management role group are tied together using a special Company Administrator role group. The Company Administrator role group is managed internally by Exchange Online and can't be modified directly. |
| Billing administrator | No corresponding Exchange Online role group. |
| Password administrator | Help Desk administrator |
| Service administrator | No corresponding Exchange Online role group. |
| User management administrator | No corresponding Exchange Online role group. |

For a description of the Exchange Online role groups, see the table "Built-in role groups" in Role groups.

When you add a user to either the Global administrator or Password administrator Office 365 roles, the user is granted the rights provided by the respective Exchange Online role group. Other Office 365 roles don't have a corresponding Exchange Online role group and won't grant administrative permissions in Exchange Online. For more information about assigning an Office 365 role to a user, see Assigning admin roles.

Users can be granted administrative rights in Exchange Online without adding them to Office 365 roles. This is done by adding the user as a member of an Exchange Online role group. When a user is added directly to an Exchange Online role group, they'll receive the permissions granted by that role group in Exchange Online. However, they won't be granted any permissions to other Office 365 components. They'll have administrative permissions only in Exchange Online. Users can be added to any of the role groups listed in the "Built-in role groups" table in Role groups, with the exception of the Company Administrator and Help Desk Administrators role groups. For more information about adding a user directly to an Exchange Online role group, see Work with role groups.

Work with role groups

To manage your permissions using role groups in Exchange Online, we recommend that you use the EAC. When you use the EAC to manage role groups, you can add and remove roles and members, create role groups, and copy role groups with a few clicks of your mouse. The EAC provides simple dialog boxes, such as the new role group dialog box, shown in the following figure, to perform these tasks.

Figure: New role group dialog box in the EAC

Exchange Online includes several role groups that separate permissions into specific administrative areas. If these existing role groups provide the permissions your administrators need to manage your Exchange Online organization, you need only add your administrators as members of the appropriate role groups. After you add administrators to a role group, they can administer the features that relate to that role group. To add or remove members to or from a role group, open the role group in the EAC, and then add or remove members from the membership list. For a list of built-in role groups, see the table "Built-in role groups" in Role groups.

Important

If an administrator is a member of more than one role group, Exchange Online grants the administrator all of the permissions provided by the role groups he or she is a member of.
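As an added example (not part of the original topic), the following Exchange Online PowerShell script reports, for each administrator, the role groups they belong to and the combined number of roles those groups grant, following role groups that are members of other role groups. It assumes a session already opened with Connect-ExchangeOnline; the function name Get-NestedRoleGroupUser and the report column names are hypothetical.

```powershell
# Added example. Assumes an open Exchange Online PowerShell session
# (Connect-ExchangeOnline). Read-only: it changes nothing in the tenant.

$roleGroups = Get-RoleGroup -ResultSize Unlimited
$groupNames = $roleGroups.Name

# Return the names of the user members of a role group, following members
# that are themselves role groups (role groups can contain role groups).
function Get-NestedRoleGroupUser {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [string[]] $Visited = @()
    )
    if ($Visited -contains $GroupName) { return }   # stop on membership loops
    $Visited += $GroupName
    foreach ($member in Get-RoleGroupMember -Identity $GroupName -ResultSize Unlimited) {
        if ($groupNames -contains $member.Name) {
            Get-NestedRoleGroupUser -GroupName $member.Name -Visited $Visited
        } else {
            $member.Name
        }
    }
}

# Map each user to the set of role groups and the union of roles they hold.
# Users are keyed by display name here, so two accounts that share a name
# would be merged; key on a unique property if that matters in your tenant.
$effective = @{}
foreach ($rg in $roleGroups) {
    $users = Get-NestedRoleGroupUser -GroupName $rg.Name | Sort-Object -Unique
    foreach ($user in $users) {
        if (-not $effective.ContainsKey($user)) {
            $effective[$user] = @{
                Groups = [System.Collections.Generic.HashSet[string]]::new()
                Roles  = [System.Collections.Generic.HashSet[string]]::new()
            }
        }
        [void]$effective[$user].Groups.Add($rg.Name)
        foreach ($role in $rg.Roles) {
            [void]$effective[$user].Roles.Add("$role")
        }
    }
}

# One row per administrator. OrgManagement marks membership of the role
# group that the table above says should be limited to organization-level
# administrators; MultipleGroups marks permissions combined from several groups.
$report = foreach ($user in ($effective.Keys | Sort-Object)) {
    $entry = $effective[$user]
    [pscustomobject]@{
        User           = $user
        RoleGroups     = ($entry.Groups | Sort-Object) -join '; '
        RoleCount      = $entry.Roles.Count
        OrgManagement  = $entry.Groups.Contains('Organization Management')
        MultipleGroups = $entry.Groups.Count -gt 1
    }
}

$report | Sort-Object RoleCount -Descending | Format-Table -AutoSize
```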

If none of the role groups included with Exchange Online have the permissions you need, you can use the EAC to create a role group and add the roles that have the permissions you need. For your new role group, you will:

  1. Choose a name for your role group.

  2. Select the roles you want to add to the role group.

  3. Add members to the role group.

  4. Save the role group.

After you create the role group, you manage it like any other role group.

If there's an existing role group that has some, but not all, of the permissions you need, you can copy it and then make changes to create a role group. You can copy an existing role group and make changes to it, without affecting the original role group. As part of copying the role group, you can add a new name and description, add and remove roles to and from the new role group, and add new members. When you create or copy a role group, you use the same dialog box that's shown in the preceding figure.

Existing role groups can also be modified. You can add and remove roles from existing role groups, and add and remove members from them at the same time, using an EAC dialog box similar to the one in the preceding figure. By adding and removing roles to and from role groups, you turn on and off administrative features for members of that role group.

Note

Although you can change which roles are assigned to built-in role groups, we recommend that you copy built-in role groups, modify the role group copy, and then add members to the role group copy.

The Company Administrator and Help Desk administrator role groups can't be copied or changed.


Work with role assignment policies

To manage the permissions that you grant end users to manage their own mailbox in Exchange Online, we recommend that you use the EAC. When you use the EAC to manage end-user permissions, you can add roles, remove roles, and create role assignment policies with a few clicks of your mouse. The EAC provides simple dialog boxes, such as the role assignment policy dialog box, shown in the following figure, to perform these tasks.

Figure: Role assignment policy dialog box in the EAC

Exchange Online includes a role assignment policy named Default Role Assignment Policy. This role assignment policy enables users whose mailboxes are associated with it to do the following:

  • Join or leave distribution groups that allow members to manage their own membership.

  • View and modify basic mailbox settings on their own mailbox, such as Inbox rules, spelling behavior, junk mail settings, and Microsoft ActiveSync devices.

  • Modify their contact information, such as work address and phone number, mobile phone number, and pager number.

  • Create, modify, or view text message settings.

  • View or modify voice mail settings.

  • View and modify their marketplace apps.

  • Create team mailboxes and connect them to Microsoft SharePoint lists.

  • Create, modify, or view email subscription settings, such as message format and protocol defaults.

If you want to add or remove permissions from the Default Role Assignment Policy or any other role assignment policy, you can use the EAC. The dialog box you use is similar to the one in the preceding figure. When you open the role assignment policy in the EAC, select the check box next to the roles you want to assign to it or clear the check box next to the roles you want to remove. The change you make to the role assignment policy is applied to every mailbox associated with it.

If you want to assign different end-user permissions to the various types of users in your organization, you can create role assignment policies. When you create a role assignment policy, you see a dialog box similar to the one in the preceding figure. You can specify a new name for the role assignment policy, and then select the roles you want to assign to the role assignment policy. After you create a role assignment policy, you can associate it with mailboxes using the EAC.

If you want to change which role assignment policy is the default, you must use the Exchange Management Shell. When you change the default role assignment policy, any mailboxes that are created will be associated with the new default role assignment policy if one wasn't explicitly specified. The role assignment policy associated with existing mailboxes doesn't change when you select a new default role assignment policy.
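An added example, not from the original topic, of changing the default policy in Exchange Online PowerShell and confirming that existing mailboxes keep the policy they already had. It assumes a session opened with Connect-ExchangeOnline; the policy name Restricted Users Policy and the two end-user roles chosen for it are placeholders.

```powershell
# Added example. Assumes an open Exchange Online PowerShell session.
# 'Restricted Users Policy' is a hypothetical policy name.
$newDefault = 'Restricted Users Policy'

# 1. Snapshot the role assignment policy of every existing mailbox.
$before = @{}
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $before["$($_.ExchangeGuid)"] = "$($_.RoleAssignmentPolicy)"
}

# 2. Create the policy with a narrow set of end-user (My*) roles if it
#    does not exist yet. Only end-user roles can be assigned to a policy.
if (-not (Get-RoleAssignmentPolicy | Where-Object Name -eq $newDefault)) {
    New-RoleAssignmentPolicy -Name $newDefault `
        -Roles 'MyBaseOptions', 'MyContactInformation' | Out-Null
}

# 3. Mark it as the default. Mailboxes created from now on without an
#    explicit policy are associated with it.
Set-RoleAssignmentPolicy -Identity $newDefault -IsDefault

# 4. Confirm that exactly one policy is flagged as default and review
#    the roles each policy carries.
Get-RoleAssignmentPolicy |
    Format-Table Name, IsDefault, AssignedRoles -AutoSize

# 5. Compare against the snapshot. Changing the default should not have
#    touched any mailbox that existed before step 3.
$changed = Get-Mailbox -ResultSize Unlimited | Where-Object {
    $key = "$($_.ExchangeGuid)"
    $before.ContainsKey($key) -and
        $before[$key] -ne "$($_.RoleAssignmentPolicy)"
}
"Existing mailboxes whose policy changed: $(@($changed).Count)"

# 6. List mailboxes that are still on another policy. Moving them is a
#    separate, explicit step per mailbox, for example:
#    Set-Mailbox -Identity <mailbox> -RoleAssignmentPolicy $newDefault
Get-Mailbox -ResultSize Unlimited |
    Where-Object { "$($_.RoleAssignmentPolicy)" -ne $newDefault } |
    Select-Object DisplayName, RoleAssignmentPolicy
```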

Note

If you select a check box for a role that has child roles, the check boxes for the child roles are also selected. If you clear the check box for a role with child roles, the check boxes for the child roles are also cleared.

Permissions documentation

The following table contains links to topics that will help you learn about and manage permissions in Exchange Online.

| Topic | Description |
| --- | --- |
| Understanding Role Based Access Control | Learn about each of the components that make up RBAC and how you can create advanced permissions models if role groups and management roles aren't enough. |
| Manage Role Groups | Configure permissions for Exchange Online administrators and specialist users using role groups. |
| Manage Role Group Members | Add members to and remove members from role groups. By adding and removing members to and from role groups, you configure who's able to administer Exchange Online features. |
| Manage Role Assignment Policies | Configure which features end users have access to on their mailboxes using role assignment policies, and change which role assignment policy is the default assignment policy. |
| Change the Assignment Policy on a Mailbox | Configure which role assignment policy is applied to one or more mailboxes. |
| View Effective Permissions | View who has permissions to administer Exchange Online features. |
| Feature permissions in Exchange Online | Learn more about the permissions required to manage Exchange Online features and services. |