Permissions

Summary: Learn about Role Based Access Control in Exchange Server 2016.

Microsoft Exchange Server 2016 includes a large set of predefined permissions, based on the Role Based Access Control (RBAC) permissions model, that you can use right away to grant permissions to your administrators and users. The permissions features in Exchange 2016 let you get a new organization up and running quickly without having to define every permission yourself.

Role-based permissions

In Exchange 2016, the permissions that you grant to administrators and users are based on management roles. A role defines the set of tasks that an administrator or user can perform. For example, a management role called Mail Recipients defines the tasks that someone can perform on a set of mailboxes, contacts, and distribution groups. When a role is assigned to an administrator or user, that person is granted the permissions provided by the role.

There are two types of roles, administrative roles and end-user roles:

  • Administrative roles: These roles contain permissions that can be assigned, using role groups, to administrators or specialist users who manage a part of the Exchange organization, such as recipients, servers, or databases.

  • End-user roles: These roles, assigned using role assignment policies, let users manage aspects of their own mailbox and of distribution groups that they own. End-user role names begin with the prefix My.

Roles grant permissions by making cmdlets available to the administrators and users who are assigned them. Because both the Exchange admin center (EAC) and the Exchange Management Shell run cmdlets to manage Exchange, granting access to a cmdlet gives the administrator or user permission to perform that task in either management interface; the EAC does not have a separate permission model that can be bypassed by going to the Shell, or the other way round.

Role groups and role assignment policies

Roles grant permissions to perform tasks in Exchange 2016, but you need an easy way to assign them to administrators and users. Exchange 2016 provides the following to help you do that:

  • Role groups: Role groups let you grant permissions to administrators and specialist users.

  • Role assignment policies: Role assignment policies let you grant permissions to end users to change settings on their own mailbox or on distribution groups that they own.

For more information about role groups and role assignment policies, see the following sections.

Role groups

Every administrator who manages Exchange 2016 needs to be assigned at least one role. Administrators might have more than one role because their job functions span multiple areas of Exchange. For example, one administrator might manage both recipients and Exchange servers. In that case, the administrator might be assigned both the Mail Recipients and Exchange Servers roles.

To make it easier to assign multiple roles to an administrator, Exchange 2016 includes role groups. Role groups are special universal security groups (USGs) used by Exchange 2016 that can contain Active Directory users, USGs, and other role groups. When a role is assigned to a role group, the permissions granted by the role are granted to all members of the role group. This lets you assign many roles to many role group members at once. Role groups typically cover broader management areas, such as recipient management. They're used only with administrative roles, not with end-user roles.

Note

It's possible to assign a role directly to a user or USG without using a role group. However, that method of role assignment is an advanced procedure and isn't covered in this topic. We recommend that you use role groups to manage permissions.

The following figure shows the relationship between users, role groups, and roles.

Roles, role groups, and role group members

(Figure: relationship between roles, role groups, and role group members)

Exchange 2016 includes several built-in role groups, each one providing permissions to manage a specific area of Exchange 2016. Some role groups overlap with others. The following table lists each role group with a description of its use. The roles assigned to each role group are listed in that role group's own topic, under "Management Roles Assigned to This Role Group".

Important

If an administrator is a member of more than one role group, Exchange 2016 grants the administrator all of the permissions provided by every role group he or she is a member of. Because membership is cumulative (and role groups can be nested), review an administrator's effective permissions across all groups rather than one group at a time.

Built-in role groups

Role group: Description

Organization Management: Administrators who are members of the Organization Management role group have administrative access to the entire Exchange 2016 organization and can perform almost any task against any Exchange 2016 object, with some exceptions, such as the tasks granted by the Discovery Management role group.
Important: Because the Organization Management role group is a powerful role group, only users or USGs that perform organization-level administrative tasks that can potentially affect the entire Exchange organization should be members of it.

View-Only Organization Management: Administrators who are members of the View-Only Organization Management role group can view the properties of any object in the Exchange organization.

Recipient Management: Administrators who are members of the Recipient Management role group have administrative access to create or modify Exchange 2016 recipients within the Exchange 2016 organization.

UM Management: Administrators who are members of the UM Management role group can manage features in the Exchange organization such as Unified Messaging (UM) service configuration, UM properties on mailboxes, UM prompts, and UM auto attendant configuration.

Help Desk: The Help Desk role group, by default, lets members view and modify the Microsoft Office Outlook Web App options of any user in the organization. These options include the user's display name, address, and phone number. They don't include settings that aren't exposed in Outlook Web App options, such as the size of a mailbox or the mailbox database on which a mailbox is located.

Hygiene Management: Administrators who are members of the Hygiene Management role group can configure the antivirus and antispam features of Exchange 2016. Third-party programs that integrate with Exchange 2016 can add service accounts to this role group to give those programs access to the cmdlets required to retrieve and configure the Exchange configuration.

Records Management: Users who are members of the Records Management role group can configure compliance features, such as retention policy tags, message classifications, and transport rules.

Discovery Management: Administrators or users who are members of the Discovery Management role group can search mailboxes in the Exchange organization for data that meets specific criteria and can also configure legal holds on mailboxes.

Public Folder Management: Administrators who are members of the Public Folder Management role group can manage public folders on servers running Exchange 2016.

Server Management: Administrators who are members of the Server Management role group can configure server-specific transport, Unified Messaging, client access, and mailbox features, such as database copies, certificates, transport queues and Send connectors, virtual directories, and client access protocols.

Delegated Setup: Administrators who are members of the Delegated Setup role group can deploy servers running Exchange 2016 that have previously been provisioned by a member of the Organization Management role group.

Compliance Management: Users who are members of the Compliance Management role group can configure and manage Exchange compliance settings in accordance with their organization's policy.

If you work in a small organization with only a few administrators, you might only ever use the Organization Management role group and none of the others. If you work in a larger organization, you might have administrators who perform specific tasks, such as recipient or server management. In those cases, you might add one administrator to the Recipient Management role group and another to the Server Management role group. Those administrators can then manage their specific areas of Exchange 2016 but won't have permissions to manage areas they're not responsible for.

If you can't find a built-in role group that fits the jobs your administrators need to do, you can create role groups and add roles to them. For more information, see Work with role groups later in this topic.
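Because permissions are the union of every role group an administrator belongs to, a review of "which groups is this person in" is less useful than a review of "which roles, and therefore which cmdlets, actually reach this person". The following Exchange Management Shell script is an added example, not code from the original page or from Microsoft; it assumes a hypothetical administrator account 'contoso\alice', an Exchange 2016 Management Shell session, and that Get-ManagementRoleAssignment -RoleAssignee resolves assignments reached through role group and USG membership as well as direct ones.

```powershell
# Added example; not from the original page. Assumes an Exchange 2016
# Management Shell session and a hypothetical administrator 'contoso\alice'.
$Admin = 'contoso\alice'

# 1. Every enabled role assignment that reaches this user, whether it was made
#    directly or through a role group / USG the user is a member of.
$Assignments = Get-ManagementRoleAssignment -RoleAssignee $Admin -Enabled $true
$Assignments |
    Sort-Object RoleAssigneeName, Role |
    Format-Table Role, RoleAssigneeName, RoleAssigneeType, CustomRecipientWriteScope -AutoSize

# 2. Flag membership (direct or nested) in the most powerful built-in group.
if ($Assignments.RoleAssigneeName -contains 'Organization Management') {
    Write-Warning "$Admin is an effective member of Organization Management"
}

# 3. Expand the distinct roles into the cmdlets they expose, so the review is
#    of the cmdlet union rather than of role names.
$Roles = $Assignments | ForEach-Object { $_.Role.Name } | Sort-Object -Unique
$Cmdlets = foreach ($Role in $Roles) {
    Get-ManagementRoleEntry -Identity "$Role\*" |
        Select-Object @{ n = 'Role'; e = { $Role } }, Name
}
"{0} roles expose {1} distinct cmdlets" -f $Roles.Count,
    ($Cmdlets | Sort-Object Name -Unique | Measure-Object).Count

# 4. Reverse lookup: which roles grant a sensitive cmdlet, and which role
#    groups hold those roles. Use this before adding a role to a custom group.
Get-ManagementRole -Cmdlet New-MailboxExportRequest | ForEach-Object {
    $RoleName = $_.Name
    Get-ManagementRoleAssignment -Role $RoleName -RoleAssigneeType RoleGroup -Enabled $true |
        Select-Object @{ n = 'Role'; e = { $RoleName } }, RoleAssigneeName
}
```

Step 1 is the check to run whenever someone is added to a second or third role group; step 4 is the check to run before deciding which role a new custom role group needs.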

Role assignment policies

Exchange 2016 provides role assignment policies so that you can control which settings your users can configure on their own mailboxes and on distribution groups they own. These settings include their display name, contact information, voice mail settings, and distribution group membership.

Your Exchange 2016 organization can have multiple role assignment policies that provide different levels of permissions for the different types of users in your organization. Some users can be allowed to change their address or create distribution groups, while others can't. It all depends on the role assignment policy associated with their mailbox. Role assignment policies are applied directly to mailboxes, and each mailbox can be associated with only one role assignment policy at a time.

Of the role assignment policies in your organization, one is marked as the default. New mailboxes that aren't explicitly assigned a specific role assignment policy when they're created are associated with the default role assignment policy. The default role assignment policy should contain the permissions that apply to the majority of your mailboxes.

Permissions are added to role assignment policies using end-user roles. End-user roles begin with My and grant users permissions to manage only their own mailbox or distribution groups they own. They can't be used to manage any other mailbox. Only end-user roles can be assigned to role assignment policies.

When an end-user role is assigned to a role assignment policy, all of the mailboxes associated with that role assignment policy receive the permissions granted by the role. This lets you add or remove permissions for sets of users without having to configure individual mailboxes. The following figure shows:

  • End-user roles are assigned to role assignment policies. Role assignment policies can share the same end-user roles.

  • Role assignment policies are associated with mailboxes. Each mailbox can be associated with only one role assignment policy.

  • After a mailbox is associated with a role assignment policy, the end-user roles are applied to that mailbox. The permissions granted by the roles are granted to the user of the mailbox.

    Roles, role assignment policies, and mailboxes

(Figure: relationship between roles, role assignment policies, and mailboxes)

The role assignment policy named Default Role Assignment Policy is included with Exchange 2016. As the name implies, it's the default role assignment policy. If you want to change the permissions provided by this role assignment policy, or if you want to create role assignment policies, see Work with role assignment policies later in this topic.

Work with role groups

To manage your permissions using role groups in Exchange 2016, we recommend that you use the Exchange admin center (EAC). When you use the EAC to manage role groups, you can add and remove roles and members, create role groups, and copy role groups with a few clicks. The EAC provides simple dialog boxes, such as the new role group dialog box shown in the following figure, to perform these tasks.

New role group dialog box in the EAC

(Figure: the new role group dialog box in the EAC)

If none of the role groups included with Exchange 2016 have the permissions you need, you can use the EAC to create a role group and add the roles that have the permissions you need. For your new role group, you'll need to:

  1. Choose a name for the role group.

  2. Select the roles you want to add to the role group.

  3. Add members to the role group.

  4. Save the role group.

After you create the role group, you manage it like any other role group.

If an existing role group has some, but not all, of the permissions you need, you can copy it and then make changes to the copy. Copying an existing role group lets you make changes without affecting the original role group. As part of copying the role group, you can give the copy a new name and description, add roles to and remove roles from the new role group, and add new members. When you create or copy a role group, you use the same dialog box that's shown in the preceding figure.

Existing role groups can also be modified. You can add and remove roles on an existing role group, and add and remove members at the same time, using an EAC dialog box similar to the one in the preceding figure. By adding and removing roles on a role group, you turn administrative features on and off for the members of that role group.

Note

Although you can change which roles are assigned to built-in role groups, we recommend that you copy the built-in role group, modify the copy, and then add members to the copy. That keeps the built-in group as a known-good baseline you can compare against later.
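The same create, copy, modify and verify steps can be done in the Exchange Management Shell, which is what you want when the change has to be scripted or reviewed. The following is an added example, not code from the original page or from Microsoft; the role group names and the accounts 'contoso\bob' and 'contoso\carol' are hypothetical, and it assumes an Exchange 2016 Management Shell session.

```powershell
# Added example; not from the original page. Assumes an Exchange 2016
# Management Shell session; group names and accounts below are hypothetical.

# 1. A role group from scratch: name, roles, members and description in one call.
New-RoleGroup -Name 'Tier1 Recipient Admins' `
    -Roles 'Mail Recipients', 'Distribution Groups' `
    -Members 'contoso\bob' `
    -Description 'Creates and modifies recipients; no server or database rights'

# 2. Copy a built-in role group instead of editing it in place. The copy gets
#    the same roles; the built-in group stays untouched as a baseline.
$Source = Get-RoleGroup -Identity 'Recipient Management'
New-RoleGroup -Name 'Recipient Management (Custom)' `
    -Roles $Source.Roles `
    -Description "Copy of '$($Source.Name)' with local changes"

# 3. Trim the copy: a role is removed by deleting its assignment to the group.
Get-ManagementRoleAssignment -RoleAssignee 'Recipient Management (Custom)' -Role 'Move Mailboxes' |
    Remove-ManagementRoleAssignment -Confirm:$false

# 4. Add a role later: a new assignment turns that feature on for every member.
#    'Mailbox Import Export' is not held by any built-in role group by default,
#    so grant it deliberately and only where exporting mailbox data is a job duty.
New-ManagementRoleAssignment -SecurityGroup 'Recipient Management (Custom)' -Role 'Mailbox Import Export'

# 5. Membership changes apply to everything the group's roles grant.
Add-RoleGroupMember -Identity 'Recipient Management (Custom)' -Member 'contoso\carol'

# 6. Verify both halves: who is in the group, and which roles it actually holds.
Get-RoleGroupMember -Identity 'Recipient Management (Custom)'
Get-ManagementRoleAssignment -RoleAssignee 'Recipient Management (Custom)' -Enabled $true |
    Format-Table Role, RoleAssigneeName, RecipientWriteScope -AutoSize
```

Step 6 is worth keeping as a standing check: a diff of its output against the built-in group it was copied from shows exactly how the custom group's permissions have drifted.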

Work with role assignment policies

To manage the permissions that you grant end users to manage their own mailbox in Exchange 2016, we recommend that you use the EAC. When you use the EAC to manage end-user permissions, you can add roles, remove roles, and create role assignment policies with a few clicks. The EAC provides simple dialog boxes, such as the role assignment policy dialog box shown in the following figure, to perform these tasks.

Role assignment policy dialog box in the EAC

(Figure: the role assignment policy dialog box in the EAC)

Exchange 2016 includes a role assignment policy named Default Role Assignment Policy. This role assignment policy lets users whose mailboxes are associated with it do the following:

  • Join or leave distribution groups that allow members to manage their own membership.

  • View and modify basic mailbox settings on their own mailbox, such as Inbox rules, spelling behavior, junk mail settings, and Microsoft ActiveSync devices.

  • Modify their contact information, such as work address and phone number, mobile phone number, and pager number.

  • Create, modify, or view text message settings.

  • View or modify voice mail settings.

  • View and modify their marketplace apps.

  • Create team mailboxes and connect them to Microsoft SharePoint lists.

If you want to add permissions to or remove permissions from the Default Role Assignment Policy or any other role assignment policy, you can use the EAC. When you open the role assignment policy in the EAC, select the check box next to each role you want to assign to it, or clear the check box next to each role you want to remove. The change you make to the role assignment policy is applied to every mailbox associated with it.

If you want to assign different end-user permissions to the various types of users in your organization, you can create role assignment policies. You specify a name for the new role assignment policy and then select the roles you want to assign to it. After you create a role assignment policy, you can associate it with mailboxes using the EAC.

If you want to change which role assignment policy is the default, you need to use the Exchange Management Shell. When you change the default role assignment policy, any mailboxes created afterwards are associated with the new default role assignment policy if one isn't explicitly specified. The role assignment policy associated with existing mailboxes doesn't change when you select a new default role assignment policy.
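The following Exchange Management Shell script is an added example, not code from the original page or from Microsoft, that walks through the steps above: inspecting what the default policy grants, creating a narrower policy, associating a mailbox with it, and switching the default (the step the EAC cannot do). It assumes an Exchange 2016 Management Shell session; the policy name 'Restricted Users' and the mailbox 'dana@contoso.com' are hypothetical.

```powershell
# Added example; not from the original page. Assumes an Exchange 2016
# Management Shell session; the policy name and mailbox are hypothetical.

# 1. What does the built-in default policy grant today?
Get-ManagementRoleAssignment -RoleAssignee 'Default Role Assignment Policy' -Enabled $true |
    Format-Table Role, RoleAssigneeName -AutoSize

# 2. End-user roles are the ones whose names start with My. Some are parents
#    with child roles; assigning the parent grants the children too.
Get-ManagementRole | Where-Object { $_.Name -like 'My*' } | Select-Object Name
Get-ManagementRole -Identity 'MyContactInformation' -GetChildren | Select-Object Name

# 3. A narrower policy. Only My* roles are accepted here; an administrative
#    role such as 'Mail Recipients' cannot be placed in an assignment policy.
New-RoleAssignmentPolicy -Name 'Restricted Users' `
    -Roles 'MyBaseOptions', 'MyContactInformation', 'MyDistributionGroupMembership' `
    -Description 'No self-service group creation, no text messaging, no name changes'

# 4. Associate a mailbox with it. A mailbox holds exactly one policy, so this
#    replaces the previous association rather than adding to it.
Set-Mailbox -Identity 'dana@contoso.com' -RoleAssignmentPolicy 'Restricted Users'

# 5. Make it the default for mailboxes created from now on (Shell only).
#    Existing mailboxes keep whatever policy they already have.
Set-RoleAssignmentPolicy -Identity 'Restricted Users' -IsDefault
Get-RoleAssignmentPolicy | Format-Table Name, IsDefault -AutoSize

# 6. Existing mailboxes still on the old default, if you decide to move them.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.RoleAssignmentPolicy.Name -eq 'Default Role Assignment Policy' } |
    Select-Object DisplayName, PrimarySmtpAddress
```

Because step 5 only affects mailboxes created later, step 6 is the list you need to act on if the intent is that the new policy applies to everyone, not just to new accounts.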

Notes:

  • If you select the check box for a role that has child roles, the check boxes for the child roles are also selected. If you clear the check box for a role with child roles, the check boxes for the child roles are also cleared.

  • For detailed steps about how to create role assignment policies or change existing role assignment policies, see the following topics: