In Exchange Server 2003 and
Exchange Server 2007, the Exchange Administrator has the possibility to
perform some "Delegation of Control." This way it is possible to grant
other users or security groups more privileges in the Exchange
organization, allowing them to perform some administrative tasks as
well.
In Exchange Server 2010 this has changed into a Role
Based Access model, where users can be added to predefined Role Groups.
When a user or a security group is added to such a Role Group they
automatically inherit the security rights assigned to it. The following
Role Groups are available:
To give a user additional permissions on the Exchange
Organization, you really do just need to add the user to the
appropriate Role Group. This can be achieved using the:
Exchange Management Console – the RBAC Editor
can be found in the tools section, but when selected you're redirected
to the Exchange Control Panel
Exchange Management Shell
Exchange Control Panel.
To add a user to the Recipient Management Role group in the Exchange Management Shell, enter the following command:
To add a user to the Recipient Management Role Group using the Exchange Control Panel, open the ECP and select "My Organization" in the "Select what to manage"
drop-down box. Click the Administrator Roles tab, and double-click the
"Recipient Management" Role Group, then click Add and select the user.
One of the major benefits of
using Role Based Access Control is that it is possible to give very
granular permissions to users or security groups. Although this was
possible in Exchange Server 2007 as well, you had to work with ACLs to
get the same results, and the downside of changing ACLs is that it can
give unwanted results due to unexpected restrictions.
