But what if you want to restrict your external helpdesk even further, so that the actions they take on the rest of your users are limited as well? A database list scope enables you to create a scope that applies only to the databases you specify in a list.
If you have pre-Exchange SP1 servers in your organization, see the Database scopes and previous versions of Exchange section later in this topic. The implicit read scope on roles continues to apply, and the resulting custom scope must not exceed the boundaries of the implicit read scope.
For more information about how to add a management role assignment with a predefined relative scope, see Add a role to a user or USG.
They're called relative scopes because they're relative to the role assignee to which the associated role assignment is assigned.
When you add a recipient filter scope to a role assignment, specify the name of the recipient scope in the CustomRecipientWriteScope parameter on the New-ManagementRoleAssignment if you're creating a new role assignment, or the Set-ManagementRoleAssignment cmdlet if you're updating an existing role assignment.
Limiting access to Executive Mailboxes in Exchange Online. In my last blog post I wrote about how the new workload-specific role feature in Office grants too much administrative ability when you simply want to restrict access to VIP mailboxes. By default, a custom scope enables a role assignee to access a set of objects that match the scopes you define.
For detailed syntax and parameter information, see New-ManagementScope.
Exclusive scope
Any scope that you create with the New-ManagementScope cmdlet can be designated as an exclusive scope.
Also, this group of administrators should only be allowed to manage the Contoso employees located in the Seattle office. For more information about filter syntax and for a full list of filterable recipient properties on recipients, see Understanding management role scope filters.
Recipient filter scopes
Recipient filter scopes enable you to control which recipient objects role assignees can manage by evaluating one or more properties on a recipient object against a value that you specify in a filter statement.
If Organization is present in the role's recipient read scope, roles can view any recipient object across the Exchange organization. Predefined relative scopes provide an easy way for you to more closely match the needs of your business without having to create custom scopes manually.
We can see that Write Scope is an option, and we can either select a custom policy (more on that later) or provide an OU. For more information about exclusive scopes, see Understanding exclusive scopes. Server and database lists can be defined by specifying each server and database you want to include in their respective scopes.
Database filter configuration scope
Database filter-based configuration scopes are created by using the DatabaseRestrictionFilter parameter on the New-ManagementScope cmdlet. For example, you might want to target a specific organizational unit (OU), a specific type of recipient, or both.
If you want to create an exclusive scope, include the Exclusive switch along with the RecipientRestrictionFilter parameter.
Custom scopes
Custom scopes are needed when neither the implicit write scope nor the predefined relative scopes meet the needs of your business. Let's look at options for limiting permissions even further. Custom write scopes give us a really powerful method to configure effective permissions.
You can create custom management scopes using the New-ManagementScope cmdlet and can view a list of existing scopes using the Get-ManagementScope cmdlet.
If you choose not to specify an OU, predefined scope, or custom scope, the implicit write scope of the role applies to the role assignment.
When you add a new role assignment, you can specify a built-in or custom role that was created using the New-ManagementRole cmdlet and specify an organizational unit (OU) or predefined or custom management scope to restrict the assignment.
Or, the role's implicit configuration write scope must contain the database to be managed, or contain the server where the database is located, and the role assignment can't have a custom write scope. The CustomConfigWriteScope parameter specifies the existing configuration scope to associate with this management role assignment.
The CustomRecipientWriteScope parameter specifies the existing recipient-based management scope to associate with this management role assignment.