Tenant Administrators and Tenants
By now you probably know that when you create a new tenant organization, a few RBAC roles and a few role groups are created out of the box. You may also see some assignments being created by default.
So, by default, it creates the following role groups:
[PS] C:\> Get-RoleGroup -Organization AlpineSkiHouse | select Name
View-Only Organization Management
If you supply the administrator password with -AdministratorPassword when creating a new organization (Exchange Server 2010 SP1 Beta Hosting Deployment - First Look), an administrator account is created automatically and is made a member of all the role groups above except for Discovery Management.
Now, it is important to note that each tenant organization can have its own management roles, its own management role assignments and its own role groups. This is possible because in a Hosting Deployment, every tenant has its own configuration unit in Active Directory. Also, because each tenant is in its own segregated organization, the scope stays within that organization too.
Here are all the canned management roles created when you create a new organization:
[PS] C:\> Get-ManagementRole -Organization AlpineSkiHouse
Audit Logs AuditLogs
Distribution Groups DistributionGroups
Legal Hold LegalHold
Mail Recipient Creation MailRecipientCreation
Mail Recipients MailRecipients
Mail Tips MailTips
Mailbox Import Export MailboxImportExport
Mailbox Search MailboxSearch
Message Tracking MessageTracking
Move Mailboxes MoveMailboxes
Organization Client Access OrganizationClientAccess
Organization Configuration OrganizationConfiguration
Organization Transport Settings OrganizationTransportSettings
Recipient Policies RecipientPolicies
Remote and Accepted Domains RemoteAndAcceptedDomains
Reset Password ResetPassword
Retention Management RetentionManagement
Role Management RoleManagement
Security Group Creation and Membership SecurityGroupCreationAndMembership
Transport Rules TransportRules
User Options UserOptions
View-Only Audit Logs ViewOnlyAuditLogs
View-Only Configuration ViewOnlyConfiguration
View-Only Recipients ViewOnlyRecipients
There isn't any big surprise here. Most of them are pretty standard. There are a few roles I would like to highlight though: all those that start with My*, such as MyBaseOptions, MyContactInformation, MyAddressInformation, MyMobileInformation, MyPersonalInformation, MyDistributionGroupMembership, MyDistributionGroups, MyDisplayName and so on. These roles have the recipient read and write scope of SELF, and they are primarily used to assign permissions to the mailbox as defined in your Service Plan. I will talk a little more about this in my next post, and will go further into the interdependencies of the service plans, mailbox plans and the Role Assignment Policy.
Management Roles Assignment
There is a list of assignments, and what it contains depends on how you configure your Service Plans. If you look at your service plan, you will find that in the Organization section you define what kind of roles the tenant administrator will have. It will then assign the Organization Management role group to those roles. As for the permissions set in the mailbox plan, they depend on the Role Assignment Policy, which applies according to the mailbox plan.
To take a look at the assignments, just execute:
[PS] C:\> Get-ManagementRoleAssignment -Organization AlpineSkiHouse
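The following is an added example, not part of the original post: a review of one tenant's default RBAC footprint using the three cmdlets shown above. It assumes the standard Exchange 2010 RBAC object properties (Members, Roles, ImplicitRecipientReadScope, ImplicitRecipientWriteScope, RoleAssigneeName, RoleAssignmentDelegationType), and the administrator account name is a placeholder.

```powershell
# Added example: review the default RBAC footprint of one tenant organization.
# Run from the Exchange Management Shell of the hosting deployment.
$org       = 'AlpineSkiHouse'   # tenant name used on this page
$adminName = 'Administrator'    # assumption: name of the auto-created tenant admin

# 1. Role groups with their members and roles. Members and Roles are
#    multivalued properties; -join renders each entry in its string form.
$groups = Get-RoleGroup -Organization $org
$groups | Select-Object Name,
    @{ Name = 'Members'; Expression = { $_.Members -join '; ' } },
    @{ Name = 'Roles';   Expression = { $_.Roles   -join '; ' } } |
    Format-List

# 2. Role groups the tenant admin is NOT in (substring match on the member's
#    string form). Per the page, only Discovery Management should appear.
$groups |
    Where-Object { -not (@($_.Members) -match [regex]::Escape($adminName)) } |
    Select-Object Name

# 3. End-user My* roles with their implicit recipient scopes, to confirm the
#    self-service roles are scoped the way the text describes.
Get-ManagementRole -Organization $org |
    Where-Object { $_.Name -like 'My*' } |
    Sort-Object Name |
    Format-Table Name, ImplicitRecipientReadScope, ImplicitRecipientWriteScope -AutoSize

# 4. Role assignments, sorted by assignee. A RoleAssignmentDelegationType
#    other than Regular means the assignee can hand the role to others.
$assignments = Get-ManagementRoleAssignment -Organization $org
$assignments | Sort-Object RoleAssigneeName, Role |
    Format-Table RoleAssigneeName, RoleAssigneeType, Role,
        RoleAssignmentDelegationType, RecipientWriteScope, Enabled -AutoSize

$assignments |
    Where-Object { "$($_.RoleAssignmentDelegationType)" -ne 'Regular' } |
    Select-Object RoleAssigneeName, Role, RoleAssignmentDelegationType
```

Saving this output right after provisioning gives a baseline to compare against later, so that added role group members or new delegating assignments in a tenant stand out.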