Version: 7.2

Role assignment

Only users with "Manage users and roles" permissions can assign roles to users, edit role assignments and manage access to certain contentACCESS objects for second users on their own tenant. Otherwise, the pages and options related to these settings (the Roles and Users pages, and the “manage access to” option on the respective pages) are not available to the logged-on user in Central Administration.

**The logged-on user's own permissions define which roles this user will be able to assign and which role assignments he will be able to edit.**


Note: If the logged-on administrator has specific permissions on schedulers, repository items, jobs and/or to view the archive, he cannot assign roles containing these permissions to second users. E.g. if the logged-on user has a specific permission to Edit job, then he cannot assign a role which contains the Edit job permission.

The logged-on user's permissions on the tenant must be equivalent to or greater than those included in the role to be assigned to the second user. E.g. if the logged-on user has only the “Edit all” repository items permission assigned on tenant “X”, but he is not allowed to delete these repository items, then he is not allowed to assign a role with “Delete all” repository items permissions to a second user on tenant X.

Or, if the logged-on user is tenant administrator on tenant “Y” but cannot view the archive mailboxes on his tenant (View mailboxes: not allowed), then he cannot assign a role (and also cannot edit a role assignment) containing permissions to view the archive mailboxes of this tenant.
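The rule above can be read as a check that runs before any role assignment. The following sketch is an added illustration, not contentACCESS code; the three permission levels, the permission labels and the function names are assumptions made for the example, and it treats a permission held only as a specific permission as insufficient, as the note above describes.

```python
from enum import IntEnum

class Level(IntEnum):
    NOT_ALLOWED = 0
    SPECIFIC = 1  # granted on selected objects only
    ALL = 2       # "All allowed" on the tenant

def blocking_permissions(assigner, role, tenant):
    """List (permission, reason) pairs that stop `assigner` from assigning
    `role` on `tenant`; an empty list means the assignment is allowed."""
    held = assigner.get(tenant, {})
    blocked = []
    for perm, granted in sorted(role.items()):
        if granted is Level.NOT_ALLOWED:
            continue  # the role does not grant this permission
        have = held.get(perm, Level.NOT_ALLOWED)
        if have is Level.SPECIFIC:
            blocked.append((perm, "assigner holds it only as a specific permission"))
        elif have is Level.NOT_ALLOWED:
            blocked.append((perm, "assigner does not hold it on this tenant"))
    return blocked

def can_assign(assigner, role, tenant):
    return not blocking_permissions(assigner, role, tenant)

# Constructed sample data: permission labels are illustrative, not product identifiers.
ADMIN = {
    "X": {"Repository items: Edit": Level.ALL, "Jobs: Edit": Level.SPECIFIC},
    "Y": {"Manage users and roles": Level.ALL,
          "Archive: View mailboxes": Level.NOT_ALLOWED},
}
ROLES = {
    "editor": {"Repository items: Edit": Level.ALL},
    "cleaner": {"Repository items: Edit": Level.ALL,
                "Repository items: Delete": Level.ALL},
    "job editor": {"Jobs: Edit": Level.ALL},
    "mailbox viewer": {"Archive: View mailboxes": Level.ALL},
}

if __name__ == "__main__":
    for tenant, name in [("X", "editor"), ("X", "cleaner"), ("X", "job editor"),
                         ("Y", "mailbox viewer"), ("Y", "editor")]:
        blocked = blocking_permissions(ADMIN, ROLES[name], tenant)
        print(f"{tenant}/{name}:", "allowed" if not blocked else blocked)
```

Returning the blocking permissions rather than a bare yes/no gives an auditor the reason an assignment was refused, and the last case shows that permissions held on tenant X carry no weight on tenant Y.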

The administrator can assign a role:

  • For a newly created/invited user in the Create/Invite user dialog directly


  • For an already existing contentACCESS user, using the given user’s “Assign role” context menu option



Important: If you are assigning a role containing both specific permissions and Manage tenant “All allowed” permissions and you have selected one specific tenant in the Role assignment or Create/Invite user dialog, then every tenant will automatically get the Manage all tenants permission as it is defined in the role itself, and you will then be redirected to the Assign specific permissions page. If “All tenants” is selected in one of the above-mentioned dialogs, then Manage all tenants permissions are assigned, but the user is not redirected to the Assign specific permissions page. These specific permissions can be assigned later using the user’s “Edit role assignment” context menu option.