Security requirements for Microsoft Exchange Server data

For Tivoli® Storage FlashCopy® Manager security, users who are logged on to the Exchange Server must have role-based access control (RBAC) permissions to access mailboxes and to complete mailbox restore tasks.

RBAC permissions are typically set with Exchange PowerShell cmdlets as part of the Microsoft Exchange configuration process. For more information, see Understanding Role Based Access Control.

If you are authorized by the security policy in your organization, add users in the Exchange Organization Management role group or subgroups. Users in the Exchange Organization Management role group or subgroups have sufficient privileges to optimally complete mailbox restore operations. Users who are not in the Exchange Organization Management role group or subgroups might experience slower performance.

In summary, you must define a minimum set of management roles and role scope for the Exchange user.
  • Management roles: "Active Directory Permissions", "Databases", "Disaster Recovery", "Mailbox Import Export", "View-Only Configuration", and "View-Only Recipients".

    To restore an Exchange 2013 public folder mailbox, the Exchange user must also have the Public Folders management role. To restore mail to a Unicode PST file, the Exchange user must have the Mailbox Import Export management role.

    A typical Exchange PowerShell cmdlet that sets RBAC permissions is as follows (the trailing comma at the end of each line continues the command on the next line):
    New-RoleGroup -Name "My Admins" -Roles "Active Directory Permissions", "Databases",
    "Disaster Recovery", "Mailbox Import Export", "Public Folders",
    "View-Only Configuration", "View-Only Recipients" -Members operator1

    The preceding example creates a new group, My Admins, with minimum roles to run Tivoli Storage FlashCopy Manager, and assigns user operator1 to this group. The operator1 user can run Tivoli Storage FlashCopy Manager but with limited Exchange privileges, for example, the user cannot create or remove a user mailbox.

  • Management role scope. Ensure that the following Exchange objects are within the management role scope for the user who is logged on to the Exchange Server:
    • The Exchange Server that contains the required data
    • The recovery database that Tivoli Storage FlashCopy Manager creates
    • The database that contains the active mailbox
    • The database that contains the active mailbox of the user who completes the restore operation
  • Verify that the Exchange user is a member of the local Administrators group and has an active Exchange mailbox in the domain.

    By default, Windows adds the Exchange Organization Administrators group to other security groups, including the local Administrators group. For Exchange users who are not members of the Exchange Organization Management group, you must manually add the user account to the local Administrators group by using the Local Users and Groups tool on the domain member computer (select Administrative tools > Computer Management > Local Users and Groups tool). On a domain controller, which has no local Administrators group or Local Users and Groups tool, manually add the user account to the Administrators group in the domain (select Administrative tools > Active Directory Users and Computers tool).
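The following script is an added example, not part of the IBM documentation, that checks the requirements above for one account before it is used to run Tivoli Storage FlashCopy Manager: the minimum management roles (direct or inherited through a role group), any assignment whose write scope is narrower than the organization (which must then be verified against the server, recovery database and mailbox databases listed above), an active mailbox, and local Administrators membership. It assumes it runs in the Exchange Management Shell on the Exchange Server; the account name operator1 and the option to require the Public Folders role are assumptions for illustration.

```powershell
# Added verification script (not IBM's code). Run in the Exchange Management Shell
# on the Exchange Server, as an account that can read RBAC configuration.
param(
    [string]$User = "operator1",          # assumed: account that will run FlashCopy Manager
    [switch]$PublicFolderRestore          # assumed: set when public folder mailboxes are restored
)

# Minimum management roles named in this topic.
$RequiredRoles = @("Active Directory Permissions", "Databases", "Disaster Recovery",
                   "Mailbox Import Export", "View-Only Configuration", "View-Only Recipients")
if ($PublicFolderRestore) { $RequiredRoles += "Public Folders" }

# Get-ManagementRoleAssignment -RoleAssignee returns both direct assignments and those
# inherited through role groups. Delegating assignments only allow assigning roles to
# others, so they are excluded; disabled assignments grant nothing.
$assignments = Get-ManagementRoleAssignment -RoleAssignee $User -Delegating $false -Enabled $true
$grantedRoles = $assignments | ForEach-Object { $_.Role.ToString() } | Sort-Object -Unique
$missingRoles = $RequiredRoles | Where-Object { $grantedRoles -notcontains $_ }

# Assignments whose write scope is not organization-wide need a manual check that the
# Exchange Server, the recovery database and the mailbox databases are inside that scope.
$restrictedScopes = $assignments |
    Where-Object { $_.RecipientWriteScope -ne "Organization" -or
                   $_.ConfigWriteScope    -ne "OrganizationConfig" } |
    Select-Object Role, RecipientWriteScope, CustomRecipientWriteScope,
                  ConfigWriteScope, CustomConfigWriteScope

# The account must own an active mailbox in the domain.
$mailbox = Get-Mailbox -Identity $User -ErrorAction SilentlyContinue

# Local Administrators membership; "net localgroup" lists members as DOMAIN\name or name.
$localAdmins = net localgroup Administrators
$isLocalAdmin = [bool]($localAdmins | Where-Object {
    $_ -eq $User -or $_ -match ("\\" + [regex]::Escape($User) + "\s*$") })

$report = [pscustomobject]@{
    User             = $User
    MissingRoles     = $missingRoles
    RestrictedScopes = $restrictedScopes
    HasMailbox       = [bool]$mailbox
    IsLocalAdmin     = $isLocalAdmin
    Ready            = (-not $missingRoles) -and [bool]$mailbox -and $isLocalAdmin
}
$report | Format-List
if ($restrictedScopes) { $restrictedScopes | Format-Table -AutoSize }
```

A Ready value of True with an empty RestrictedScopes list means the account meets every requirement listed above; any entries in RestrictedScopes must be compared against the management role scope requirements before relying on the account for restores.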