Office 365 Security & Compliance Center: Roles and Permissions

The bigger your company grows, the more attention you should pay to configuring the Microsoft Office 365 Security and Compliance Center (SCC). This tool exists to keep a company’s business-critical data safe by limiting access to it. Let’s take a dive into the SCC, its functionality, and configuration.

Office 365 Roles and Permissions

The main principle of the SCC is granting data access exclusively to authorized users. Permissions determine which data a specific user can access.

It’s quite easy to understand a role-based system as a division of access. The most basic unit, called permission, grants limited access to specific data.

One or several permissions make up a role. A role is the access required to complete a certain action, such as reviewing a case. Compliance documents or settings cannot be viewed or edited without a sufficient role, which prevents data leaks.

Note: roles in the SCC are different from Office 365 administrator roles. The SCC roles are assigned only for managing security and compliance settings. 

A role group is a set of one or several roles. Some role groups allow their members to perform a wide range of functions. At the same time, some role groups consist of only one role.

Why are these three things separated? Optimization is the reason. Constantly setting up permissions is time-consuming. Roles and groups let you create permission sets and add members to those sets. However, managing groups is still a manual process.

How to Give Permissions?

  1. Log in to your Office 365 account.
  2. Go to the Admin centers section and find Security & Compliance.
  3. Click Permissions.
  4. You’ll see the list of role groups. Select one to Edit it.
  5. Find Members and Add the user/users you are looking for.
  6. Click OK to confirm the changes.
  7. Save the changes.

To double-check that you’ve done it right, go to Permissions again. Select the role group to view its members. You should see the new user or users.
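The same change and the follow-up membership check can be scripted with Security & Compliance PowerShell. This is an added example, not part of the original article; the account, role group and user values are placeholders, and matching a member by Name, Alias or PrimarySmtpAddress is an assumption about how the member is listed in your tenant.

```powershell
# Added example: add a user to an SCC role group and verify the result.
Import-Module ExchangeOnlineManagement   # Install-Module ExchangeOnlineManagement if missing

# Placeholder values (assumptions): substitute your own.
$AdminUpn  = 'admin@contoso.example'
$RoleGroup = 'Reviewer'
$NewMember = 'jane.doe@contoso.example'

# Connect to Security & Compliance PowerShell (interactive sign-in).
Connect-IPPSSession -UserPrincipalName $AdminUpn

function Test-RoleGroupMember {
    param(
        [Parameter(Mandatory)][string]$Group,
        [Parameter(Mandatory)][string]$User
    )
    # Compare against several identifying properties; a property that is
    # absent on the returned object evaluates to $null and never matches.
    $hit = Get-RoleGroupMember -Identity $Group | Where-Object {
        $_.Name -eq $User -or $_.Alias -eq $User -or $_.PrimarySmtpAddress -eq $User
    }
    return [bool]$hit
}

if (Test-RoleGroupMember -Group $RoleGroup -User $NewMember) {
    Write-Host "$NewMember is already a member of '$RoleGroup'; nothing to change."
}
else {
    # Stop on failure so a rejected change is not mistaken for success.
    Add-RoleGroupMember -Identity $RoleGroup -Member $NewMember -ErrorAction Stop

    if (Test-RoleGroupMember -Group $RoleGroup -User $NewMember) {
        Write-Host "Added $NewMember to '$RoleGroup'."
    }
    else {
        Write-Warning "Could not confirm $NewMember in '$RoleGroup'; review the list below."
    }
}

# Equivalent of reopening Permissions and viewing the group's members.
Get-RoleGroupMember -Identity $RoleGroup | Format-Table Name, RecipientType -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```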


In a nutshell, a role is a right to complete a certain task in the SCC. The process of assigning roles is giving your company’s employees enough access to data they require for their work. At the same time, a role’s functions are strictly determined, and other data is kept off-limits.

There are many roles related to security management. Each one may be a part of many role groups. Here are some typical O365 Security and Compliance Center roles.

  • Case Management enables sharing access to eDiscovery cases and managing them.
  • RMS Decrypt role allows the decryption of RMS-encrypted emails when exporting search results.
  • Hold role lets the user place mailboxes on hold. To learn about the Hold functions, check the overview of Microsoft backup and recovery policy.
  • Manage Alerts members can monitor and configure the alerts.
  • Review lets users assigned this role view and analyze O365 data.
  • Search And Purge allows finding Office 365 items and removing them. Often the members neutralize phishing emails or attachments with viruses.

Role Groups 

The bigger your company is, the more customization of your role group list you may need. After all, not every employee of a big company is supposed to have global admin control over all business-critical data.

By default, the SCC has a role group list. It may help you with basic functions and processes. You can delete, copy, and modify the existing groups according to your workflow’s needs.

Comprehending the role groups and their tasks is vital for configuring the SCC correctly. Let’s touch on the common role groups and what tasks their members are assigned to.

  • Compliance Data Administrator is the usual group for compliance officers/admins. They oversee devices, data protection, and preservation.
  • Organization Management is a group with wide access to data management. The members determine SC settings and permissions distribution. By default, O365 global admins are appointed to this group.
  • Records Management is required for working with retention.
  • Reviewer users monitor the eDiscovery without deleting, creating, and editing cases.
  • Service Assurance User members can check compliance, privacy, and security of customer data storage.
  • Supervisory Review unites specialists responsible for reviewing policies. The reviewers ensure the security of a company’s communications.

Top 5 SCC Tips

The main goal of configuring the SCC is easier and more secure data governance. There is no ideal combination of roles and role groups in the SCC. However, you’ll likely want to configure the Center settings to fit your workflow.

Before you do it, check some basic tips you may find useful while working with the SCC. We hope they’ll save your time and nerves while governing your data.

  1. Edit the default group list carefully. Instead of deleting a default role group, you can copy and edit it. After that, rename the new role group and share the access to it.
  2. Adding too many permissions related to editing or deleting data may not be the safest option. Usually, the number of Reviewer or Security reader members is greater than the number of users permitted to change the information.
  3. While assigning the roles, maintain the balance between access and safety. Do not limit users to read-only groups if changing the data is necessary for their work.
  4. The SCC is updated by Microsoft from time to time, so don’t forget to check the updates.
  5. Several roles (like Hold) are often used to recover deleted items in Office 365. However, there are some limitations to Office 365 recovery. That’s why a backup helps you with data governance optimization. Using backup is definitely faster than manual configuration of roles for data restore.
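
Tips 2 and 3 are easier to follow with a periodic membership report. The script below is an added example, not part of the original article: it lists every role group, flags those that carry the Search And Purge, RMS Decrypt or Hold roles described earlier, and compares their membership with the read-only groups. The admin account is a placeholder, and treating those three roles as the high-impact set is an assumption to adjust for your own policy.

```powershell
# Added example: report which role groups grant high-impact roles and to whom.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'   # placeholder account

# Assumption: roles from the article's list treated as high impact.
$HighImpactRoles = 'Search And Purge', 'RMS Decrypt', 'Hold'
# Read-only role groups named in tip 2.
$ReadOnlyGroups  = 'Reviewer', 'Security Reader'

$report = foreach ($group in Get-RoleGroup) {
    # Role entries may come back as full identities; keep the last path segment.
    $roleNames = @($group.Roles | ForEach-Object { ("$_" -split '/')[-1] })
    $sensitive = @($roleNames | Where-Object { $HighImpactRoles -contains $_ })
    $members   = @(Get-RoleGroupMember -Identity $group.Name)

    [pscustomobject]@{
        RoleGroup       = $group.Name
        MemberCount     = $members.Count
        HighImpactRoles = $sensitive -join ', '
        Members         = ($members | ForEach-Object { $_.Name }) -join '; '
    }
}

# Groups that grant a high-impact role and actually have members, largest first.
$report |
    Where-Object { $_.HighImpactRoles -and $_.MemberCount -gt 0 } |
    Sort-Object MemberCount -Descending |
    Format-Table RoleGroup, MemberCount, HighImpactRoles, Members -AutoSize -Wrap

# Tip 2 check: read-only membership versus membership of high-impact groups.
$readOnly = [int]($report |
    Where-Object { $_.RoleGroup -in $ReadOnlyGroups } |
    Measure-Object -Property MemberCount -Sum).Sum
$highImpact = [int]($report |
    Where-Object { $_.HighImpactRoles } |
    Measure-Object -Property MemberCount -Sum).Sum

Write-Host "Read-only members: $readOnly"
Write-Host "Members of groups with high-impact roles: $highImpact"
if ($highImpact -gt $readOnly) {
    Write-Warning 'More accounts can change or remove data than can only read it.'
}

Disconnect-ExchangeOnline -Confirm:$false
```

A user who belongs to several groups is counted once per group, so the totals are an upper bound on distinct accounts.
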
About Author

Davit Asatryan is the Director of Product at Spin.AI

He is responsible for executing product strategy by overseeing the entire product lifecycle, with a focus on developing cutting-edge solutions to address the evolving landscape of cybersecurity threats.

He has been with the company for over 5 years and specializes in SaaS Security, helping organizations battle Shadow IT, ransomware, and data leak issues.

Prior to joining Spin.AI, Davit gained experience by working in fintech startups and also received his Bachelor’s degree from UC Berkeley. In his spare time, Davit enjoys traveling, playing soccer and tennis with his friends, and watching sports of any kind.
