Back to blog

Exploring the Security and Compliance Center – Part Three: Permissions

May 19, 2016 by Emma Robinson

This third installment in our blog series explores the permissions area of the new Office 365 Security and Compliance Center. (Read the full blog series here First ImpressionsReportsPermissionsData Loss PreventionData Management and Service AssuranceSearch and Investigation, and Alerts)
No time to read the full blog series now? Download our white paper ‘Getting Started with the Security and Compliance Center’ which includes all the blogs on Office 365 Security and Compliance.
The Permissions area enables you (if you are a global Office 365 admin) to assign permissions which allow other users to perform tasks in the Compliance Center. These tasks might include:

  • Data loss protection
  • Device Management
  • eDiscovery
  • Archiving, auditing and retention in Exchange*

*It is not possible to assign permissions for all features through this portal – any that relate to Exchange use an underlying Exchange Online cmdlet which requires permissions through the Exchange admin center.
Individuals who are given permissions are only able to perform the task(s) that they are explicitly granted access to. In order to access the Security and Compliance Center itself, you have to be an Office 365 global administrator, or assigned membership to one or more Security and Compliance role groups.
Roles and Role Groups
This is how Microsoft defines roles and role groups for the center:
‘A role grants permissions to do a set of tasks; for example, the Case Management role lets people work with eDiscovery cases.
A role group is a set of roles that lets people perform their job across the Security & Compliance Center; for example, the Compliance Administrator role group includes the roles for Case Management, Content Search, and Organization Configuration (plus others) because someone who’s a compliance admin will need the permissions for those tasks to do their job.
The Security & Compliance Center includes default role groups for the most common tasks and functions that you’ll need to assign people to. We recommend simply adding people (individual users or groups) as members to the default role groups.’
These different options provide admins with the choice when assigning permissions, enabling them to grant the access that users need, whilst ensuring that the user is only able to view the data they need to do the task or job required.
It is important to note that role group memberships are not shared between Exchange Online and the Security and Compliance Center. More details on role groups and access to the center can be found here.
Once inside the permissions section, there are a number of default role groups listed: Compliance Administrator, eDiscovery Manager, Organization Management, Reviewer, Service Assurance User, Supervisory Review.
We will go through each of these areas individually and explore which permissions are available in which role groups.
The Compliance Administrator Role Group members are able to manage the compliance tasks listed above, and within the group there are a number of different roles. For example, if an individual in your organisation needs to deal with compliance search only, then they can be assigned this role only, not full membership to the group.
Compliance Administrator
Electronic or eDiscovery is the term used for identifying, preserving and providing electronic information which can be used as evidence in legal cases or investigations. It is a very powerful tool, and due to its potential to expose sensitive information, permissions for eDiscovery need to be controlled and assigned carefully.
Like all areas of the permissions section, this area is a role group, split into roles, however eDiscovery is also structured into cases (the specific incidents being investigated). This adds an extra layer of protection to the contents as it means that permissions can be split as below – into ‘managers’ and ‘administrators’.
eDiscovery Manager
The Reviewer is a role group that is part of eDiscovery. There is only one role available and it has a limited set of analysis features in Office 365 Advanced eDiscovery. Members of this group are able to see the specific documents that are assigned to them. Members can’t create, open, or manage an eDiscovery case.

Organization Management members are able to control permissions for the other features of the Security and Compliance center, including management of data loss prevention, reports, preservation and device management settings. All global Office 365 Admins are automatically added to this role group. As you can see by the list of role, this group assigns permissions to many other aspects of the default role groups, such as case management, service assurance view and compliance search.
Organization Management
Members of the Service Assurance User group can access the service assurance section of the Security and Compliance Center. This area contains reports and documents that outline Microsoft’s security practices for stored Office 365 customer data. It also contains independent audit reports on Office 365.
Service Assurance User
In the Supervisory Review role group members can create and manage the policies that dictate which communications are subject to review in an organisation. By creating a supervisory review policy, you can gather certain employee communications for examination by internal or external review. These can be set up using the advice in this TechNet article.
Supervisory Review
The Permissions area also offers the option to create a new role group and add roles and members. This allows you to customise and combine different roles. Microsoft advise using the default list provided, but if you had a unique set of requirements – for example if you had a number of users who needed (for whatever reason) to use a combination of compliance search, eDiscovery reviewer, and service assurance view, you could create a role group formed of these elements rather than adding users to different roles in each group.
new role group
It is likely that this area will develop as the Security and Compliance Center evolves – it seems unlikely that the current permissions comprise of all compliance aspects across Office 365. Why not log in and explore the permissions options in your environment?
Want to read all of the blog series in one handy document? Why not download our white paper which covers all areas of the Office 365 Security and Compliance Center?
Cogmotive is the leading global provider of enterprise level reporting and analytics applications for Office 365. Find out more now.