In Office 365 Dedicated/ITAR, you discover that you can’t make a particular customization by using Remote PowerShell (RPS). When you try to run a command to customize Role Based Access Control (RBAC) settings, you receive an error message that resembles the following:
You don't have access to create, change or remove the "<>" management role assignment
This issue occurs because the Office 365 Dedicated/ITAR deployment has specific naming requirements when you customize role groups or management roles.
By default, there are 15 baseline role groups that have specific management roles assigned. You may want to change the baseline configuration to create additional limits on the permissions that are granted to administrators and users.
To apply RBAC customization, follow these steps:
1. Create a new role group, and populate the group. The user who performs these actions must be a member of the SSA-Role Management role group.
2. Identify the cmdlets that are needed for the new management role, identify candidate baseline management roles that have these cmdlets, and create the new role.
3. Assign the new management role to the new role group.
4. Create a custom write scope, and assign the scope to the newly created role group and management role (optional).
The customized role groups must start with "SSA-" as in "SSA-Helpdesk Administrators." A customized management role must start with "SSA_" as in "SSA_Modify Mailbox Permissions." Administrators may encounter errors when they try to assign a management role or custom write scope if the correct naming standards are not used.
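The four steps above as one Remote PowerShell sequence, with the name prefixes checked before anything is created. This is an added example, not Microsoft's own script: the parent role "Mail Recipients", the cmdlet list, the member address, the scope name and filter, and the assignment name are assumptions chosen for illustration, while the role group and role names are the ones the article uses.

```powershell
# Added example. Run in an RPS session as a member of SSA-Role Management.
$RoleGroup  = 'SSA-Helpdesk Administrators'      # role group name from the article
$Role       = 'SSA_Modify Mailbox Permissions'   # management role name from the article
$ParentRole = 'Mail Recipients'                  # assumption: baseline role that holds the cmdlets
$Keep       = 'Get-Mailbox', 'Get-MailboxPermission',
              'Add-MailboxPermission', 'Remove-MailboxPermission'   # assumption
$Members    = 'helpdesk1@contoso.com'            # constructed sample member
$Scope      = 'Sales Mailboxes'                  # constructed scope name
$Assignment = "$Role-$RoleGroup"                 # constructed assignment name

# Fail early on a wrong prefix instead of hitting the access error at assignment time.
if ($RoleGroup -notlike 'SSA-*') { throw "Role group '$RoleGroup' must start with 'SSA-'." }
if ($Role      -notlike 'SSA_*') { throw "Management role '$Role' must start with 'SSA_'." }

# Step 1: create and populate the role group (no roles assigned yet).
New-RoleGroup -Name $RoleGroup -Members $Members

# Step 2: list the baseline roles that contain each needed cmdlet, then create
# the custom role as a child of the chosen parent.
foreach ($Cmdlet in $Keep) {
    Get-ManagementRoleEntry "*\$Cmdlet" | Select-Object Name, Role
}
New-ManagementRole -Name $Role -Parent $ParentRole

# A child role inherits every entry of its parent; remove all but the wanted ones
# so the role grants only the listed cmdlets.
Get-ManagementRoleEntry "$Role\*" |
    Where-Object { $Keep -notcontains $_.Name } |
    Remove-ManagementRoleEntry -Confirm:$false

# Step 3: assign the new role to the new role group.
New-ManagementRoleAssignment -Name $Assignment -SecurityGroup $RoleGroup -Role $Role

# Step 4 (optional): limit what the assignment can modify with a custom write scope.
New-ManagementScope -Name $Scope -RecipientRestrictionFilter "Department -eq 'Sales'"
Set-ManagementRoleAssignment -Identity $Assignment -CustomRecipientWriteScope $Scope

# Review the result: the role entries that remain and the scope on the assignment.
Get-ManagementRoleEntry "$Role\*" | Select-Object Name
Get-ManagementRoleAssignment -RoleAssignee $RoleGroup |
    Format-List Name, Role, CustomRecipientWriteScope
```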