This article contains information on enabling and managing Mimecast Federated Administration, including roles, account settings, importing user addresses, federated access, and hierarchical account management for streamlined control of multiple Mimecast accounts.
Federated Administration allows organizations to manage several Mimecast accounts from one Master account, as well as Group accounts. This optional functionality is available for both Advanced Account Administration and Federated Account Administration.
Enabling Federated Administration
To enable Federated Administration, which is disabled by default, the following steps should be completed:
- Mimecast support must enable the option on the Master account. The Federated Administration Domain must be specified, and only addresses belonging to this domain will be allowed to use the Federated Administration functionality. This domain should be a non-routable email domain, as the Master itself does not process any mail flow. Examples would be: masterdomain.companydomain.com or federatedadministrationdomain.companydomain.com
- Once enabled, four new roles are made available on the Master account: Partner Administrator, Basic Administrator, Helpdesk Administrator, and Gateway Administrator. Mimecast support will allocate the appointed administrators to the appropriate roles.
- The nested Group or Mail Processing accounts must have permission enabled by a Super Administrator or Partner Administrator. Mimecast support will enable it on the appropriate Group accounts and can assist with enabling it on mail-processing accounts as well if needed.
With Federated Administration enabled, the Federated Access button will display in the Mimecast Administration Console, allowing you to quickly access the master account.
Federated Administration Roles
Federated Administrators only have control over their specific nested accounts. This is useful when an organization wants to ensure that an administrator can control a specific account or several accounts, without having access to all accounts for the entire organization.
By default, only the Master Administrator role is available on the Master account. The attributes of the Master Administrator are:
-
-
- Management of the hierarchy of the Advanced Account Administration or Federated Account Administration setup.
- Addition of Internal Domains for an Advanced Account Administration Setup.
- Linking of the Internal Domains to the suitable mail processing accounts within an Advanced Account Administration setup.
- Import of users for the Master account.
- Can define email security policies when Policy Inheritance has been enabled by Mimecast support.
- Takes no email-security-related actions (e.g., quarantine management, etc.).
- No visibility of firm-specific configuration besides the overall Account Settings of the accounts that are part of the Advanced Account Administration or Federated Account Administration setup.
- No visibility of mail flow for any account that is part of the Advanced Account Administration or Federated Account Administration setup.
- Excluded from Federation functionality.
-
When Federated Administration has been enabled on the Master account by Mimecast support, four new roles are made available on the Master:
-
-
- Partner Administrator
- Basic Administrator
- Helpdesk Administrator
- Gateway Administrator
-
These roles will be inheritable by the nested Group and/or Mail Processing accounts of the Master account that have Federated Administration enabled under the Account | Account Settings as well. When Federated Content View has been enabled by Mimecast support too, another three additional roles are made available:
-
-
- Super Administrator
- Full Administrator
- Discovery Officer
-
Custom roles are not supported for Federation purposes.
A Federated Administrator will automatically have the same permissions on the nested accounts that are overseen by the account they've been set up on but can be granted a more specific role as well. For example, the organization appoints an external agency to manage its Mimecast accounts. The agency has three different administrators, and these are allocated to specific nested Groups and Mail Processing accounts for different regions.
Managing Federated Administrators
An option called Manage Federated Administrators is made available in the Account | Roles section of the nested accounts (Group and/or Mail Processing), which can be used to add/remove Federated Administrators that should not have any permissions on the Master account itself.
The roles available for Federated Administrators are Partner Administrator, Basic Administrator, Help Desk Administrator, and Gateway Administrator. Manage Federated Administrators can be configured by Super Administrators and Partner Administrators. The Master Administrator role itself is not eligible for Federation.
On the Master account, an additional option for Federated Content View can also be enabled by Mimecast support. When enabled, the Super Administrator, Full Administrator, and Discovery Administrator roles become available on the Master. This automatically results in the same roles becoming available for Manage Federated Administrators on the Group and Mail Processing accounts. On these accounts, they can only be selected by the Super Administrators.
When viewing a customer account information, it is possible to switch between an AAA or FAA account. When this occurs, the customer account is displayed in a banner at the top of the Administration Console.
Super Administrators on a Federated or Advanced Account Administration role can set/reset their own password, in addition to that of the Master Administrator, other Super Administrators, and those with lower roles.
Federated Access
Once the Federated Administrator has been allocated on the Master account, and with Federated Administration being enabled on the Group and/or Mail Processing accounts, the Federated Administrator can access the nested accounts by using Federated Administrator Access option.
To access Federated Administration:
- Log on to the Master account.
- Click on the Federated Access button. The nested accounts display.
- Click the Switch to Account button for the relevant account.
Alternatively, you can navigate to Account | Roles from any account and click the Federated Access button once again to switch to the appropriate account.
Group Accounts and Mail Processing Accounts
These nested accounts are controlled by the Master Account.
Account Settings
In order to enable Federated Administration, the appropriate checkbox must be selected within Account | Account Settings:
In effect, this allows the account to opt-in to Federated Administration and can be enabled by Super Administrators or Partner Administrators.
Mimecast support will enable the option for the Group accounts.
Importing User Addresses
This allows administrators to import data to Mimecast. This is used to create addresses for the federated administration domain.
To import a user address:
- Log in to the Mimecast Administration Console.
- Click on the Directories | Imports menu item.
- Click on the Choose File button to select your import file.
-
-
- In the Add Notes box, optionally enter a note up to 100 characters. If entering multiple email addresses or domains, this note is associated with all of them.
-
- Click on the Preview Changes button.
- The import file is validated, and a Spreadsheet Information section is displayed. This summarizes the file's contents and the number of user accounts to be created.
- Click on the Save button to complete the user account import.
Comments
Please sign in to leave a comment.