This article contains information on Mimecast administrator roles, their permissions, and default role types, including Super Administrator, Partner Administrator, Full Administrator, and others, with details on access levels, protected permissions, and role management.
The Mimecast administrator roles are a collection of permissions that control access to Mimecast Administration Console functionality. Each role determines the depth of access and can be used to control the tasks performed.
Role Types
Role types are used to control access rights to Mimecast Administration Console functionality. Each role has a security permission assignment based on one of the permissions in the table below.
| Permission | Description |
| Application | Administrators can control the Administration Console menu items that other administrators can access. Typically, read or write access is enabled. |
| Protected |
Super Administrators can control the
Mimecast Administration Console menu items other administrators
can access, including functionality with the protected content
(e.g., viewing email content, exporting email, smart tag assignment).
Protected roles have an
|
| Security |
Administrators have access to the Role Editor, where they can manage roles and administrators. The options are:
|
Default Roles
An administrator role is displayed in the top right side of the screen next to the administrator's email address. For example:
The following default roles are available:
| Role | Application | Role Description |
| Super Administrator | Can manage Application roles and Protected roles. |
Has full privileges to all account options, including the content view of all emails, delegate mailbox access, and the assignment of protected permissions (e.g., the assignment of content view). This administration role is protected, which means that you cannot edit the role or change the privileges assigned. Note: The Super Administrator has the privilege or right to elevate other administrators below the Super Administrator role. |
| Partner Administrator | Can manage Application roles. |
Has full privileges for Partner Administrators, including delegate mailbox access, but excludes protected permissions. See the Managing Partner Administrators page for full details. This administration role is protected, which means that you cannot edit the role or change the privileges assigned. Note: The Partner Administrator role is only applicable to Mimecast MSP Partners. |
| Full Administrator | Can manage Application roles. |
Has high-level administrator privileges, including the content view of all messages, delegate mailbox access, message exports, and the creation/approval of retention adjustments. This administration role is protected, which means that you cannot edit the role or change the privileges assigned. |
| Basic Administrator | Can manage Application roles. |
A primary administrator account with rights to create other Basic Administrator accounts but with no access to protected permissions. Note: Basic Adminstrators have access to the content of an email, but only if the email is being held. |
| Help Desk Administrator | Cannot manage roles. | Has access to common help desk tasks (e.g., message tracking, read-only access to policy management, service connections, and user settings). |
| Gateway Administrator | Can manage Application roles. |
Has read access to common gateway functionality (e.g., policy
management,
message tracking, service connections, and user settings) and
rights
to create other administrator accounts without protected permissions. Does not include Human Risk Command Center access, shielding email Administrators from potentially sensitive Human Risk data. |
| HRCC Administrator | Cannot manage roles. |
Allows read and edit access to
Human Risk Command Center
and
Human Risk Command Center data. This role also allows read-only access to the Mimecast Administration Console Dashboard, Groups, and AD Groups data. |
| Security Awareness Administrator | Cannot manage roles. |
Allows read and edit access to
Awareness Training / Engage,
the Human Risk Command Center
and
Human Risk Command Center data. This role also allows read-only access to the Mimecast Administration Console Dashboard, Groups, and AD Groups data, read and edit access to Stationery Layouts data, and read-only access to other Stationery data (Templates, Images, Actions, Microsites, Broadcasts, Reports, Performance and Branding). |
| Discovery Officer | Cannot manage roles. |
Has access to common eDiscovery features (e.g., archive search with content view, messages exports, and the creation or approval of retention adjustments). Cannot manage gateway policies. This administration role is protected, which means that you cannot edit the role or change the privileges assigned. |
| Reviewer | Cannot manage roles. |
Has access to the eDiscovery Review
application as a reviewer, where discovery cases can be reviewed
for relevance and privilege. This administration role is protected, which means that you cannot edit the role or change the privileges assigned. |
| Synchronization Engine Administrator | Can manage Mimecast Synchronization Engine sites. | Has access to perform all tasks related to managing any Mimecast Synchronization Engine site. |
Only a Basic Administrator role is added when your account is created, but you can have one or more users with Protected Content Permissions, e.g., Super Administrators, Full Administrators, and Discovery Officers. These roles have additional security measures, with the roles' management (e.g., address changes and password resets) only being performed by Mimecast Support. For full details on becoming one of these Administrators, please see the Protected Content Administrators article.
See Also...
Comments
Please sign in to leave a comment.