Advanced and Federated Accounts - Advanced Account Administration Differences

Updated
This article contains information on advanced and federated account administration in Mimecast, detailing differences in account settings, roles, menu items, and import processes for master and nested accounts.

Master Accounts

Menu Items

If Advanced Account Administration is being used on your account, the Mimecast Administration Console menu items are the same, but the functionality covered below differs from a standard Mimecast account:

Menu Item Sub Menu Description
Account Dashboard Displays the dashboard for the master account.
Audit Logs Tracks activity in the master account.
Roles By default, only the Master Administrator role is available.
Account Settings Controls the settings for the master account.
Hierarchy Enables master administrators to view and manage the hierarchy of the advanced account administration setup. See Advanced / Federated Account Administration - Account Structures.
Gateway Authorized Outbounds Displays a list of authorized out- bound IP addresses used by the Advanced Account Administration setup.
Services Directory Synchronization Displays the linked organization's directory connectors.
Journaling Displays a list of the organization's linked journal connectors.
Directories Internal Directories Provides a read only view of the nested account's internal domains, as well as the federated administration domain belonging to the master account. The ability is also provided to:
  • Unlink a domain via a right click menu item. See Configuring Internal Domain / Subdomains.
  • Delete a domain on a master account with no mail processing accounts (advanced account administration accounts only).
Directories Imports Allows administrators to import data to Mimecast. For example:
  • Creating addresses for the federated administration domain.
  • Importing users into mail processing accounts, specifying the remoteaccountcode for each address.

Account Settings

In your Mimecast Account Settings, the following additional options are available:

Feature Description
Enable Policy Inheritance Allows mail processing nested accounts to consider the policies configured on group / master accounts, if all relevant accounts have this option enabled. This option can only be enabled by Mimecast Support.
Enable Federated Administration

Enables additional roles to allow federated administration of group / mail processing nested accounts.

This option can only be enabled by Mimecast Support.
Enable Federated Content View Allows federated administrators to have content view permissions for all nested accounts that have enabled federated administration. This option can only be enabled by Mimecast Support.
Federated Administration Domain Specifies the domain name used for federated administration.

Roles

By default, only the following roles are available on the master account:

  • Master Administrator.
  • Migration Administrator.
  • Partner Administrator.
  • Partner Portal Administrator.
  • Super Administrator.
  • Full Administrator.
  • Basic Administrator.
  • Help Desk Administrator.
  • Gateway Administrator.
  • Discovery Officer.

You must have a Super Administrator role to access group accounts from the master account. Using an account with a Master Administrator role doesn't grant you inherited rights, so you are unable to be granted federated access.

Master Administrator

The master administrator role can:

  • Manage the Advanced Account Administration hierarchy.
  • Add internal domains.
  • Link internal domains to mail processing accounts.
  • Import mail processing account users by specifying the remoteaccountcode for the addresses.
  • Define email security policies where policy Inheritance is enabled.

The master administrator role can't:

  • Perform email security related actions (e.g. quarantine management).
  • Configure settings apart from Account Settings for the accounts that are part of the AdvancedAccount Administration setup.
  • See mail flow for any account that is part of the Advanced Account Administration setup.
  • Configure federation functionality.

​​​​​To add a Master Administrator:

Master administrator email addresses must use a format of "user@yourdomain.master". Adding a user to the Administration Console under this domain format requires a spreadsheet import. To create a suitable spreadsheet, see the Importing Users via a Spreadsheet page and then follow the steps below: 

  1. Log in to the Administration Console.
  2. Navigate to Directories | Imports.
  3. Upload your spreadsheet and Save the changes to complete the user upload. 
  4. Navigate to Administration | Account | Roles. 
  5. Select the Master Administrator role.
  6. Click Add User to Role
  7. Search for the imported user.
  8. Select the check box next to the user's entry. 
  9. Click Add Selected Users
  10. The user will now have the role of Master Administrator.

Migration Administrator

The Migration Administrator has the following attributes:

  • Read only access to all sections on the Master account and read / write access to the Directories | Import menu item.
  • Read only access to all sections on nested accounts (e.g. grouping and mail processing).
  • Read / write access to the Directories | Import menu item.
  • Read / write access to manage "User Home Location" on the master account.
  • Has permission to trigger "Directory Synchronization" on the master and all mail processing accounts.
  • This role would be eligible for federation.

Outbound, Directory, and Journal Connectors

  • The master account shows all the nested account's authorized outbound addresses.
  • Directory connectors configured on mail processing accounts are automatically copied to the master account.

Nested accounts can run directory synchronizations independently of the master account. As a result a user address may have been added to the nested account, but not be visible on the master account. When this happens,mail for this user address is not processed. This is corrected when the master account's directory synchronization takes place. If you've newly created mail enabled objects and cannot wait for automatic synchronziation, run a manual directory synchronization from the master account.

Imports

Advanced Account Administration Differences_1

Administrators logged on to the master account can import users to the master or any nested account. A remoteaccountcode field is used in the spreadsheet to identify which account to add the user to. Additionally an Allow Address Migration field can be used to migrate addresses from one Mail Processing account to another.

Master Administrators can import user addresses directly into administrator roles for mail processing accounts. Supported roles are:

  • Basic Administrator.
  • Help Desk Administrator.
  • Gateway Administrator.

Mail Processing Accounts

Mail processing accounts are similar to standard Mimecast accounts with a few exceptions.

  • Within the internal domains, it isn't possible to add new domains. These must be added to the master account. The master account allocates the new domain to the appropriate mail processing account(s).
  • Any authorized outbounds added to the account automatically display in the master account.
  • Any journal connectors added to the account automatically display in the master account.
  • Any directory connectors are copied to the master account.

Imports

When importing, mail processing accounts have the following differences:

  • If importing email addresses using a spreadsheet, these are automatically learned by the Master account.
  • The Import to Group option is not available.

Advanced Account Administration Differences_2

  • A Notification Email field is available in the Directories | Imports menu item. This is used to notify a user when a  ddresses can’t be saved to the master account, because the same address already exists that is linked to another remoteaccountcode as described above.

See Also..

Related to

Was this article helpful?
1 out of 2 found this helpful

Comments

0 comments

Please sign in to leave a comment.