When enabled by Mimecast Support on the master account, the Administration | Gateway | Policies and Administration | Directories | Groups menus are available on both the master and group accounts. This allows master and group administrators to configure policies that will automatically be inherited by accounts nested underneath them. However, this only occurs if the nested accounts also have the Administration | Directories | Groups menu enabled. If it isn't, it can be enabled by Super Administrators and Partner Administrators on the nested accounts, provided it is enabled on the master account.
Group administrators are only supported via Federated Administration.
This feature is always disabled by default.
Policy Inheritance Exceptions
The list below shows the policies that are not inheritable. Configured inheritable policies on the master and / or group accounts will not display on the nested mail processing accounts:
Inheritable policies can be configured with all specificity options, up to Address Groups. If groups are used, only Mimecast groups can be referenced; Active Directory groups cannot.
Enabling Policy Inheritance
To enable policy inheritance on nested accounts, it must first be enabled on the master account. You can identify whether it is enabled by selecting the Administration | Account | Account Settings menu item on the master account.
With the master account option set, the Administration | Gateway | Policies menu item is available, and inheritable policies on the master and group accounts include an Enforcement option in the "Validity" section. When selected, this increases the specificity of the policy so that it is applied instead of a more specific policy configured on the nested Mail Processing account(s).
The Administration | Directories | Groups menu item will now be available.
Group and Mail Processing Accounts
To enable policy inheritance on a group or mail processing account:
- Select the Administration | Account | Account Settings menu item.
- Ensure the Enable Policy Inheritance option is selected.
In effect, this allows the account to opt-in to policy inheritance, which can be enabled by super administrators or partner administrators. Mimecast Support will enable the option for the group accounts.
Once policy inheritance is enabled on the master account, the options are available on the nested group and mail processing accounts. With the option enabled, all inheritable policies are available on the master / group accounts irrespective of the services subscribed to by the nested mail processing accounts. For example, Targeted Threat Protection policies will be available on the master / group accounts, even if the mail processing account doesn't subscribe to this. While processing email for the mail processing account, only the inheritable policies that match the subscription of that account are inherited.
Policy specificity refers to the application of a policy to matching email flow. More information about this is available in the Policy Specificity article. For policy inheritance, the rules around specificity are enhanced. When emails are processed, the following logic is followed:
- All the appropriate policies from the mail processing account are collected first.
- The Administration | Account | Account Settings are checked to verify if policy inheritance is enabled.
- When enabled, the policies from the parent of the nested account are collected.
- The parent of this nested account is checked to verify if policy inheritance is enabled.
- If this is the case, the policies from the parent account are also collected.
- This process continues until the policies from the master account have been collected, provided that policy inheritance has been enabled for all accounts within the setup.
The “Override” option under validity works at an account level only. To override policies lower down the hierarchy, use the “Enforcement” option from the master or grouping account.
Once all the policies have been collected, they are evaluated for specificity. As expected, the most specific policy will be applied. In the case of a clash, the policy higher up in the hierarchy is favored. A clash between two identical policies in the same account results in one of them being applied at random.
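The collection and evaluation order described above can be checked offline with a small model; this is an added example, not Mimecast code. The numeric specificity score, the `Account` and `Policy` classes, the service label and the sample account codes are assumptions made for illustration, and the account-level "Override" option is not modelled.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

@dataclass
class Policy:
    name: str
    service: str            # constructed label, e.g. "ttp"
    specificity: int        # assumption: numeric score, higher = more specific
    enforced: bool = False  # "Enforcement" option set on a master/group policy

@dataclass
class Account:
    code: str
    inherit: bool           # "Enable Policy Inheritance" account setting
    parent: Optional["Account"] = None
    policies: List[Policy] = field(default_factory=list)

def collect(mail_acct: Account, subscribed: Set[str]) -> List[Tuple[int, Account, Policy]]:
    """Gather (height, account, policy), walking up while inheritance is enabled."""
    found = [(0, mail_acct, p) for p in mail_acct.policies]
    node, height = mail_acct, 0
    while node.inherit and node.parent is not None:
        node, height = node.parent, height + 1
        # Inherited policies only count if the mail account subscribes to the service.
        found += [(height, node, p) for p in node.policies if p.service in subscribed]
    return found

def effective(mail_acct: Account, subscribed: Set[str], service: str):
    """Return (policy name, holding account code) applied for one service, or None."""
    cands = [c for c in collect(mail_acct, subscribed) if c[2].service == service]
    if not cands:
        return None
    # Order: enforced inherited policy, then specificity, then height in the hierarchy.
    # Ties inside one account are not modelled (the page says one is picked at random).
    h, acct, pol = max(cands, key=lambda c: (c[2].enforced and c[0] > 0,
                                             c[2].specificity, c[0]))
    return pol.name, acct.code

def sample_tree() -> Account:
    """Constructed hierarchy: master M > group G > mail processing account A."""
    m = Account("M", True, None, [Policy("master-ttp", "ttp", 3)])
    g = Account("G", True, m, [Policy("group-ttp", "ttp", 3)])
    return Account("A", True, g, [Policy("local-ttp", "ttp", 5)])
```

Running a model like this against an exported policy list is a quick way to spot a nested account whose inheritance setting is off and which therefore never receives a policy the master account is assumed to enforce.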
Email receipt and delivery views can still be used to determine which policies were applied. Inherited policies will display with the account code of the group or master account that holds the inheritable policy between brackets:
Other Policy Differences
Another change is the difference in notification options between the account types, as shown below: