Federated Administration allows organizations to manage several Mimecast accounts from a Master account as well as Group accounts. This optional functionality is available for both Advanced Account Administration and Federated Account Administration.
Enabling Federated Administration
To enable Federated Administration, which is disabled by default, several steps must be completed:
- Mimecast support must enable the option on the Master account. The Federated Administration Domain must be specified, and only addresses belonging to this domain will be allowed to use the Federated Administration functionality. This domain should be a non route-able email domain as the Master itself does not process any mailflow. Examples would be masterdomain.companydomain.com or federatedadministrationdomain.companydomain.com
- Once enabled, four new Roles are made available on the Master account: Partner Administrator, Basic Administrator, Helpdesk Administrator and Gateway Administrator. Mimecast support will allocate the appointed administrators into the appropriate Roles.
- The nested Group or Mail Processing accounts must have the permission enabled by a Super Administrator or a Partner Administrator. Mimecast support will enable it on the appropriate Group accounts and can assist with enabling it on Mail Processing accounts as well if need be.
Federated Administration Roles
Federated Administrators only have control over their specific nested accounts. This is useful when an organization wants to ensure that an administrator can control a specific account or several accounts, without having access to all accounts for the entire organization.
By default, only the Master Administrator Role is available on the Master account. The attributes of the Master Administrator are:
- Management of the Hierarchy of the Advanced Account Administration or Federated Account Administration setup.
- Addition of Internal Domains for an Advanced Account Administration setup.
- Linking of the Internal Domains to the suitable Mail Processing accounts within an Advanced Account Administration setup.
- Import of users for the Master account.
- Can define email security policies when Policy Inheritance has been enabled by Mimecast support.
- Takes no email-security-related actions (e.g. quarantine management, etc.).
- No visibility of firm-specific configuration besides the overall Account Settings of the accounts that are part of the Advanced Account Administration or Federated Account Administration setup.
- No visibility of mail flow for any account that is part of the Advanced Account Administration or Federated Account Administration setup.
- Excluded from Federation functionality.
When Federated Administration has been enabled on the Master account by Mimecast support, four new Roles are made available on the Master:
- Partner Administrator
- Basic Administrator
- Helpdesk Administrator
- Gateway Administrator
These Roles will be inheritable by the nested Group and/or Mail Processing accounts of the Master account that have Federated Administration enabled under the Administration | Account | Account Settings as well. When Federated Content View has been enabled by Mimecast support too, another three additional roles are made available:
- Super Administrator
- Full Administrator
- Discovery Officer
Note: Custom Roles are not supported for Federation purposes.
A Federated Administrator will automatically have the same permissions on the nested accounts that are overseen by the account they has been set up on, but can be granted a more specific Role as well. For example: The organization appoints an external agency to manage their Mimecast accounts. The agency has 3 different administrators, and these are allocated to specific nested Group and Mail Processing accounts for different regions.
Manage Federated Administrators
An option called Manage Federated Administrators is made available in the Administration | Account | Roles section of the nested accounts (Group and/or Mail Processing), which can be used to add/remove Federated Administrators that should not have any permissions on the Master account itself. The Roles available for Federated Administrators are Partner Administrator, Basic Administrator, Helpdesk Administrator and Gateway Administrator. Manage Federated Administrators can be configured by Super Administrators and Partner Administrators.
To switch to nested accounts, the Federated Administrator has to use the Federated Administrator Access option that is available within the Administration | Account | Roles section of the Master, Group and/or Mail Processing accounts.
On the Master account an additional option for Federated Content View can also be enabled by Mimecast support. When enabled, the Super Administrator, Full Administrator and Discovery Administrator Roles become available on the Master. This automatically results in the same Roles becoming available for Manage Federated Administrators on the Group and Mail Processing accounts. On these accounts, they can only be selected by the Super Administrators.
Note: The Master Administrator Role itself is not eligible for Federation.
Federated Administrator Access
Once the Basic Administrator has been allocated on the Master account, and with Federated Administration being enabled on the Group and/or Mail Processing accounts, the Basic Administrator can access the nested accounts by first logging into the Master account, then navigating to Administration | Account | Roles:
A new button at the top of the page, Federated Administrators Access, is used to access the nested accounts:
Click the Switch to Account button for the relevant account.
To navigate back to the Master account or to another account, navigate to Administration | Account | Roles on the nested account, and click the Federated Administrator Access button once again to switch to the appropriate account.
Group Accounts and Mail Processing Accounts
These nested accounts are controlled by the Master Account.
In order to enable Federated Administration, the appropriate checkbox must be selected within Administration | Account | Account Settings:
In effect, this allows the account to opt-in to Federated Administration and can be enabled by Super Administrators or Partner Administrators.
Note: Mimecast support will enable the option for the Group accounts.
View the full article for more information on Policy Inheritance.