The Advanced Account Administration Console enables Administrators to link multiple Mimecast accounts to one overall Master account. Group accounts can be used to create a hierarchy. This is typically used by Administrators of large organizations, organizations that require segregated administration (regional businesses, for instance), or Administrators who require more flexibility in their Mimecast subscription. In this way, an organization can maintain several Mimecast accounts and allocate permissions over those accounts to regional Administrators. The Console acts as an overarching view of all these accounts.
Optional functionality includes:
- Policy Inheritance, so that sub-accounts that have opted-in to this functionality will respect Policies of the Master and/or Group accounts.
- Federated Administration, to allow Administrators that belong to the Federated Administration Domain to gain access to nested accounts that have opted-in to this functionality, facilitating administration of multiple accounts from within the same browser window.
These optional features are available for Federated Account Administration as well. Advanced Account Administration also supports Domain sharing across multiple Mimecast accounts.
Logging In to the Administration Console
To log in to the Administration Console:
- Open your web browser and enter the URL (web address) as provided by the Connect team.
- Add your account email address, then click the Next button.
- In the password field, enter your Mimecast Cloud password, or if logging on with Directory service details, enter your Domain (Network) password. The Master Administrator and any Federated Administrator can log on only with a cloud password. Directory passwords are not supported for Master accounts and Federated Administrators.
- Click the Login button. The Administrator Console Dashboard is displayed.
Many of the menu options, and the functionality contained within them, are the same as the standard Administration Console. The following menu options are available in the Master Console:
| Menu | Option | Description |
|---|---|---|
| Administration \| Account | Dashboard | The default landing page for the Master Console, as defined above. |
| Administration \| Account | Audit Logs | Tracks activity in the Mimecast account. |
| Administration \| Account | Roles | Manages Administrator permissions for the Console. By default, only the Master Administrator Role is available on the Master console. |
| Administration \| Account | Account Settings | Control settings for the Mimecast account. |
| Administration \| Gateway | Authorized Outbounds | Provides a list of Authorized Outbound IP Addresses used by the Advanced Account Administration setup. |
| Administration \| Services | Directory Synchronization | Displays the linked organization's Directory connectors. |
| Administration \| Services | Journaling | Displays a list of the organization's linked Journal connectors. |
| Administration \| Directories | Internal Directories | Provides a read-only view of the Internal Domains of the nested accounts as well as the Federated Administration Domain belonging to the Master. |
| Administration \| Directories | Imports | Allows Administrators to import data to Mimecast. Used for creating new addresses for the Federated Administration Domain or to import users into Mail Processing accounts, specifying the remoteaccountcode for each address that needs to be added to a Mail Processing account. |
Some differences between the Advanced Account Administration Master Console and the standard Administration Console are detailed below.
Four additional options are available within Administration | Account | Account Settings:
| Option | Description |
|---|---|
| Enable Policy Inheritance | Allows Mail Processing nested accounts to consider the Policies configured on Group and/or Master accounts as long as all relevant accounts have this option enabled as well. Note: This is enabled by Mimecast Support. |
| Enable Federated Administration | Enables additional Roles to allow Federated Administration of Group and Mail Processing nested accounts. Note: This is enabled by Mimecast Support. |
| Enable Federated Content View | Allows Federated Administrators to have Content View permissions for all nested accounts that have enabled Federated Administration. Note: This is enabled by Mimecast Support. |
| Federated Administration Domain | Specifies the Domain name used for Federated Administration. |
The Accounts | Hierarchy section enables Master Administrators to view and manage the Hierarchy of the Advanced Account Administration setup. For more information, view the Account Structures article.
By default, only the following roles are available on the Master account:
- Master Administrator
- Migration Administrator
The Master Administrator has the following attributes:
- Management of the Hierarchy of the Advanced Account Administration setup.
- Addition of Internal Domains for the Advanced Account Administration setup.
- Linking of the Internal Domains to the suitable Mail Processing accounts within the Advanced Account Administration setup.
- Import of users for the Mail Processing accounts within the Advanced Account Administration setup by specifying the remoteaccountcode for the addresses.
- Can define email security policies when Policy Inheritance has been enabled by Mimecast support.
- Takes no email-security-related actions (e.g. quarantine management, etc.).
- No visibility of firm-specific configuration besides the overall Account Settings of the accounts that are part of the Advanced Account Administration setup.
- No visibility of mail flow for any account that is part of the Advanced Account Administration setup.
- Excluded from Federation functionality.
The Migration Administrator has the following attributes:
- Read-only access to all sections on the Master account and Read/Write access for Directories | Import.
- Read-only access to all sections on nested accounts (Grouping and Mail Processing) and Read/Write access for Directories | Import.
- Read/Write access to manage "User Home Location" on the Master account.
- Has Permission to trigger "Directory Synchronization" on Master and Mail Processing accounts.
- This role would be eligible for Federation.
Outbounds, Directory and Journal Connectors
- The Master account shows all the Authorized Outbound addresses for all the nested accounts.
- Directory Connectors configured on Mail Processing accounts are automatically copied to the Master account.
As nested accounts can run Directory Syncs independently of the Master account, a user address may have been added to the nested account but might not yet be visible on the Master, and mail for this user address will not be processed. This will be corrected when the Master account Directory Synchronization takes place. If you have newly created mail-enabled objects and cannot wait for automatic synchronization, you can run a manual Directory Synchronization from the Master account.
Administrators logged on to the Master account can import users to the Master or any nested accounts. A new field is used in the spreadsheet to identify which account to add the user to, titled remoteaccountcode.
Master Administrators can import user addresses directly into Administrator Roles for Mail Processing accounts. Supported Roles are: Basic Administrator, Helpdesk Administrator and Gateway Administrator.
A new field, Allow Address Migration, is used to migrate addresses from one Mail Processing account to another.
View the full article for more information on adding and Managing Internal Domains.
Mail Processing Accounts
Mail Processing accounts are similar to standard Mimecast accounts with a few exceptions.
- Within the Internal Domains, it isn't possible to add new domains as these must be added to the Master account. The Master account will then have to allocate the new Internal Domain to the appropriate Mail Processing account(s).
- Any Authorized Outbounds added to the account will automatically be displayed in the Master account.
- Any Journal Connectors added to the account will automatically be displayed in the Master account.
- Any Directory Connectors will be copied to the Master account.
If importing email addresses using a spreadsheet, these will automatically be learned by the Master account. The Import to Group option is not available. A new field is visible when navigating to Administration | Directories | Imports.
The email address in the Notification Email field is used when addresses could not be saved to the Master account because the same address already exists and is linked to another remoteaccountcode as described earlier in this article.
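A pre-upload check for the conflict described above, as an added example that is not Mimecast code: it scans an import sheet for addresses already linked to a different remoteaccountcode, or assigned to two codes within the same sheet. The `emailaddress` column name, the account codes and the Master mapping are constructed assumptions; only `remoteaccountcode` comes from this article.

```python
import csv
import io

def check_import(sheet_text, master_links):
    """Return (row_number, address, problem) for rows that conflict.

    sheet_text   -- CSV text of the import sheet (column names assumed)
    master_links -- {address: remoteaccountcode} already held on the Master,
                    taken from whatever export you keep (constructed here)
    """
    known = {a.strip().lower(): c.strip() for a, c in master_links.items()}
    seen = {}       # address -> code first assigned in this sheet
    findings = []
    # Row 1 is the header, so data rows start at 2.
    for n, row in enumerate(csv.DictReader(io.StringIO(sheet_text)), start=2):
        addr = (row.get("emailaddress") or "").strip().lower()
        code = (row.get("remoteaccountcode") or "").strip()
        # The article does not say how a blank code is handled, so rows
        # without an address or a code are not judged here.
        if not addr or not code:
            continue
        if addr in known and known[addr] != code:
            findings.append((n, addr, f"already linked to {known[addr]}"))
        if addr in seen and seen[addr] != code:
            findings.append((n, addr, f"also assigned to {seen[addr]} in this sheet"))
        seen.setdefault(addr, code)
    return findings

# Constructed sample data; the account codes are placeholders.
SAMPLE_SHEET = """emailaddress,remoteaccountcode
alice@emea.example.com,CEXAMPLE01
Bob@apac.example.com,CEXAMPLE02
carol@emea.example.com,
bob@apac.example.com,CEXAMPLE01
dave@emea.example.com,CEXAMPLE02
"""
SAMPLE_MASTER = {"dave@emea.example.com": "CEXAMPLE01"}

if __name__ == "__main__":
    for finding in check_import(SAMPLE_SHEET, SAMPLE_MASTER):
        print(finding)
```

Addresses are compared case-insensitively, so `Bob@...` and `bob@...` are treated as the same user.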