Understanding Administrator Roles

Document created by user.oxriBaJeN4 Employee on Sep 15, 2015Last modified by user.oxriBaJeN4 Employee on Aug 23, 2017
Version 43Show Document
  • View in full screen mode

Administrator roles are a collection of permissions that allow administrators access to Administration Console functionality. Each role determines the depth of access, and can be used to control the tasks that can be performed by an administrator.



Role Permissions



The following role permissions are available:


ApplicationAdministrators have access to menu options in the Administration Console. Typically read or write access is enabled.

Administrators can perform protected tasks (e.g. viewing message content, exporting messages, assigning permissions to view Smart Tags).


Administrators have access to the Role Editor, where they can control the management of roles and administrators. The options are:


Cannot Manage RolesAdministrators do not see the Roles tab displayed in the Administrator Console.
Manage Application RolesAdministrators can modify access to the Administrator Console tabs for other administrators. The exception is if the application areas is marked as protected with the "Protected Roles" permission.
Protected Roles

Administrators can modify access to protected application areas (e.g. archive email content, exporting messages, managing message retention).


Default Roles



Logged_In_As.pngAn administrator role is displayed in the top right side of the screen next to the Administrator’s email address. The following default roles are available:


Partner AdministratorThis role has full privileges for Partner Administrators. This includes delegate mailbox access, but excludes protected permissions. See the Managing Partner Administrators page for full details.
Super AdministratorThis role has full privileges to all account options. This includes the content view of all email, delegate mailbox access, and the assignment of protected permissions (e.g. the assignment of content view rights to others).
Full AdministratorThis role has high level administrator privileges. This includes the content view of all messages, delegate mailbox access, message exports, and the creation / approval of retention adjustments.
Basic AdministratorThis role has full administrator account privileges, without access to any protected permissions.
Help Desk AdministratorThis role has access to common help desk tasks (e.g. track and trace, read only access to policy management, service connections, and user settings).
Gateway AdministratorThis role has read access to common gateway functionality (e.g. policy management, track and trace, service connections, and user settings).
Discovery OfficerThis role has access to common eDiscovery features (e.g. archive search with content view, messages exports, and the creation or approval of retention adjustments).
Synchronization Engine AdministratorThis role has access to Mimecast Synchronization Engine functionality when managing sites.


Managing Super Administrators



Only a Basic Administrator role is added when your Mimecast account is created, but it can have one or more users with the Super Administrator role. This role has the ability to assign protected permissions to other administrator roles. This includes content view access, assigning retention permissions (used to purge emails from the archive) and other permissions. This role has additional security measures, with the role's management (e.g. address changes, password resets) only being able to be performed by the Mimecast Security Team.


If a user requires a Super Administrator, Full Administrator, Delivery Officer, or Synchronization Engine Officer role, the following steps must be followed:

  1. Send an email to support@mimecast.com. This request must:
    • Be written on your company letterhead.
    • Be signed by a Director or higher in your organization.
    • Specify their name and position.
    • Clearly state the email address that needs to be added / removed and / or the password to be reset.
      Click here to download a template that can be used for this purpose.
  2. Once the request has been received, Mimecast Support will perform a series of checks that are required to confirm the request. If the request cannot be confirmed (i.e. the requester is not listed as an Account contact) Mimecast will be unable to proceed until confirmation has been made.
  3. When Mimecast Support has successfully confirmed the request, a change request will be issued to the Mimecast Security Team.
  4. Once the new email address has been assigned to the role and / or the password has been reset, a Mimecast Support representative will contact you via telephone.
    For security reasons, this password cannot be sent via email. The administrator must access the Administration Console and change the issued password while Mimecast Support is still on the telephone.

See Also...


3 people found this helpful