Understanding Administrator Roles

Document created by user.oxriBaJeN4 Employee on Sep 15, 2015Last modified by user.oxriBaJeN4 Employee on Apr 2, 2019
Version 49Show Document
  • View in full screen mode

Administrator roles are a collection of permissions that control access to Administration Console functionality. Each role determines the depth of access and can be used to control the tasks performed.



Role Types



Role types are used to control access rights to Administration Console functionality. Each role has a security permission assignment based on one of the permissions in the table below. 



Administrators can control the Administration Console menu items that other administrators can access. Typically read or write access is enabled.


Administrators can control the Administration Console menu items that other administrators can access, included functionality with the protected content (e.g. viewing email content, exporting email, smart tag assignment). Protected roles have a Protected Icon icon located to the left of the "View Role" button.


Administrators have access to the Role Editor, where they can control the management of roles and administrators. The options are:

Cannot Manage RolesAccess to the Roles tab is disabled.
Manage Application RolesAdministrators can modify access for other administrators. The exception is if the application areas are marked as protected with the "Protected Roles" permission.
Protected Roles

Administrators can modify access to protected application areas (e.g. archive email content, exporting messages, managing message retention).


Default Roles



Logged_In_As.pngAn administrator role is displayed in the top right side of the screen next to the Administrator’s email address. The following default roles are available:


RoleSecurity PermissionsRole Description
Partner AdministratorCan manage application roles.Has full privileges for Partner Administrators, including delegate mailbox access, but excludes protected permissions. See the Managing Partner Administrators page for full details.
Super AdministratorCan manage application roles.Has full privileges to all account options, including the content view of all email, delegate mailbox access, and the assignment of protected permissions (e.g. the assignment of content view rights to others).
Full AdministratorCan manage application roles.Has high-level administrator privileges, including the content view of all messages, delegate mailbox access, message exports, and the creation / approval of retention adjustments.
Basic AdministratorCan manage application roles.Has full administrator account privileges, without access to any protected permissions.
Help Desk AdministratorCannot manage roles.Has access to common help desk tasks (e.g. message tracking, read-only access to policy management, service connections, and user settings).
Gateway AdministratorCan manage application roles.Has read access to common gateway functionality (e.g. policy management, message tracking, service connections, and user settings).
Discovery OfficerCannot manage roles.Has access to common eDiscovery features (e.g. archive search with content view, messages exports, and the creation or approval of retention adjustments).
ReviewerCannot manage roles.Has access to the eDiscovery Review application as a reviewer, where discovery cases can be reviewed for relevance and privilege.
Synchronization Engine AdministratorCannot manage roles.Has access to Mimecast Synchronization Engine functionality when managing sites.


Managing Super Administrators



Only a Basic Administrator role is added when your account is created, but you can have one or more users with the Super Administrator role. This role has additional security measures, with the role's management (e.g. address changes, password resets) only being able to be performed by Mimecast Support.


If a user requires a Super Administrator, Full Administrator, or Discovery Officer role, the following steps must be followed:

  1. Send an email to support@mimecast.com. This request must:
    • Be written on your company letterhead.
    • Be signed by a Director or higher in your organization.
    • Specify their name and position.
    • Clearly state the email address that needs to be added / removed, and / or the password to be reset.
      Click here to download a template that can be used for this purpose.
  2. Once the request has been received, we will perform a series of checks required to confirm the request. If the request cannot be confirmed (i.e. the requester is not listed as an Authorized Account contact) we are unable to proceed until confirmation has been made.
  3. When we have successfully confirmed the request, a change request is issued to the Mimecast Security Team.
  4. Once the new email address has been assigned to the role and / or the password has been reset, a Mimecast Support representative will contact you via telephone.
    For security reasons, this password cannot be sent via email. The administrator must access the Administration Console and change the issued password while Mimecast Support is still on the telephone.

See Also...


3 people found this helpful