Shield Admin Access

Description

In this article, we'll delve into the access levels available for the Superuser and Administrator roles within Shield Control and highlight the exclusive control that remains with the end user. Shield's zero-trust model ensures that end users have full authority over who is trusted to reach their Inbox while still giving partners access to provide essential support and guidance.

Admin Access

Providing Admin Access

Admin access can be set at the Parent Organization level - the first Organization a partner onboards to Shield - or at each Organization underneath the Parent Organization.

Any admin access set at the Parent Organization will filter to all Organizations underneath the Parent Organization. This does not include veto permission at this time.

If a user requires different levels of access for different domains, the Admin Access for the user must be added to those Organizations rather than at the Parent Organization.

NOTE: Admin access in Shield is completely separate from Managers in the Mailprotector Console, and any settings in the Console will not be imported to Shield.

Login to Shield

Each user signs in with their Microsoft 365 credentials. Once in Shield, those with Admin Access can toggle from the end user to their admin access (Control Mode). There are no separate logins for end user and admin in Shield; access for each is toggled through Control Mode.

 

Toggle Admin Access

Enable Control Mode in the upper-right corner when signing in to Shield as an end user. This changes your experience to the Admin Access level you are granted for your Organization(s). To return to End User Access, toggle Control Mode to the off position, and you will be brought to the End User Access screen.

Control_Mode.png

 

Admin Access Levels Defined

Admin Access is set per Shield User via Manage Access (below). There are four Admin Access levels in Shield:

  1. Superuser*: Can perform all actions for this Organization and all domains belonging to it. Each user requiring Superuser admin access must be assigned at each Organization's level or at the Parent Organization. Veto review requests can be disabled or enabled per Superuser, per Organization.
  2. Administrator: Can perform all admin access actions for an individual Organization for any user access below the Superuser level. Each user requiring Administrator admin access must be assigned at each Organization's level or at the Parent Organization. Veto review requests can be disabled or enabled per Administrator, per Organization.
  3. Advisor: Can review vetoes and search mail flow for an individual Organization. Each user requiring Advisor admin access must be assigned at each Organization's level. Veto review requests can be disabled or enabled per Advisor, per Organization.
  4. Reader: Can view Organization information and search mail flow but cannot perform any actions on behalf of users. Each user requiring Reader admin access must be assigned at each Organization's level.

*The account that activates the Shield Organization is automatically assigned Superuser access. This Superuser can assign additional Superusers and Administrators, Advisors, and Readers. All other admins besides the activating Superuser must be manually added to an Organization unless the admin is already assigned a role at the Parent Organization.

IMPORTANT: Any access granted at the Organization level is applied to all domains within the Organization. If a Shield User should have Admin Access to multiple Organizations, Admin Access must be set for each Shield User requiring Admin Access within each Organization or at the Parent Organization of the Organization. 

 

Admin Access at the Control Level

Screenshot 2024-09-13 at 14.15.50.pngThe following features are accessible to both Superuser and Administrator accounts at the Organization Control level:

  • Find Email with Spotlight
    • Use Spotlight to quickly find emails sent to or from this Organization.
    • Use Search & Rescue to find mail users expected to receive but haven't seen yet.
    • View Recently Sent to see what mail has made its way out of the Organization.
    • View mail Recently held in Jail.
  • Manage Access
    • Superusers can set access for any users.
    • Administrators can set access for anyone below the Superuser level.
    • Both Superusers and Administrators can set Veto access for any users.
  • Adjust Risk Levels
    • Both Superusers and Administrators can set Risk Levels for the Organization and all users.
  • View Groups
    • Both Superusers and Administrators can view the list of Groups configured in Microsoft for the Organization, as well as Sync with Microsoft.
    • Changes to Groups may only be performed in M365 by authorized accounts.
  • View Domains
    • Both Superusers and Administrators can view the list of Domains that are part of the Organization, as well as which domain is considered the Primary domain, and can Sync with Microsoft.
    • Changes to Domains may only be performed in M365 by authorized accounts.
  • View Users
    • Both Superusers and Administrators can view the list of Users in the Organization and Sync with Microsoft.
    • Changes to Name, Primary Email Address, and Alias Addresses may only be performed in M365 by authorized accounts. All Shield-specific Preferences can be changed by both Superusers and Administrators. Within Shield Control, Admin Access allows for changes to Experience Level and Mailbox Mode. Admin Access also allows sending welcome emails.

The following features are also available from the Control page:

  • Veto Messages
    Screenshot 2024-09-13 at 14.13.46.png
    • Both Superusers and Administrators can Veto messages, provided that they have been granted access to do so at the Organization level.

      NOTE: Veto access is not inherited by the Parent organization.

  • View recent activity for the Organization
    Screenshot 2024-09-13 at 14.13.37.png
    • Both Superusers and Administrators can view all Recent Activity logged for the Organization.

 

Admin Permissions at the Shield User Level

As previously mentioned, because of the zero-trust model, partners cannot make all changes for an end user in Shield. The table below highlights which actions a Superuser or Administrator can perform for a Shield User and which actions only the Shield User can take.

 

  Superuser Administrator Shield User
View mail headers
View message body
View message insights, links, files, details, timeline, location
View Lockbox
Lock a message
Unlock a message
View a Single  Trusted/Silenced Sender via Spotlight
View the Entire List of Trusted/Silenced Senders for One User
Trust/Silence Senders
Deliver immediately vs Bundled
Change Bundle delivery times

Veto access is treated differently:

  Superuser of the Organization Administrator of the Organization Shield User
Veto a Jail decision Approve a veto request Approve a veto request Request a veto

 

For assistance with Shield Admin Access, please contact the Partner Success Team.

Updated

Was this article helpful?

0 out of 0 found this helpful