Description
Admin Access
Providing Admin Access
Admin access can be set at the Parent Organization level - the first Organization a partner onboards to Shield - or at each Organization underneath the Parent Organization.
Any admin access set at the Parent Organization will filter to all Organizations underneath the Parent Organization. This does not include veto permission at this time.
If a user requires different levels of access for different domains, the Admin Access for the user must be added to those Organizations rather than at the Parent Organization.
NOTE: Admin access in Shield is completely separate from Managers in the Mailprotector Console, and any settings in the Console will not be imported to Shield.
Login to Shield
Each user signs in with their Microsoft 365 credentials. Once in Shield, those with Admin Access can toggle from the end user to their admin access (Control Mode). There are no separate logins for end user and admin in Shield; access for each is toggled through Control Mode.
Toggle Admin Access
Enable Control Mode in the upper-right corner when signing in to Shield as an end user. This changes your experience to the Admin Access level you are granted for your Organization(s). To return to End User Access, toggle Control Mode to the off position, and you will be brought to the End User Access screen.
Admin Access Levels Defined
Admin Access is set per Shield User via Manage Access (below). There are four Admin Access levels in Shield:
- Superuser*: Can perform all actions for this Organization and all domains belonging to it. Each user requiring Superuser admin access must be assigned at each Organization's level or at the Parent Organization. Veto review requests can be disabled or enabled per Superuser, per Organization.
- Administrator: Can perform all admin access actions for an individual Organization for any user access below the Superuser level. Each user requiring Administrator admin access must be assigned at each Organization's level or at the Parent Organization. Veto review requests can be disabled or enabled per Administrator, per Organization.
- Advisor: Can review vetoes and search mail flow for an individual Organization. Each user requiring Advisor admin access must be assigned at each Organization's level. Veto review requests can be disabled or enabled per Advisor, per Organization.
- Reader: Can view Organization information and search mail flow but cannot perform any actions on behalf of users. Each user requiring Reader admin access must be assigned at each Organization's level.
*The account that activates the Shield Organization is automatically assigned Superuser access. This Superuser can assign additional Superusers and Administrators, Advisors, and Readers. All other admins besides the activating Superuser must be manually added to an Organization unless the admin is already assigned a role at the Parent Organization.
IMPORTANT: Any access granted at the Organization level is applied to all domains within the Organization. If a Shield User should have Admin Access to multiple Organizations, Admin Access must be set for each Shield User requiring Admin Access within each Organization or at the Parent Organization of the Organization.
Admin Access at the Control Level
The following features are accessible to both Superuser and Administrator accounts at the Organization Control level:
-
Find Email with Spotlight
- Use Spotlight to quickly find emails sent to or from this Organization.
- Use Search & Rescue to find mail users expected to receive but haven't seen yet.
- View Recently Sent to see what mail has made its way out of the Organization.
- View mail Recently held in Jail.
-
Manage Access
- Superusers can set access for any users.
- Administrators can set access for anyone below the Superuser level.
- Both Superusers and Administrators can set Veto access for any users.
-
Adjust Risk Levels
- Both Superusers and Administrators can set Risk Levels for the Organization and all users.
-
View Groups
- Both Superusers and Administrators can view the list of Groups configured in Microsoft for the Organization, as well as Sync with Microsoft.
- Changes to Groups may only be performed in M365 by authorized accounts.
-
View Domains
- Both Superusers and Administrators can view the list of Domains that are part of the Organization, as well as which domain is considered the Primary domain, and can Sync with Microsoft.
- Changes to Domains may only be performed in M365 by authorized accounts.
-
View Users
- Both Superusers and Administrators can view the list of Users in the Organization and Sync with Microsoft.
- Changes to Name, Primary Email Address, and Alias Addresses may only be performed in M365 by authorized accounts. All Shield-specific Preferences can be changed by both Superusers and Administrators. Within Shield Control, Admin Access allows for changes to Experience Level and Mailbox Mode. Admin Access also allows sending welcome emails.
The following features are also available from the Control page:
-
Veto Messages
-
-
Both Superusers and Administrators can Veto messages, provided that they have been granted access to do so at the Organization level.
NOTE: Veto access is not inherited by the Parent organization.
-
Both Superusers and Administrators can Veto messages, provided that they have been granted access to do so at the Organization level.
-
View recent activity for the Organization
- Both Superusers and Administrators can view all Recent Activity logged for the Organization.
Admin Permissions at the Shield User Level
As previously mentioned, because of the zero-trust model, partners cannot make all changes for an end user in Shield. The table below highlights which actions a Superuser or Administrator can perform for a Shield User and which actions only the Shield User can take.
Superuser | Administrator | Shield User | |
View mail headers | ✅ | ✅ | ✅ |
View message body | ❌ | ❌ | ✅ |
View message insights, links, files, details, timeline, location | ✅ | ✅ | ✅ |
View Lockbox | ✅ | ✅ | ✅ |
Lock a message | ❌ | ❌ | ✅ |
Unlock a message | ❌ | ❌ | ✅ |
View a Single Trusted/Silenced Sender via Spotlight | ✅ | ✅ | ✅ |
View the Entire List of Trusted/Silenced Senders for One User | ❌ | ❌ | ✅ |
Trust/Silence Senders | ✅ | ✅ | ✅ |
Deliver immediately vs Bundled | ❌ | ❌ | ✅ |
Change Bundle delivery times | ❌ | ❌ | ✅ |
Veto access is treated differently:
Superuser of the Organization | Administrator of the Organization | Shield User | |
Veto a Jail decision | Approve a veto request | Approve a veto request | Request a veto |
For assistance with Shield Admin Access, please contact the Partner Success Team.
Updated