Description
In this article, we'll explore the access levels available for the Superuser and Administrator roles within Shield Control and highlight the exclusive control that remains with the end user. Shield's zero-trust model ensures that end users have full authority over who is trusted to reach their Inbox while allowing partners to provide essential support and guidance.
Admin Access
Providing Admin Access
Admin access can be set at the Parent Organization level - the first Organization a partner onboards to Shield - or at each Organization underneath the Parent Organization.
Any admin access set at the Parent Organization will filter to all Organizations underneath the Parent Organization. This does not include veto permission.
If a user requires different access levels for different domains, the user's Admin Access must be added to those Organizations rather than at the Parent Organization.
Admin access in Shield is completely separate from Managers in the Mailprotector Console, and any settings in the Console will not be imported to Shield.
Login to Shield
Each user signs in with their Microsoft 365 credentials. Once in Shield, those with Admin Access can toggle from the end user to their admin access (Control Mode). There are no separate logins for the end user and admin in Shield; access for each is toggled through Control Mode.
Toggle Admin Access
Enable Control Mode in the upper-right corner when signing in to Shield as an end user. This changes your experience to the Admin Access level you are granted for your Organization(s). To return to End User Access, toggle Control Mode to the off position, and you will be brought to the End User Access screen.
Admin Access Levels Defined
Admin Access is set per Shield User via Manage Access (below). There are four Admin Access levels in Shield:
- Superuser*: Can perform all actions for this Organization and all domains belonging to it. Each user requiring Superuser admin access must be assigned at each Organization's level or at the Parent Organization. Veto review requests can be disabled or enabled per Superuser, per Organization.
- Administrator: Can perform all admin access actions for an individual Organization for any user access below the Superuser level. Each user requiring Administrator admin access must be assigned at each Organization's level or at the Parent Organization. Veto review requests can be disabled or enabled per Administrator, per Organization.
- Advisor: Can review vetoes and search mail flow for an individual Organization. Each user requiring Advisor admin access must be assigned at each Organization's level. Veto review requests can be disabled or enabled per Advisor, per Organization.
- Reader: Can view Organization information and search mail flow but cannot perform any actions on behalf of users. Each user requiring Reader admin access must be assigned at each Organization's level.
*The account that activates the Shield Organization is automatically assigned Superuser access. This Superuser can assign additional Superusers and Administrators, Advisors, and Readers. All other admins besides the activating Superuser must be manually added to an Organization unless the admin is already assigned a role at the Parent Organization.
Any access granted at the Organization level is applied to all domains within the Organization. If a Shield User should have Admin Access to multiple Organizations, Admin Access must be set for each Shield User requiring Admin Access within each Organization or at the Parent Organization of the customer Organization. Veto access is an exception and must be set at each Organization level, regardless of its settings at the Parent Organization.
Admin Access at the Control Level
The following features are accessible to both Superuser and Administrator accounts at the Organization Control level:
-
Find Email with Spotlight
- Use Spotlight to quickly find emails sent to or from this Organization.
- Use Search & Rescue to find mail users expected to receive but haven't seen yet.
- View Recently Sent to see what mail has made its way out of the Organization.
- View mail Recently held in Jail.
-
Add or Remove Products
- Both Superusers and Administrators can add or remove products for users.
-
Manage Access to This Organization
- Superusers can set access for any user.
- Administrators can set access for anyone below the Superuser level.
- Both Superusers and Administrators can set Veto access for any user.
-
Manage Request Notifications
- Both Superusers and Administrators can manage request notifications.
-
Adjust Risk Levels
- Superusers and Administrators can set Risk Levels for the Organization and all users.
-
Manage Trusted Regions
- Superusers and Administrators can set Trusted Regions for the Organization.
-
View Health
- Both Superusers and Administrators can view the onboarding status of each user.
-
Configure Bracket
- Both Superusers and Administrators can configure Bracket for the Organization.
-
View Users
- Superusers and Administrators can view the list of Users in the Organization and Sync with Microsoft.
- Changes to Name, Primary Email Address, and Alias Addresses may only be performed in M365 by authorized accounts. Both Superusers and Administrators can change all Shield-specific preferences. Within Shield Control, Admin Access allows for changes to Experience Level and Mailbox Mode and for sending welcome emails.
-
View Groups
- Both Superusers and Administrators can view the list of Groups configured in Microsoft for the Organization and Sync with Microsoft.
- Changes to Groups may only be performed in M365 by authorized accounts.
-
View Domains
- Both Superusers and Administrators can view the list of Domains that are part of the Organization, which domain is considered the Primary domain, and can Sync with Microsoft.
- Changes to Domains may only be performed in M365 by authorized accounts.
-
Configure Preferences
- Both Superusers and Administrators can configure preferences for the Organization.
The following features are also available from the Control page:
-
Veto Messages
-
-
Superusers and Administrators can Veto messages, provided they have been granted access at the Organization level.
Veto access is not inherited from the Parent organization.
-
Superusers and Administrators can Veto messages, provided they have been granted access at the Organization level.
-
View recent activity for the Organization
- Both Superusers and Administrators can view all Recent Activity logged for the Organization.
Admin Permissions at the Shield User Level
As previously mentioned, because of the zero-trust model, partners cannot make all changes for an end user in Shield. The table below highlights which actions a Superuser or Administrator can perform for a Shield User and which actions only the Shield User can take.
| Superuser | Administrator | Shield User | |
| View mail headers | ✅ | ✅ | ✅ |
| View User mailbox message body | ❌ | ❌ | ✅ |
| View Shared mailbox message body | ✅ | ✅ | ✅ |
| View message insights, links, files, details, timeline, location | ✅ | ✅ | ✅ |
| View Lockbox | ✅ | ✅ | ✅ |
| Lock a message | ❌ | ❌ | ✅ |
| Unlock a message | ❌ | ❌ | ✅ |
| View a Single Trusted/Silenced Sender via Spotlight | ✅ | ✅ | ✅ |
| View the Entire List of Trusted/Silenced Senders for One User | ❌ | ❌ | ✅ |
| Trust/Silence Senders | ✅ | ✅ | ✅ |
| Deliver immediately vs Bundled | ✅ | ✅ | ✅ |
| Silence to Jail, Junk, Archive, Trash | ✅ | ✅ | ✅ |
| Change Bundle delivery times | ❌ | ❌ | ✅ |
Veto access is treated differently:
| Superuser of the Organization | Administrator of the Organization | Shield User | |
| Veto a Jail decision | Approve a veto request | Approve a veto request | Request a veto |
Getting Help
For assistance with Shield Admin Access, please contact the Partner Success Team.
Updated