4 Replies Latest reply: May 14, 2013 6:31 PM by air1



      The delegation of administrative rights in SaaS e-mail protection seems odd, and I wanted to see if anyone can confirm or deny the problem.


      1. In SaaS Security Centre for virus protection, the concept of delegation is simple. A Group Administrator can administer the computers assigned to their Group. They cannot see any other computers.
      2. In the McAfee Control Console for e-mail protection, the top of the hierarchy in the console is a Customer. There is a level above (Partner) but the Customer is not aware of this.
      3. Within a Customer, it is possible to delegate to a "Domain". However, the Domain Administrator cannot administer the domain. They cannot create users in the domain, or create groups, or policies. In fact they only seem to be able to administer the domain _name_, by setting an alias and a mail server to which mail for the domain can be sent.
      4. Although the domain administrator is not in fact an administrator of the domain, they can only see users in their domain, and administer Allow/Deny lists or quarantine only for the domain.
      5. The Customer can also delegate "Groups". A Group Administrator can administer a group, can only see their group, and can set a policy for their group. However, a Group Administrator CANNOT administer the users in their group, but CAN see all users in any group.


      I can understand this protocol, but it would be better if there was a level of administration below the level of customer. Since a mail domain is either redirected to McAfee or not, for all users, it would make sense to have a domain administrator who could manage all aspects of the domain (including user accounts, mail servers, policies etc.) AND have no visibility of other domains.


      Have I missed something?

      Is there a different product that can do this?

        • 1. Re: Delegation
          Brad McGarr

          Greetings Air1,


          I think there might be some confusion of the different roles.


          You may want to refer to the following KB article:


          https://support.mcafeesaas.com/MCAFEE/_cs/AnswerDetail.aspx?sSessionID=&inc=39486&caller=~%2fFindAnswers.aspx%3ftxtCriteria%3duser+roles%26sSessionid%3d


          The domain administrator role has the majority of access needed to manage a domain under an account:



          Domain Administrator Role -


          Domain Level Permissions:

          • Edit existing user accounts allow & deny list
          • Edit existing user accounts quarantine
          • Configure Email Protection Setup
            ◦ Add/change mail servers, disaster recovery configuration, user creation mode
          • Manage Quarantine for all domains
          • Generate Email & Web Protection reports
          • Can view information only for the logged-in primary domain. Example: the customer has two primary domains; the Domain Admin logs in with a login ID to one of those primary domains, and they can only see the information relevant to that primary domain.


          The Group Administrator was not designed to include user-management rights, only the ability to edit policies assigned to that group, e.g. a Domain or Customer Administrator must first assign a user to a group, and from that point the Group Administrator can affect the policies they have ownership of.


          Let me know if you have any other questions.

          • 2. Re: Delegation

            My question / comment is based on that article.

            • The domain administrator cannot administer users in their domain. They cannot add users or delete users. They cannot administer policies applying to users in their domain. They are not really "domain" administrators; more like "mail" administrators.
            • The group administrator can administer policies for their group. They cannot administer the e-mail (quarantine, allow / deny). This is understandable, because some aspects of mail will be administered at the level of the domain. However, they can see all users in all domains and groups.

            So whereas a domain administrator is only aware of their own domain, but cannot fully manage it, the group administrator has visibility of all users in all domains, but cannot fully manage them. As far as I can tell, only a Customer Administrator can fully manage ANY subset of the users, whether in a group, a domain or any other subset; but they can also manage ALL subsets.


            What is needed is a genuine domain administrator, who can administer all aspects of mail for their domain and not see any other domain.


            Unless I have misunderstood something, which was the reason for my question.

            • 3. Re: Delegation
              Brad McGarr

              Correct, the different administrator types are limited in what they can and cannot do, and the only role with all of the customer-level actions is the Customer Administrator. Domain Administrators were designed to manage the Email Domain, and group administrators were designed to only edit the policies their group owns. While a group administrator can see users and see what groups they are subscribed to, they cannot make changes.


              Essentially the Group Administrator was created to allow, for example, the Manager of a department to adjust their own email protection policies independently, to avoid placing those burdens on a help desk. Simultaneously, each of the other roles was designed to focus on limited areas, with the Customer Administrator having the highest level of access. As far as I understand, part of the reason user account creation is limited to Customer Administrators and the Directory Integration service is because the Customer Administrator will typically be an individual with knowledge of how many user licenses there are.


              I'm going to send up an enhancement request for your desired changes to the Domain Administrator role (which will be described as having full customer administrator access, except limited to a single domain on an account). All requests are reviewed by our Product Management team for feasibility, but they are not assured to be implemented.


              Thanks for your suggestions!

              • 4. Re: Delegation

                Thanks Brad, that is constructive. I appreciate that different customers have different needs, and the current delegation may suit some customers perfectly well.

                I have come at it from SaaS endpoint protection, so it is a problem not to have the same type of delegation. It would be fine if group administrators could not see users outside their group. Then a delegate could be either a domain administrator, or a group administrator, or both.