530 Views 4 Replies Latest reply: May 14, 2013 6:31 PM by air1 RSS
air1 Newcomer 3 posts since
May 13, 2013

May 13, 2013 12:51 PM

Delegation

The delegation of administrative rights in SaaS e-mail protection seems odd, and I wanted to see if anyone can confirm or deny the problem.

 

  1. In SaaS Security Centre for virus protection, the concept of delegation is simple. A Group Administrator can administer the computers assigned to their Group. They cannot see any other computers.
  2. In the McAfee Control Console for e-mail protection, the top of the hierarchy in the console is a Customer. There is a level above (Partner) but the Customer is not aware of this.
  3. Within a Customer, it is possible to delegate to a "Domain". However, the Domain Administrator cannot administer the domain. They cannot create users in the domain, or create groups, or policies. In fact they only seem to be able to administer the domain _name_, by setting an alias and a mail server to which mail for the domain can be sent.
  4. Although the domain administrator is not in fact an administrator of the domain, they can only see users in their domain, and administer Allow/Deny lists or quarantine only for the domain.
  5. The Customer can also delegate "Groups". A Group Administrator can administer a group, can only see their group, can set a policy for their group. However, a Group Administrator: CANNOT administer the users in their group; CAN see all users in any group.

 

I can understand this protocol, but it would be better if there was a level of administration below the level of customer. Since a mail domain is either redirected to McAfee or not, for all users, then it would make sense to have a domain administrator who could manage all aspects of the domain (including user accounts, mail servers, policies etc.) AND have no visibility of other domains.

 

Have I missed something?

Is there a different product that can do this?

  • Brad McGarr McAfee Employee 154 posts since
    Dec 4, 2012
    1. May 13, 2013 1:08 PM (in response to air1)
    Re: Delegation

    Greetings Air1,

     

    I think there might be some confusion of the different roles.

     

    You may want to refer to the following KB article:

     

    https://support.mcafeesaas.com/MCAFEE/_cs/AnswerDetail.aspx?sSessionID=&inc=3948 6&caller=~%2fFindAnswers.aspx%3ftxtCriteria%3duser+roles%26sSessionid%3d

     

    The domain administrator role has the majority of access needed to manage a domain under an account:

     

     

    Domain Administrator Role -

     

    Domain Level Permissions:

     

    • Edit existing user accounts allow & deny list
    • Edit existing user accounts quarantine
    • Configure Email Protection Setup

        o Add/change mail servers / disaster recovery configuration / user creation mode

    • Manage Quarantine for all domains
    • Generate Email & Web Protection reports
    • Can view information only for the logged in primary domain. Example: The customer has two primary domains, the Domain Admin logs in with a login ID to one of those primary domains; they can only see the information relevant to that primary domain.

     

    The Group Administrator was not designed to include user-management rights, only the ability to edit policies assigned to that group, e.g. a Domain or Customer Administrator must first assign a user to a group, and from that point the Group Administrator can affect the policies they have ownership of.

     

    Let me know if you have any other questions.


    Brad McGarr
    McAfee SaaS Email & Web Protection
    Technical Support Technician I (Legacy & Partner Support)
    Microsoft Certified Professional
    Microsoft Technology Associate - Windows OS | CompTIA A+ Certified Technician | CIW Web Foundations Associate
    Visit my blog: Brad's Corner - Insights from SaaS Email & Web Security Support https://community.mcafee.com/blogs/brad-denver

  • Brad McGarr McAfee Employee 154 posts since
    Dec 4, 2012
    3. May 14, 2013 10:28 AM (in response to air1)
    Re: Delegation

    Correct, the different administrator types are limited in what they can and cannot do, and the only role with all of the customer-level actions is the Customer Administrator. Domain Administrators were designed to manage the Email Domain, and group administrators were designed to only edit the policies their group owns. While a group administrator can see users and see what groups they are subscribed to, they cannot make changes.

     

    Essentially the Group Administrator was created to allow, for example, the Manager of a department to adjust their own email protection policies independently to avoid placing those burdens on a help desk. Simultaneously, each of the other roles was designed to focus on limited areas, with the Customer Administrator having the highest level of access. As far as I understand, part of the reason user account creation is limited to Customer Administrators and the Directory Integration service is because the Customer Administrator will typically be an individual with knowledge of how many user-licenses there are.

     

    I'm going to send up an enhancement request for your desired changes to the Domain Administrator role (which will be described as having full customer administrator access except limited to a single domain on an account). All requests are reviewed by our Product Management team for feasibility but are not assured to be implemented.

     

    Thanks for your suggestions!


    Brad McGarr
