Access Management in the EAS Portal
This manual explains the service-independent Access Management feature in the Enterprise Administration Services Portal (EAS). The configuration parameters for Access Management are located in multiple areas in the portal and have varying effects on EAS users’ administration rights.
For detailed descriptions of the individual services and their functions, please refer to the administrator manuals for each service.
What is Access Management?
The Access Management function enables you to assign specific restrictions to the administrator rights that have been assigned to individual users in EAS. For example, access to sensitive monitoring data can be limited by hierarchy, country, department, etc., and you have the flexibility to assign user configuration rights, or admin rights for user digests and customer domains. You can map complex organizational structures and restrict access to configuration parameters in the profiles and domains that you have configured yourself.
Access Management menu
You can reach Access Management in the main EAS navigation below the User Management tab.
There you will see an overview of all existing mappings of EAS users to their respective configuration objects within EAS (see EAS objects below), as well as the access right under which these mappings are located. EAS objects may be individual domains which you can manage within the Retarus Email Security framework, as well as individual profiles in the same service.
Only a limited number of objects and users are displayed in the overview table. When you click on the table, a detailed view of the rights configuration is displayed.
Rows that have an assigned access right but do not yet have an EAS object can be deleted. However, if you want to delete an access right that has already been mapped to an EAS object, you first have to undo the mapping of the EAS object to the EAS user. This configuration can be made in the respective service configuration menu (see Assigning access rights to users).
You can use the Edit option to rename an existing access right. The existing right remains and a renamed copy without any mappings is created.
The Details option gives you a complete overview of EAS object and user assignments for the selected access right.
Assigning access rights to users
When new EAS users are created or existing ones are modified, you have the option of configuring additional restrictions with the assistance of Access Management, regardless of the user’s security level.
The settings that determine access management for users are located under the User Management tab (then click on Email to access them).
As soon as this option has been configured for one EAS administrator, Access Management is automatically activated for all administrators. Using this access, EAS administrators can assign special access rights to EAS users who currently possess a Customer Staff security level. These restricted EAS users are not authorized to manage Access Management themselves, which ensures that they do not assign themselves unauthorized rights.
Individual access rights are assigned by entering the initial letter or a name fragment in the text field next to the Assigned access rights field. A complete list of available rights will be displayed. Click on the respective right that you want to add to the list. Multiple selections are possible.
If you want the user to have access to all existing rights and any that will be created in the future, leave the Assigned access rights field empty, which gives the user access to all EAS objects. Alternatively, you can use a wildcard (*). For example, to grant an admin access to all access rights that begin with DE, you would enter DE*, and the admin would have access to all current and future rights that begin with DE. EAS users for whom the Use Access Management field is set to Yes can also view and manage their access rights here.
Service settings
To set up access rights for individual EAS objects, you have to select them in each configuration interface.
You can do this by clicking on Administration - Email Services - Service configuration - Profiles and then on an existing profile in the profiles overview table.
EAS objects can be domains as well as profiles.
To assign an access right to an EAS object, simply select it from the drop-down menu (see above). Each EAS object can only be assigned a single access right. As soon as you have selected an access right, the change is saved and becomes visible in the Access Management menu.
Hands-on examples
A Retarus Email Security customer has multiple domains and has grouped their internal email recipients in various profiles.
This is how the general service settings are managed for the sample.de and sample.com domains. Because the Marketing Department has users in both the sample.de and sample.com domains, users in this department are grouped under a common profile. The same applies to the Management profile.
These settings are managed by two different employees in the company’s internal IT Department. Both administrators have complete EAS access. However, each should only manage portions of the email security of Sample Company Inc.
Admin1 is tasked with the Marketing Department’s configurations. In contrast, Admin2 is responsible for the management and general settings of the sample.de and sample.com domains. To accomplish this, access rights must be configured that clearly define which right applies to what.
Access right: PROFILE.MARKETING
The PROFILE.MARKETING access right is assigned to EAS user Admin1 in the User Management menu and applied to the Marketing all EAS object.
This makes it possible for Admin1 to configure the settings for this profile, and, for example, to track only email messages in Email Monitoring that were associated with this access right when saved in the system.
Access right: PROFILE.MANAGEMENT, PROFILE.DOMAIN.COM, PROFIL.DOMAIN.DE
Here, the option used is to create multiple access rights. This way, individual rights can be removed from Admin2 as responsibilities change and assigned to another admin without having to modify the access rights themselves.
Admin2 receives all three access rights in the User Management interface and can now map them as needed to individual EAS objects (i.e., the respective profiles and domains in the Email Security Service Settings menu).
The term Admin doesn’t automatically refer to an EAS user with a Customer Admin security level who can configure assignments themselves and can, in this manner, from the start restrict access to certain areas in the service settings and to the contents of the Email Monitoring feature.
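The assignment rules from Assigning access rights to users, applied to the hands-on example, as an added illustration that is not part of the original manual or of the EAS portal. It assumes that * stands for any run of characters (the manual only shows a trailing wildcard) and that each profile and domain carries the right whose name suggests it; Admin3 and Admin4 are hypothetical users added to show the wildcard and the empty field.

```python
import re

def right_matches(pattern, right):
    """True if an 'Assigned access rights' entry covers a right; only * is special."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, right) is not None

def manageable_objects(assigned, objects):
    """EAS objects a user can manage; an empty assignment list means all of them."""
    if not assigned:
        return sorted(objects)
    return sorted(name for name, right in objects.items()
                  if any(right_matches(p, right) for p in assigned))

def audit(users):
    """List assignments that also cover rights created in the future."""
    findings = []
    for user, assigned in sorted(users.items()):
        if not assigned:
            findings.append((user, "empty field: all current and future rights"))
        findings.extend((user, "wildcard " + p + ": includes future rights")
                        for p in assigned if "*" in p)
    return findings

# Constructed data: EAS object -> its single access right (names as in the manual).
OBJECTS = {
    "Marketing all": "PROFILE.MARKETING",
    "Management": "PROFILE.MANAGEMENT",
    "sample.com": "PROFILE.DOMAIN.COM",
    "sample.de": "PROFIL.DOMAIN.DE",   # spelled as in the manual
}
USERS = {
    "Admin1": ["PROFILE.MARKETING"],
    "Admin2": ["PROFILE.MANAGEMENT", "PROFILE.DOMAIN.COM", "PROFIL.DOMAIN.DE"],
    "Admin3": ["PROFILE.*"],           # hypothetical wildcard assignment
    "Admin4": [],                      # hypothetical: field left empty
}

if __name__ == "__main__":
    for user, assigned in sorted(USERS.items()):
        print(user, "->", manageable_objects(assigned, OBJECTS))
    for user, reason in audit(USERS):
        print("REVIEW", user, reason)
```

Because matching is on the exact name of the right, Admin3's PROFILE.* entry does not cover the sample.de domain, whose right is spelled PROFIL.DOMAIN.DE, so naming rights consistently matters before relying on wildcards.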