Admin and user roles in Trustifi

In the Trustifi system there are several kinds of roles that affect the level of access each type of admin or user has in the system.
For transparency, every action performed by admins or other users with extended permissions is logged in the Trustifi web portal under the “Audit log” page in the corresponding section.
This document will outline the various roles, the level of access/permissions they have, and how to configure each role.

Primary Admin

This admin role refers to the primary administrator of the Trustifi plan. Each plan in Trustifi can only have one primary admin, and all of the plan users are listed under this admin. This role is determined during the onboarding process when the Trustifi plan is created.

By default, admins and sub-admins will receive notifications regarding user activity such as new users joining plans, suspicious activity performed by users, DLP/inbound rules triggered by a user email, etc.

Primary admins have full read and write permissions for all functions in every Trustifi module.

A primary admin can assign admin or reviewer level permissions to other users of the plan, and can also revoke these permissions. Other users cannot revoke admin permissions from the primary admin.

When viewing the “User Management“ page in the Trustifi portal, the primary admin will always be the one listed at the top of the list. Any other users with the role of “admin” will be the sub-admins.

If you want to set another user as the primary admin instead of the existing one, please contact Trustifi support at support@trustificorp.com .

Sub-admin

A sub-admin is a user who has been granted admin-level permissions to the Trustifi system by the main admin.

Sub-admins have the same level of access as the primary admin, and can perform the same actions. The only action a sub-admin cannot perform is to remove admin permissions from the primary admin.

To set a user as a sub-admin:

• • Open the “User Management“ page under “Outbound Management“
  • Find the user in the “User Management” list and click on “Actions” next to the user
  • Click on “Modify Permissions” to open the permission management window

In this window, click on the toggle for “Grant administrative permissions to user” to give this user admin-level permissions throughout the Trustifi portal.

Read-only admin

Users can be given read-only access to the Trustifi admin portal – meaning they can access all of the management modules, but they can only view information without the ability to take actions or make any changes.
To allow read-only admin permissions to a user – follow the same steps as above, except in the “Modify Permissions” window you should enable both “Grant administrative permissions to user” and “Read only permissions” like so:

Partner – Admins

A “Partner-admin” is a special type of admin in the Trustifi system, who can manage other admin-level plans under their account. This type of admin is mostly used by MSPs or resellers to manage their clients.

Partner-admins have access to Trustifi’s multi-tenant view, which allows them to easily view and manage their client accounts from the web portal.
The multi-tenant view can be accessed from the top part of the page, directly under the page header. From there, you can search and select the client you want to manage.

Access to the Multi-tenant View

Partner admins can toggle the multi-tenant view on or off for their sub-admins, depending on whether those sub-admins should or shouldn’t have access to the accounts of their clients.

This setting can also be found in the “Modify Permissions” window, under the “Multi tenant view” section.

Inbound Shield Reviewer

Inbound Shield Reviewers are users who are assigned to a specific role of enforcing and monitoring inbound email security, and have partial admin-level access to these pages in the Trustifi web portal (under “Inbound Management“):

• • Inbound Shield
  • Configuration
  • Quarantined Emails
  • Trends & Insights
  • Threat Response
  • Audit Log

These reviewers can set policies for inbound mail flow, view and manage the allowlists and blocklists, and view and manage the quarantined emails for all of the organization’s users/mailboxes, including releasing emails from quarantine.

Additionally, inbound reviewers will receive notifications about threats received by users in the organization, depending on which threat type has the “Notify reviewer” setting under “Threat Prevention Rules”.

Assigning an Inbound Shield Reviewer

Assigning a user as an Inbound Shield reviewer can be done in 2 ways:

1. From the User Management page:

• Open the “User Management“ page under “Outbound Management“
• Find the user in the “User Management” list and click on “Actions” next to the user
• Click on “Modify Permissions” to open the permission management window
• Select “Set as Inbound Shield Reviewer”

2. From the Inbound Shield Configuration page:

• Navigate to the Inbound Shield Configuration page
• Click on the “Add Reviewer” button
• Add the user’s email address

From this section you may also configure if the reviewer should be allowed to do the following:

• View content of quarantined emails
• Release emails tagged as “Malicious“
• Change plan configurations and policies for Inbound Shield. If this setting is disabled the reviewer can only review emails in quarantine and release them 

Outbound Reviewer

Outbound reviewers have admin-level access to the following pages under the “Outbound Management” section:

• Rules & Policies
• Trends & Insights
• Quarantined Emails
• Reports
• Audit log

Outbound reviewers will also receive notifications about emails going into the outbound quarantine.

Assigning an Outbound Reviewer

Assigning a user as an outbound reviewer can be done in 2 ways:

1. From the User Management page:

• Open the “User Management“ page under “Outbound Management“
• Find the user in the “User Management” list and click on “Actions” next to the user
• Click on “Modify Permissions” to open the permission management window
• Select “Set as Outbound Reviewer”

2. From the outbound reviewers page:

• Navigate to the outbound reviewers page
• Click on the “Add Reviewer” button
• Add the user’s email address

Archive Reviewer

Archive reviewers have access to all pages under the “Archive” section of the Trustifi admin portal. They can create, view, share, and manage archive cases, as well as accessing the audit log for this section.

Assigning an Archive Reviewer

Assigning a user as an archive reviewer can be done in 2 ways:

1. From the User Management page:

• Open the “User Management“ page under “Outbound Management“
• Find the user in the “User Management” list and click on “Actions” next to the user
• Click on “Modify Permissions” to open the permission management window
• Select “Set as Archive Reviewer”

2. From the archive configurations page:

• Navigate to the archive configurations page
• Click on the “Add Reviewer” button
• Add the user’s email address

From this section you can also toggle on or off the reviewer’s permissions to view the content of archived emails.

Threat Simulation Reviewer

Threat simulation reviewers have access to all pages under the “Threat Simulation” section of the Trustifi admin portal. They can send and view simulation campaigns, create and edit templates, and view the trends & insights page.

Assigning a Threat Simulation Reviewer

Assigning a user as a threat simulation reviewer can be done in 2 ways:

1. From the User Management page:

• Open the “User Management“ page under “Outbound Management“
• Find the user in the “User Management” list and click on “Actions” next to the user
• Click on “Modify Permissions” to open the permission management window
• Select “Set as Threat Simulation Reviewer”

2. From the Threat Simulation reviewers page:

• Navigate to the Threat Simulation reviewers page
• Click on the “Add Reviewer” button
• Add the user’s email address

Account Takeover Reviewer

Account takeover reviewers have access to all pages under the “Account Takeover Protection” section of the Trustifi admin portal. They can manage policies, view suspicious events and take actions on users, and view the trends & insights.

Assigning an Account Takeover Reviewer

Assigning a user as an account takeover reviewer can be done in 2 ways:

1. From the User Management page:

• Open the “User Management“ page under “Outbound Management“
• Find the user in the “User Management” list and click on “Actions” next to the user
• Click on “Modify Permissions” to open the permission management window
• Select “Set as Account Takeover Reviewer”

2. From the Account Takeover reviewers page:

• Navigate to the Account Takeover reviewers page
• Click on the “Add Reviewer” button
• Add the user’s email address

Partner Reviewer

Partner reviewers have access to all pages under the “Partners” section of the Trustifi admin portal. They can view usage statistics, generate reports, register deals, and access partner resources.

Assigning a Partner Reviewer

Assigning a partner reviewer can be done from the User Management page:

• Open the “User Management“ page under “Outbound Management“
• Find the user in the “User Management” list and click on “Actions” next to the user
• Click on “Modify Permissions” to open the permission management window
• Select “Set as Partner Reviewer”

Global Reviewers

Global reviewers can be assigned by partner-admins who manage other Trustifi clients/plans. Global reviewers have full admin-level read and write permissions for the clients they manage and in the module they are assigned to.
This means that when a user is assigned as a global reviewer, they will get access to the multi-tenant view which they can use to access and modify the Trustifi plans of managed clients.
For some modules, the partner-admin can set limitations on the permissions of the global reviewers. More details below.

Assigning a Global Reviewer

Assigning a global reviewer can be done from the User Management page:

• Open the “User Management“ page under “Outbound Management“
• Find the user in the “User Management” list and click on “Actions” next to the user
• Click on “Edit Global Reviewer”

  

• In the pop-up window, select which modules the user should be assigned as a global reviewer for

  

Global Inbound Reviewer

A global inbound reviewer has access to all pages and tabs under the “Inbound Management” section of clients managed by this partner/MSP. Global inbound reviewers can review client quarantined emails and release them, update allowlists and blocklists, and manage other settings related to Inbound Shield.

Assigning a Global Inbound Reviewer

In the “Global Reviewer” pop-up window, select “Set as Inbound Shield Reviewer“.

Permission Restrictions for Global Inbound Reviewers

When assigning a global inbound reviewer, you may set the following permissions/limitations:

• Allow this reviewer to release malicious emails: If this setting is on, the global reviewer will be able to release all types of emails from quarantine. Otherwise, they will be able to release any type of quarantined email except malicious emails.
• Allow this reviewer to view quarantined email content: If this setting is on, the global reviewer will be able to view the content and attachments of client quarantined emails.

Global Outbound Reviewer

A global outbound reviewer has access to all pages and tabs under the “Outbound Management” section of clients managed by this partner/MSP. Global outbound reviewers can add and manage users, create and edit DLP rules and policies, and view outbound email reports.

Assigning a Global Outbound Reviewer

In the “Global Reviewer” pop-up window, select “Set as Outbound Reviewer“.

Global Archive Reviewer

A global archive reviewer has access to all pages and tabs under the “Archive” section of clients managed by this partner/MSP. Global archive reviewers can create, view, share, and manage archive cases, as well as accessing the audit log for this section.

Assigning a Global Archive Reviewer

In the “Global Reviewer” pop-up window, select “Set as Archive Reviewer“.

Permission Restrictions for Global Archive Reviewers

When assigning a global inbound reviewer, you may set the following permissions/limitations:

• Allow this reviewer to view archived email content: If this setting is on, the global reviewer will be able to view the content and attachments of client archived emails.

Global Threat Simulation Reviewer

A global threat simulation reviewer has access to all pages and tabs under the “Threat Simulation” section of clients managed by this partner/MSP. Global threat simulation reviewers can send and view simulation campaigns, create and edit templates, and view the trends & insights page.

Assigning a Global Threat Simulation Reviewer

In the “Global Reviewer” pop-up window, select “Set as Threat Simulation Reviewer“.

Global Account Takeover Reviewer

A global account takeover reviewer has access to all pages and tabs under the “Account Takeover Protection” section of clients managed by this partner/MSP. Global account takeover reviewers can manage policies, view suspicious events and take actions on users, and view the trends & insights.

Assigning a Global Account Takeover Reviewer

In the “Global Reviewer” pop-up window, select “Set as Account Takeover Reviewer“.

User

End-users have no control over rules or policies that affect other users. In the Trustifi web portal, users can perform the following actions:

• • Send secure emails
  • Manage their own contacts and templates
  • Manage their own secure attachments
    Note: access to the items above can be blocked by the admin. If you wish to block users from performing these actions, please contact Trustifi support.
  • View their own quarantined emails. Under default settings, users cannot release their own quarantined emails. This can be allowed by admins or reviewers by selecting “Allow recipient control” for a specific type of emails under “Threat Prevention Rules”, or by assigning a user to be a personal reviewer (detailed further in this guide).
  • View and manage their personal allowlists and blocklists

Blocking users

Admins may choose to block a user if they suspect the user’s mailbox has been compromised, if the user is purposely sending malicious/spam content, if they are sharing sensitive information in an unsecured way, or for any other reason.

Blocking users is very simply from the Trustifi web portal:

• • Navigate to “User Management” under “Outbound Management” as an admin
  • Find the user you wish to block
  • Click on “Actions” > “Block User”

When a user is blocked, the following restrictions will apply:

• • The user will not be able to log into any Trustifi system using their credentials
  • The user will not be able to send any emails using Trustifi. If your email server is integrated with Trustifi, that means the user will not be able to send any emails at all using their mailbox.
  • Any encrypted emails, attachments, or links the user has previously sent using Trustifi will not be available to any recipient.

If you wish to unblock the user, simply repeat the process detailed above and select “Unblock user” from the “Actions” menu.
Once a user has been unblocked, all the restrictions listed above will be reverted.

Outbound and inbound user licenses

Since Trustifi can be deployed either as a full suite or as an inbound-only or outbound-only solution, user licenses are divided into outbound users and inbound users which are listed as mailboxes.

Outbound users can be viewed and managed under the “User Management” page, and inbound users can be viewed and managed under the “Mailbox Management” page.
If you are connected to Trustifi’s outbound or inbound email relay, Trustifi users will automatically be created for your organization members whenever they send or receive emails.

Personal Reviewer

A “Personal Reviewer” is a regular user who has permissions to review and release their own quarantined emails. They cannot review quarantined emails from any other user, or make changes to inbound or outbound policies.

To grant a user “personal reviewer” permissions as an admin:

• • Navigate to “Mailbox Management” under “Inbound Management”
  • Find the mailbox of the user
  • Click on “Actions” > “Edit Personal Reviewer”
  • In the pop-up window, select if the user should also be able to release malicious emails
  • Click “OK” to confirm