‘Send As’ permission allows a user to send emails from the shared mailbox email address. The message will appear to have been sent from the shared mailbox and will have no affiliation to the user’s personal email address.
Important: please ensure you select the correct user from the NHS Directory. If you select an incorrect user, this could lead to a potential data breach. If this does occur, it will be your responsibility to raise a security incident in line with your local policies.
To select users with ‘Send As’ permissions for the shared mailbox:
Type the user’s name into the search box
Select the tick box to the left of the user’s name
To add multiple users, tick the box next to their name
Click Select at the bottom of the page
‘Owner’ permissions allows a user to open the shared mailbox, view incoming emails and send emails from the shared mailbox email address . They will be responsible for managing all further permissions for the shared mailbox.
To select users with ‘Owner’ permission for the shared mailbox:
Click Add in the Owner box. You can add yourself as an owner by clicking “Add Myself As Owner” checkbox.
Follow the steps above to select the users who will be granted this permission
A mailbox owner should be encouraged to manage the mailbox themselves e.g. add additional users to the mailbox through Outlook Web App. For more information on performing these actions, direct users to Delegated and Shared Mailboxes on the NHSmail training and guidance pages
1. When any user is given Full Access permissions to a mailbox ensure that:
a. Mailbox delegation for that user is not setup via Outlook
b. That folder level permissions for that user are never applied as they will conflict
2. In the Outlook calendar there is a permission “My Organization” which appears in Outlook on the web as “People in my organization” – It is vital to understand that in the context of the mailbox any reference to “Organization” means all users in NHSmail – it does not mean your local NHS Organization. The permissions model sees all recipients in NHSmail as a single organisation. It is therefore critical never to change the default permission for the Calendar which should be:
- In Outlook: None
- In Outlook on the web: Can view when I’m busy
- The following common folder permissions should never be changed on any mailbox folder:
- All users with Full Access permissions to a mailbox all have identical permissions which means any of these users can delete or change any item in the mailbox.
- The permissions can be more granularly managed via Mailbox Delegation (above) as Full Access permissions can grant too permissive rights and delegation permissions can make these more focused (for example, Reviewer permissions would not allow the user to delete any mail)
- Always grant permissions of least privilege to reduce the likelihood of data loss or exposing data – consider whether users need Full Access to a mailbox or whether more restricted permissions via delegation are more suitable
- Any user with Full Access can potentially cause a data breach by modifying individual Folder Permissions and no user with the same Full Access permissions can stop this. We recommend only one nominated user should be responsible for setting folder level permissions. If there are no delegates these should not be changed from the defaults.
|Last Reviewed Date||27/10/2023|