Setting shared mailbox permissions


‘Send As’ permission allows a user to send emails from the shared mailbox email address. The message will appear to have been sent from the shared mailbox and will have no affiliation to the user’s personal email address.

Important: Please ensure you select the correct user from the NHS Directory. If you select an incorrect user, this could lead to a potential data breach. If this does occur, it will be your responsibility to raise a security incident in line with your local policies.

To select users with ‘Send As’ permissions for the shared mailbox:

Click Add in the Send As box

Type the user’s name into the search box



You can also use the navigation features at the bottom of the user list

Select the tick box to the left of the user’s name



To add multiple users, tick the box next to their name

Handy Hint

Use the advanced search to narrow the results by, for example, status or organisation

Click Select at the bottom of the page

‘Owner’ permission allows a user to open the shared mailbox, view incoming emails and send emails from the shared mailbox email address. They will be responsible for managing all further permissions for the shared mailbox.

To select users with ‘Owner’ permission for the shared mailbox:

Click Add in the Owner box. You can add yourself as an owner by selecting the “Add Myself As Owner” checkbox.

Follow the steps above to select the users who will be granted this permission

A mailbox owner should be encouraged to manage the mailbox themselves, e.g. by adding additional users to the mailbox through Outlook Web App. For more information on performing these actions, direct users to Delegated and Shared Mailboxes on the NHSmail training and guidance pages.

If you accidentally grant a user ‘Send As’ or ‘Owner’ permissions, click on the red cross:



Click Create and the following message will be displayed:




Screenshot: success notification of creating a shared mailbox



Additional Information

For all information on policies and procedures related to Shared Mailboxes, refer to the Shared Mailbox Guide for NHSmail located under Help.

  • Refer to Editing a Shared Mailbox for more information on how to change any shared mailbox attributes following creation
  • You will not be able to set an out of office on a shared mailbox; this should be managed by the shared mailbox owner in Outlook Web App

Best Practices

1. When any user is given Full Access permissions to a mailbox, ensure that:

a. Mailbox delegation for that user is not set up via Outlook

b. Folder level permissions for that user are never applied, as they will conflict

2. In the Outlook calendar there is a permission “My Organization” which appears in Outlook on the web as “People in my organization” – It is vital to understand that in the context of the mailbox any reference to “Organization” means all users in NHSmail – it does not mean your local NHS Organization. The permissions model sees all recipients in NHSmail as a single organisation. It is therefore critical never to change the default permission for the Calendar which should be:

a. In Outlook: None

b. In Outlook on the web: Can view when I’m busy

3. The following common folder permissions should never be changed on any mailbox folder:

Name                 Permission
Default              None
Anonymous            None

4. All users with Full Access permissions to a mailbox have identical permissions, which means any of these users can delete or change any item in the mailbox.

5. Permissions can be managed more granularly via Mailbox Delegation (above): Full Access permissions can grant overly permissive rights, whereas delegation permissions can be more focused (for example, Reviewer permissions would not allow the user to delete any mail).

6. Always grant permissions of least privilege to reduce the likelihood of data loss or exposing data – consider whether users need Full Access to a mailbox or whether more restricted permissions via delegation are more suitable.

7. Any user with Full Access can potentially cause a data breach by modifying individual Folder Permissions and no user with the same Full Access permissions can stop this. We recommend only one nominated user should be responsible for setting folder level permissions. If there are no delegates these should not be changed from the defaults.
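
The rules above can be checked mechanically when reviewing a mailbox. The following Python is an added example, not part of the NHSmail guidance or any NHSmail tool: the `audit` function, the record layout and the sample users and folders are all constructed for illustration. It flags Full Access users who also hold delegation or folder-level permissions, a changed Calendar default, and any Default or Anonymous entry that is not None.

```python
# Added example: the record layout, user names and folder names are constructed
# for illustration and are not an NHSmail or Exchange export format.
CALENDAR_DEFAULT_OK = {"None", "Can view when I'm busy"}  # Outlook / Outlook on the web


def audit(full_access, delegates, folder_perms):
    """Return sorted (rule, detail) findings for one mailbox.

    full_access  -- set of users holding Full Access
    delegates    -- set of users set up as delegates via Outlook
    folder_perms -- iterable of (folder, principal, permission) tuples
    """
    findings = []
    # Full Access must not be combined with Outlook delegation.
    for user in full_access & delegates:
        findings.append(("full-access-overlap", f"{user}: also an Outlook delegate"))
    for folder, principal, perm in folder_perms:
        perm = perm.replace("\u2019", "'")  # tolerate curly apostrophes
        if principal in full_access:
            # Folder-level permissions conflict with Full Access.
            findings.append(("full-access-overlap", f"{principal}: {perm} on {folder}"))
        elif principal == "Default" and folder == "Calendar":
            # Calendar default must stay at the value shown by either client.
            if perm not in CALENDAR_DEFAULT_OK:
                findings.append(("calendar-default", f"Default: {perm} on Calendar"))
        elif principal in ("Default", "Anonymous") and perm != "None":
            # Default and Anonymous must stay at None on every folder.
            findings.append(("default-anonymous", f"{principal}: {perm} on {folder}"))
    return sorted(findings)


# Constructed sample data for one shared mailbox.
SAMPLE_FULL_ACCESS = {"alice", "bob"}
SAMPLE_DELEGATES = {"bob", "carol"}
SAMPLE_FOLDER_PERMS = [
    ("Inbox", "Default", "None"),
    ("Inbox", "Anonymous", "None"),
    ("Inbox", "alice", "Editor"),      # Full Access plus folder permission
    ("Inbox", "carol", "Reviewer"),    # delegate only: acceptable
    ("Calendar", "Default", "Can view when I\u2019m busy"),
    ("Calendar", "Anonymous", "Can view all details"),
    ("Referrals", "Default", "Reviewer"),
]

if __name__ == "__main__":
    for rule, detail in audit(SAMPLE_FULL_ACCESS, SAMPLE_DELEGATES, SAMPLE_FOLDER_PERMS):
        print(f"{rule}: {detail}")
```
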
Last Reviewed Date 27/10/2023
Updated on 27/10/2023
