print friendly version

How to...

Using Role-based Accounts or other shared accounts


Introduction

This Guide primarily discusses role-based accounts, how to get one set up, how to use one, and gives other general guidance on the use of these accounts.

This Guide can also be used to set up access to a personal account for which access authorisation has been obtained: the method is the same. 

The Guide is primarily for the use of role-based accounts with Outlook, but information on their use with Thunderbird is also provided - see the relevant entries in the Contents list.

For the sake of simplicity, we'll refer to role-based accounts simply as "role accounts" in the remainder of this Guide.

Contents

  1. What is a role account?
  2. The registered keeper of a role account
  3. Who can use a role account
  4. How to apply for a role account
  5. Changing the registered keeper of a role account
  6. Getting ready to use a role account

    Using role or shared accounts with Outlook or OWA
  7. Accessing a role account or other shared account with Outlook
    Direct Access
    Delegated Access
    How to delegate access to a role or shared account
    Adding a shared account to Outlook
    Removing a shared account from Outlook
    Configuring Outlook Web App (OWA)
    What to do if it doesn't work
    IMPORTANT THINGS TO REMEMBER
    How to remove delegated access from a role or shared account

           Other useful information
       8. Making use of mail folders in a role account
       9. Password guidelines

1. What is a role account?

A role account is an account that acts as a contact point or as shared working space for use by a group of staff, whether this be for administration, research or any other group purpose. It differs from a personal account because it is associated with a role and is not tied to or associated with any particular person. However, the account must have a current member of staff as its registered "keeper" who holds responsibility for the account and its use. A role account is essentially future-proof in that it remains as it is, even if the people using it change as they leave the university or change roles.

Functionally, a role account is no different from a personal email account. The only real difference is that it is provided by IT Services for use to support a role or function rather than acting as a personal account, and - unlike personal email accounts - may be shared by authorised members of staff.

2. The registered keeper of a role account

A new role account is set up under the account management record of a member of staff.  That person is deemed to be the registered keeper of the role account, and is the person responsible for delegating access to the account, and for any issues that may arise from the use of the account.

3. Who can use a role account

Role accounts are normally available only to staff. They are not available to student groups, and students may only use them if they are doing paid work for the University or as part of a project being run by a member of staff. Any member of staff authorised by the registered keeper of the role account may access it on behalf of their staff group. How this is actually organised is the responsibility of each group.

[back to top]

4. How to apply for a role account

We recommend that you first discuss your requirements with IT Services, to determine whether or not a role account is the most appropriate solution for you. The best way to do this is to contact us at Online Support. Once this has been decided, make sure you have discussed and agreed all the necessary details of the new role account with your colleagues. Then visit the IT Services website and click the red Help button, then either (depending on the web browser you're using):

  • Enter your username and password where shown and click login, then click on the icon for a 'new role-based account', then complete the online form that appears.

    OR

  • Under How can we help?, in the Please choose... list, select Set up a role-based account.   Then enter your username and password where shown and click login, then complete the online form.

It is vital that you complete and submit the online form, because this not only records your request formally but also gives you the means to provide us with all the information we need to set up the new account.

When a role account is created, it is normally given a username (login name) beginning with grp- and ending with a number, for example grp-123 (the grp- prefix stands for 'group', as these used to be called group accounts, though their remit has now widened).  The number is allocated sequentially but has no other significance. The account will normally also be given a friendly email address, as requested by you, though some role accounts are not used for email and are not given friendly addresses. If the requested email address is already in use, we will notify you and ask you to provide an alternative. This address would normally be used for all communication with that role account, and its username would only be used by staff for logging in (signing in) to the account.

When we have created the role account, we will contact you by email to let you know the account details are ready for collection. We do not normally send account details by email, so you would normally need to call in at our Service Desk in the Shawcross Building to collect them.

[back to top]

5. Changing the registered keeper of a role account

A role account always has a registered keeper; that is, the person who is formally responsible for it. If you are leaving the University or changing role so that you will no longer have responsibility for a particular role account, it is vital that you arrange with IT Services for the account to have a new 'keeper', or refer us to someone who can arrange this. If you do not do this, we will not know who is responsible for the account, and if any mishap or misuse occurs then you may be held responsible. If you leave the University without arranging for a new keeper for the account, it will close automatically along with your personal account after you have left, and this could cause serious disruption for your former colleagues. ITS does not monitor staff changes and cannot automatically reassign ownership of role accounts when staff leave or change role.

If the registered keeper of a role account is not known, please contact IT Services to find out.

[back to top]

6. Getting ready to use a role account

It's normally necessary to make some changes in your preferred email application (Outlook etc) to allow you to access a role account or other shared account alongside your own.  It is however possible (if you have the password for a role account or shared account) to login to the account on its own, directly using Webmail (normally Outlook Web App), and no special configuration changes are needed.   The sections below describe how to prepare your preferred email application to access a given account.

7. Accessing a role account or other shared account with Outlook

There are two methods of accessing a role account's email with Outlook or Outlook Web App (OWA):

IMPORTANT NOTE:  If you wish to access another person's account, whether it be with their permission or for other operational reasons, you must first obtain formal authorisation from the Director of IT Services.  This is required by the University's Institutional Access Policy (in particular, see Appendix 1).  See also FAQ 2640 which gives Governance Office guidelines regarding delegation of email management by senior staff to assistants.

OPERATIONAL DIFFERENCES between direct and delegated access to shared accounts

The table below shows the operational differences between using a role-based or other shared account in Outlook, by means of direct access and by means of delegated access:

  Direct access
Delegated access
How access is obtained Username and password required Delegated by the account owner (no password needed)
Where sent emails are saved In the role account's Sent Items folder In your own Sent Items folder
Signatures
Can be set separately for each account used Uses your own signature
Changes to folders in the role account Seen by all those accessing the role account Seen by you only
Sender information From the role account From you 'on behalf of' the role account

 

DIRECT ACCESS

For direct access, you will need the username and password of the required account.   This must be obtained from the registered keeper ('owner') of the account and the direct access method must be agreed with them beforehand.  No-one but the registered keeper is authorised to provide you with the account's password.

You can access the account directly in Outlook Web App (OWA) with no further action needed, just by entering the account's username and password.   Otherwise, to access the account from Outlook alongside your own account, you will need to add the account to Outlook as follows:

  1. In Outlook, click on the File menu and then click on the Add Account button:

    Outlook 2013 Add Account button

  2. In the Add Account dialogue box, enter the account's username (for example grp-123, as shown in the image below) in the Your Name box, and its email address and password in the other boxes provided.  Make sure all are exactly correct (do not guess!) otherwise the procedure will not work.  Here's an example of a completed dialogue box:

    Outlook 2013: Add Account example dialogue

  3. When you've completed the required boxes, click Next.
  4. Wait for the account to complete auto-configuration, then click the Finish button:

    Outlook 2013 auto-setup completed

  5. You will be prompted to restart Outlook.  Click OK:

    Outlook 2013 restart prompt

  6. Close down and restart Outlook.  After restarting (with your own profile if prompted), when presented with a login box, click on the Use another account button:

    Outlook 2013 use other account

    Then enter your own username and password in the boxes provided.  Click the Remember my credentials box so as to allow Outlook to remember your password for next time.
    NOTE: If you are prompted again for the credentials, and you are certain you entered them correctly, try entering the credentials for the shared account instead.  It's quite common for Outlook to ask for the credentials of both accounts after you have added an extra account and restarted Outlook.

    Outlook 2013 remember credentials

  7. These steps should only be necessary the first time.  Next time you start Outlook you should no longer be prompted for a username and password for either account.  However, if the shared account's password is subsequently changed (which is desirable as a regular security precaution), you may need to repeat the above procedure.

DELEGATED ACCESS

Delegation is a means of providing named people with access to specified email accounts from their own personal email accounts, without the need to disclose the account's password.  The advantage of this method is that the accounts are more secure against unauthorised use: this is the recommended method of access.  You may only freely set up delegated access to a role-based account:  you must not set up delegated access to a personal account without first obtaining authorisation from the Director of IT Services (see also FAQ 2640).

How to delegate access to a role or shared account

This must be done by the shared account's registered keeper (owner).

For someone to be able to read and send emails in a role-based account or other shared account, they need to be given delegated access to the account.  That means the account's registered keeper (normally the only person who knows the account's password) must first provide the delegated access.  If you are the registered keeper of a role account, you may still need to run through the delegation procedure described below before you can send emails on behalf of the account (although it's possible that you will already be able to view its folders and items in Outlook):

  1. Go to the IT Services delegation page.
  2. Under the Delegating account heading, enter the username (for example grp-123) and password for the role account or other shared account in the boxes provided.
  3. Under the Permissions heading, enter the email address of the delegate (the member of staff needing access to the shared account), for example A.N.Other@sussex.ac.uk).
  4. In the Calendar, Inbox, Contacts and Tasks boxes, choose the appropriate permission levels as required.  We recommend that you accept the Editor permissions offered as standard.
  5. Under the Folders heading, ensure the Enable permissions on all folders box is ticked, so that all the shared account's folders will be available to the delegate.
  6. Click the Add delegate button and wait for the delegating process to complete.

After delegation has completed, if you are not already able to see the role account's mailbox in your Outlook account  (in some cases this will happen automatically for account keepers), then you need to add it as described below (the instructions apply to Outlook 2013 or Outlook 2010).  We recommend closing Outlook and then restarting it before making these changes.

Adding a shared account to Outlook

This must be done by the person who has been given delegated access to a shared account.  This may include the shared account's registered keeper.

First, login to your own account in Outlook.

These instructions assume the use of Outlook 2013 or 2010 (the procedure in both is almost identical).

  1. Click on the File menu, then click on the Info section on the left.
  2. Click on the Account Settings button, then click on Account Settings... in the drop-down menu.

    Outlook 2010 Account Settings


  3. In the Account Settings menu, click the E-mail tab if not already selected.
  4. Click on your account name under the Name heading, then click Change... in the row of tools above that window:

    Outlook 2010 Change account settings

  5. Click the More Settings button, then click the Advanced tab.
  6. Click the Add button, and in the Add Mailbox pop-up, enter the username for the other email account you wish to use (for example, grp-123). Then click OK.
    If more than one account is shown, select the correct one and click OK.
    The other account should now be listed under Open these additional mailboxes.  You can add more accounts if necessary, by repeating step 6.
  7. Click OK to return to the Exchange server settings window.
  8. Click Next and then click Finish, then click Close to return to the Outlook window.
    Your list of mail folders should now include a new entry: Mailbox - account (where account is the name of the extra account), ready to be opened to display the account's mailbox with its folders.
  9. It's best at this point to close Outlook and restart it, as we have found that Outlook sometimes fails to access the new account at first, and a restart usually resolves that problem.

Please read the Important things to remember section for information about sending email from a role account using delegated access.

Removing a shared account from Outlook

This needs to be done by the person who has been given delegated access to a shared account, but who no longer needs to use it.

If you no longer require access to a shared account (for example if you change role and no longer need to use the account), you should remove the account from Outlook as follows:

  1. Follow steps 1 through 5 in the Adding a shared account section shown above.
  2. In the list of accounts shown, click on the account you no longer need to access, then click the Remove button.
  3. Click OK, then click Next, then click Finish.
  4. You should now restart Outlook, after which you should find the previously shared account is no longer listed in Outlook.

Configuring Outlook Web App (OWA)

This needs to be done by the person who has been given delegated access to a shared account.  This may include the shared account's registered keeper.

Outlook Web App is limited in its ability to handle additional accounts. You can view the Inbox for a role account and send email on its behalf, but you can't view any other folders.  You may find it easier to login directly to the role account in OWA, then the steps below will not be necessary.

To view the Inbox, first delegate the appropriate permissions (see above) and then:

  1. Login to Outlook Web App and right-click (Ctrl+click on a Mac) on your account name (usually your own name) near the top in the left-hand navigation panel.
  2. Choose Open Other User's Inbox.
  3. Click on Name and lookup the role account.
  4. Double-click on it so it shows in the Select Field and click OK.
  5. Click OK again to close the window.

A reference to the other account, and its Inbox, should now appear below the list of your own folders.  Click the Inbox to open it, just as with your own folders.

What to do if it doesn't work

If the account access permissions are not correctly set then you may see a message saying that "An object could not be found".  If you believe that you have the correct access permissions but cannot open the folders, try closing and then restarting Outlook. Try also closing down your computer and restarting it. Contact IT Services for assistance if you are still unable to view or send messages.

IMPORTANT THINGS TO REMEMBER when sending email from a role account using delegated access

  • To send a New email from the role account, click Options in the New Message window, then click From Field to display a box in which to enter the email address of the role-account.  If you don't do this, the message will appear to come from your own personal account.
  • If you Reply to a message in the role account's Inbox, the reply will be sent using the role account's email address.
  • If you want to force a reply to be from your own personal email address, remove the role account's name from the From box at the top.
  • Messages sent from the role-account are copied to your own Sent Items folder, not that of the role account.  Unfortunately there is no way around this except to physically move the copied message from your own Sent Items folder to that of the role account.
  • If you want to vary the signature being used in outgoing messages, this will depend on the Mail Format you have selected.  With the recommended format it is best to select none in the Signatures section, and use the Insert menu to select the signature you want to use.   If the Insert menu does not offer Signatures, try right-clicking in the message text area to see if Signature is available there.

How to remove delegated access from a role or shared account

You can remove individuals from an account's list of delegates in Outlook 2013 or 2010 as follows:

  1. Click on the File menu, then click on the Info section on the left.
  2. Click on the Account Settings button.
  3. Click on Delegate access in the drop-down menu.
  4. In the list of delegates provided, click on the name of the person you want to remove from the list.
  5. Click the Remove button.  Allow time for the internal operations to complete.
  6. Click OK.

[back to top]

8. Making use of mail folders in a role account

Mail folders should be used to store related email in its own dedicated space, rather than all mixed together in the Inbox, and will make it much easier to handle the various types of business associated with a role account.

Name the folders according to particular tasks, activities or business in the group, so that email related to those tasks can be stored appropriately and be easier to find later.

[back to top]

9. Password guidelines

The nature of a role account, and the way it is used, emphasises the need for extra security for the account's password.

  • Keep the password secure: with the use of delegation to control access to an account using Outlook, it should not be necessary for anyone except the account's registered keeper to know its password.  If sharing the password is unavoidable, only the members of staff authorised to use the account must be given its password.
  • Only the account's registered keeper should change the account password.
  • In the absence of the registered keeper, other members of the group may change the password if it is considered necessary, but they should inform the account's keeper of this as soon as is practical.   If it's not known who the account's keeper is, contact IT Services for help.
  • If the password is forgotten the registered owner should call in at the IT Services Enquiries Desk to request a new one. They must provide proof of their identity and staff group affiliation.  In the absence of the registered keeper, another member of the group can make the request, but they must provide ITS with evidence that they are a member of the group, and the account's keeper will be notified.

[back to top]

created on 2010-01-01 by Andy Clews
last updated on 2018-03-23 by Paul Ryan