Path: Retain Server Manager > Management > Users
User and Groups Management requires the Manage users and groups or the Assign Rights administrative right.
Path: Retain Server Manager > Management > Users > Settings tab
Table 3-1 Using the Settings tab
| Field, Option, or Button | Information and/or Action |
|---|---|
| Users List | Select a user from the list. |
| User-specific Settings Panel | These settings are specific to each user. |
| Inheritable Settings from Group Panel (User context) | These settings can be inherited from the specified Configuration Group. If so, setting information, etc. displays in blue text. Settings displayed in normal text are set directly in the User account. |
| Authentication Method | If set, this option determines how a user’s input to the Retain Login Dialog is processed. There are two categories: IMPORTANT: The drop-down list displayed contains only the options appropriate for the user type. |
| blank | If no Authentication Method is selected for a given user, Retain tries to authenticate the username/password by using each method in turn until the attempt either succeeds or fails. |
| Offline Authentication Preferred | Retain first tries authenticating the username/password against the user’s encrypted credentials that were manually entered or that it cached previously. |
| Offline Authentication Exclusive | Retain only authenticates the username/password against the user’s encrypted password. No other methods are tried. |
| LDAP Authentication (GW) Preferred | IMPORTANT: You must have previously configured GW LDAP Authentication in the GroupWise module > LDAP Tab. |
| LDAP Authentication (GW) Exclusive | IMPORTANT: You must have previously configured GW LDAP Authentication in the GroupWise module > LDAP Tab. |
| SOAP Authentication (GW) Preferred | IMPORTANT: You must have previously configured GW SOAP Authentication in the GroupWise module > SOAP Tab. |
| SOAP Authentication (GW) Exclusive | IMPORTANT: You must have previously configured GW SOAP Authentication in the GroupWise module > SOAP Tab. |
| Exchange Authentication Preferred | IMPORTANT: This option is generally not recommended for Office 365 users. If you choose it, make sure you understand the caveats explained in |
| Exchange Authentication Exclusive | IMPORTANT: This option is generally not recommended for Office 365 users. If you choose it, make sure you understand the caveats explained in |
| Google IMAP Preferred | IMPORTANT: This option is generally not recommended for GSuite users. If you choose it, make sure you understand the caveats explained in |
| Google IMAP Exclusive | IMPORTANT: This option is generally not recommended for GSuite users. If you choose it, make sure you understand the caveats explained in |
| Google OpenID Connect Exclusive | This option assumes the following: When you set this option for users, the following occurs: IMPORTANT: If you don’t apply this option, your GSuite users can choose to enter a username and password (Google IMAP) rather than clicking the Login Using Google button. You are responsible to inform them that they must enter their assigned App Password rather than the password associated with the GSuite account. See |
| Microsoft OpenID Connect Exclusive | This option assumes the following: When you set this option for users, the following occurs: IMPORTANT: If you don’t apply this option, your Office 365 users can choose to enter a username and password (Exchange Authentication) rather than clicking the Login Using Office 365 button. You are responsible to inform them that they must enter their assigned App Password rather than the password associated with the Office 365 account. See |
The following points apply:
Access Rights: Users inherit the access rights assigned to each group they belong to, in addition to their explicitly assigned rights and attributes. If privilege-level differences exist between assigned groups, the highest privilege level applies.
Mailboxes: In addition to their primary mailbox, users have access to all mailboxes available to the groups that they belong to.
Inheritable Attributes: Several attributes that affect users can be assigned directly in the user’s account or inherited from a designated Configuration Group. For more information about these attributes, see Inheritable Settings from Group Panel (User context) and Inheritable Settings from Group Panel (Group context).
When an administrator-level right is granted to a user, that user sees the right in the management console when they log in to Retain. If a right that the full Administrator can view is missing from a user’s menu, that user has not been granted the right. To view and access the option, the user must be granted the missing right. If you have performed an upgrade and are missing options, check for a missing administrator right.
Control what rights you grant to the user here. Check the box to enable the right.
These are extra rights.
You don't need any of them for the user to access their mailboxes.
You do need them to do “special things”. The first admin account gets them all.
Retain first checks your assigned group, and you start with the Group Rights.
The rights you explicitly set here are added to the group rights to form the user’s effective rights.
This way, you can control users as a group and give different rights to different groups.
If you don’t have rights to an administrative option, it won’t appear on the left.
It should be clear from this screen that there is no such thing as an Administrator per se in Retain. Instead, some users simply have more rights to do more things than others. A distinction is made between Administrator-level rights (which allow a user global, system-wide power) and User-level rights, but any user can have zero or more rights in either category. The Administrator you created in the setup wizard was simply a user account with all of the Administrator-level rights granted by default.
Search all mailboxes: also grants View all Messages rights.
Publish messages: allows user to connect to Retain with the Publisher tool.
Restore messages [any mailbox]: returns message to live mailbox in Exchange, adds stub to GroupWise mailbox.
See confidential items [other mailboxes]: Allows users to view items which others have tagged as confidential.
View all messages: All messages and content in Search Messages.
View Message Content: Only the message body and attachments.
View Message Metadata: Only the properties of the message.
Manage Server: Allows user access to the Configuration section of the Retain Server and access diagnostic utilities.
Encryption Management: Generate and revoke storage encryption keys under Server Configuration | Storage.
Access Reporting and Monitoring Server
Assign Rights: Can assign rights to other users.
Access all audit logs: Enables access to the audit logs.
Deletion Manager: Access to Item and Mailbox Deletion.
Device Management: May add, remove, and edit devices.
Add, edit, remove global tag definitions: Allows manipulation of global tags in the view messages interface.
Apply or remove litigation hold: On individual users or groups.
Manage Users and Groups: Create users and groups and modify rights.
Manage Workers, Schedules, Profiles, Jobs: Control archive jobs.
NOTE: Only users with administrative rights will see the administrator’s screen on login. Non-admin users are simply forwarded to the Search Interface.
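The rule described above, that a user's effective rights are the group rights plus the rights set explicitly on the account, can be modelled for an access review. The following Python code is an added example, not Retain code: the group names, user names, sample data and the choice of which administrator-level rights to flag are constructed assumptions; only the right names come from this page.

```python
from collections import defaultdict

# Administrator-level rights named on this page that a review should justify
# per account (which ones to flag is an assumption of this example).
SENSITIVE = {"Search all mailboxes", "Assign Rights", "Deletion Manager",
             "Encryption Management", "Manage Users and Groups"}

# Constructed sample data standing in for an export of groups and users.
GROUP_RIGHTS = {
    "default": {"Forward messages", "View/Save attachments", "Print messages"},
    "helpdesk": {"Manage Users and Groups", "Access all audit logs"},
    "legal": {"Search all mailboxes", "Apply or remove litigation hold"},
}
USERS = {
    "auditor1": {"groups": ["default", "legal"], "explicit": set()},
    "tech2": {"groups": ["default", "helpdesk"], "explicit": {"Assign Rights"}},
    "clerk3": {"groups": ["default"], "explicit": set()},
}

def effective_rights(user):
    """Map each effective right to the sorted list of places it comes from."""
    sources = defaultdict(set)
    for group in user["groups"]:              # rights inherited from every group
        for right in GROUP_RIGHTS.get(group, ()):
            sources[right].add(f"group:{group}")
    for right in user["explicit"]:            # rights set directly on the account
        sources[right].add("explicit")
    # Stated on this page: Search all mailboxes also grants View all messages.
    if "Search all mailboxes" in sources:
        sources["View all messages"].add("implied:Search all mailboxes")
    return {right: sorted(src) for right, src in sources.items()}

def review(users):
    """Return (user, right, sources) for every sensitive effective right."""
    findings = []
    for name in sorted(users):
        rights = effective_rights(users[name])
        for right in sorted(SENSITIVE.intersection(rights)):
            findings.append((name, right, rights[right]))
    return findings

if __name__ == "__main__":
    for name, right, src in review(USERS):
        print(f"{name}: {right} <- {', '.join(src)}")
```

Recording the source of each right shows whether removing it means editing the account or changing a group that other users also inherit from.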
All user-level rights are strictly optional and add functionality. None are needed to access your own mailbox and other mailboxes assigned to you. The "Default" group grants Forwarding, View Attachment, and Printing rights. Note: There is no way to perfectly block printing in a web browser, so using this feature should not be taken as a 100% guarantee that users won’t be able to print. Nonetheless, for most users, it is effective. Rights marked [other mailbox] refer to other mailboxes the user has been granted rights to, as explained below for the Mailboxes tab.
Apply confidential tag [other mailboxes]
View/Save attachments
View personal audit log
Delete messages [other mailboxes]
Delete messages [own mailbox]
Export messages: Enables the export to PDF button.
Forward messages
Print messages
Read configuration (Redline)
Restore messages [own mailbox]
Apply confidential tag [own mailbox]
Add, edit, remove user tag definitions
If you are integrating with the GroupWise Reporting and Monitoring (GWRM) product, you will need to create a user account so that GWRM can log in and retrieve monitoring information. We recommend the following settings:
Account Never Expires
Offline Password Authentication is required (use exclusively, and be sure to set the password).
Read Configuration (Redline) right.
Select the mailboxes this user will be able to access in addition to their own. This allows one user to access another user’s mailbox.
You may want some users to be able to search through more than just their own mailbox. Administrators have the “Search All Mailboxes” right under User Rights, which gives them access to everything. If that is too much access for a given user, you can grant rights to individual mailboxes.
You may grant rights to some users so they can access just certain mailboxes. For example, we can give the facilities manager rights to two of his workers.
In the example above, the user has explicit rights to two mailboxes. These mailboxes can be taken away from the user simply by clicking on the red ‘X’.
Adding users to the list is done using the Address Book selector. In the criteria section, you may enter information to search for a mailbox or a set of mailboxes. The search results will appear in the Address Book section. Each listed entry has a check box you can use to select that mailbox for addition to the list. Once you are done selecting, click Add Selected Items to add those mailboxes to your list of searchable mailboxes.
This interface is utilized in various other areas, but is described here.
It shows the currently selected items at the top, and lets you delete an item by clicking the red X.
(The New Mailbox selector in the Search Interface is an exception; just choose another item)
Choose between the configured module systems
Fill out basic criteria to narrow your search results (or no criteria for the first 100)
Click Search
The results up to a maximum of 100 are displayed
The user can then page back and forth among the first 5 pages of results
Choose which of the results you want to add to the selected list
Click Add Selected Items
Notes: You can restrict to just Users (skipping Resources). You can show only recently cached items (last 10 days). The search is not case sensitive.
This option restricts the list of items shown in the selector to those with items stored within the last 10 days. In user/group management, it restricts the list to users who have logged in to the live Mail system within the last 10 days. The idea is to show only current items. If you DO want to see all items regardless of whether they’ve shown activity within the last 10 days, just uncheck this option.
Retain supports the GroupWise proxy function. To enable it, check the box in the Module Configuration section. (NOTE: using proxy is useless if the user you wish to enable this function for is set to use offline authentication – found under the core settings of the user)
NOTE: The ‘all user rights access’ in GroupWise is not supported.
This function is used to enable a user to access the mailbox of another user. For example, if user B grants the right to user A to access their mailbox in the GroupWise client, then user A can “proxy” in to user B’s mailbox.
Much the same way, if user A has proxy rights into user B’s mailbox in GroupWise, and the function is enabled in Retain, then user A may select user B’s mailbox for browsing or may search through user B’s mailbox in the Search Screen.
In Retain, it is the MAIL READ right which grants access.
Retain uses the list of available mailboxes shown in the GroupWise client to determine which mailboxes will be made available to the logged in user (user A in our example). Thus, it is important that user A has logged into user B’s mailbox as proxy using the GroupWise client before doing this in Retain. While user B might have granted the rights to user A, if user A has not yet logged in as proxy to user B’s mailbox with GroupWise, then user B will not appear in user A’s list of available accounts to proxy into.
Retain checks these proxy rights the first time you access a proxy user’s mailbox, then caches the information for 7 days as configured in the server Configuration – Miscellaneous tab. (Default is 7 days.)
If you have access to another mailbox by virtue of GroupWise proxy, then you will see that mailbox appear in the mailbox selector in the search screen or you may search through that mailbox as well.
The primary purpose of a user account is to store their preferences, rights, mailboxes to which they have access, and authentication information.
Retain allows two types of users:
Associated Messaging System Users: Retain adds these in conjunction with archiving their message content.
These users authenticate to Retain using their messaging system credentials. For example, GroupWise users authenticate using SOAP, Exchange users authenticate using Active Directory credentials.
Retain-Only Users: You create these in Retain, independent of any message system.
These users authenticate using what Retain calls an Offline Password, which you create for them. Offline means that no connection to a separate system is required for authentication.
Initially, both of these user types belong only to the group named default, but you can add them to other groups that you create as needed.
You can allow users to search through the Retain archives who are not part of the mail system, such as an independent auditor, a lawyer, or a user that has been deleted from the system.
Offline passwords are stored in Retain’s control database.
How a user authenticates has no bearing on their access rights within Retain. An administrator who possesses the Assign Rights administrative right can assign all pertinent rights to any user on the system.
Users can be assigned access to more than one mailbox. Retain-only users must be given access permissions for at least one mailbox to perform searches. Users who are assigned “Search All Mailboxes” rights have access to all users’ mailboxes.
NOTE: GroupWise Proxy support only works for users who authenticate via the GroupWise SOAP protocol.
Click the “Add User” button.
Enter a new user name and then fill out the options under each tab.
When you are done, click the save changes disk icon at the upper right.