7.1 Users

User and Rights Management in Retain includes:

  • Creating, deleting, and editing users

  • Allowing new user accounts, and restricting specific ones from being created

  • User expiration

  • Assigning users to groups, to conveniently grant rights or set initial settings on a multiple user basis

  • Granting access to mailboxes other than the user's personal mailbox

  • Changing the specific functions the user can perform

To access User and Groups Management, the user logging in needs the “Manage users and groups” administrative right.

7.1.1 Creating Users

The primary purpose of a user account is to store the user's preferences, rights, the mailboxes to which they have access, and their authentication information.

Users come from one of two places:

  • They may be valid message system users logging in with their message system credentials

    • GroupWise users are authenticated via SOAP and Exchange users via Active Directory; Retain checks the login credentials with GroupWise or Exchange

    • These users initially belong to the group “default”. You may change this later

    • You may restrict such users (prevent them from logging in)

  • Users may be created in Retain independently of any message system

    • Users created in Retain do not need to have a message system account

    • Users who do not exist in the message system authenticate with the offline password (see 7.1.2)

7.1.2 Offline Password

There are, however, occasions when you might want someone who is not part of the mail system to search the Retain archives: an independent auditor, a lawyer, a user deleted from the live system, and so on.

For this reason, Retain has an offline password system. These passwords are stored in Retain’s control database. Retain does not care how a user authenticates: whether offline, via SOAP for GroupWise, Exchange, or LDAP, the same rights can be assigned. An administrator who holds the “Manage Users and Groups” administrative right can assign any of these rights.

Users may also be assigned access to more than one mailbox. Offline users will need to be given access to at least one mailbox to perform searches. Users who are assigned the “Search All Mailboxes” right have access to every user’s mailbox; it is an administrator-level right (see 7.1.6), so grant it only where that scope is intended.

GroupWise Proxy support only works for users who authenticate via GroupWise SOAP protocol.

7.1.3 Creating a new user

  1. Begin by clicking on the “Add User” button

  2. Enter a new user name and then fill out the options under each tab

  3. When you are done, click the save changes disk icon at the upper right

All previously created users are listed and can be edited or removed: click a user to edit its values, or click the Remove User button to delete it.

7.1.4 Core Settings

Authentication method

  • SOAP (for GroupWise users)

    • GroupWise users logging in are authenticated using SOAP

    • These users are automatically entered into Retain’s user list

  • Exchange (SOAP for Exchange). Exchange users are authenticated via SOAP for Exchange and are added to Retain’s user list

  • Offline Password (credentials stored within Retain; any type of user)

  • Google IMAP. Google users are authenticated through IMAP against the Google system

  • LDAP authentication. LDAP authentication must first be set up under Server Configuration | Accounts tab

  • You may lock a user account so it can only use one type of authentication (“exclusive”)

    • If “exclusive” is not checked, Retain tries the selected method and then the other. For an account that also has an offline password, that password is then a second, independent way in, outside the mail system’s password policy; set “exclusive” on accounts that should only ever authenticate one way

Primary UID

  • Offline-only accounts usually won’t have one

  • The initial admin account is set to use offline authentication exclusively, so it never has one

Group Membership

  • Default is “default”

  • Create groups under “Groups” and they will appear as choices here

  • Users may belong to one and only one group. From an assigned group, additional rights, mailboxes, and initial settings may be inherited

Account Expiration

  • Check this box if this user’s account should never expire. Useful for administrator accounts

  • By default, accounts never expire (the server-wide value is 0 = never), but this can be changed in Server Configuration

Offline Password

  • If you use this authentication method, set the password here

  • May be changed as needed

  • You can prevent the user from changing it themselves

  • Passwords are always stored in an encrypted format, never in clear text

Default Language

  • Choose which language will be used in the Search Interface for this user

Disable account

  • This lets the admin pick a date from which the account will no longer be allowed to log in; the account itself is not deleted
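The interaction of the Core Settings above (authentication method, the “exclusive” flag, the offline password and the disable date) is easiest to see in code. The following is an added example written for this page, not Retain’s own code: the class and function names (AuthMethod, UserAccount, authenticate, methods_to_try), the PBKDF2 hashing of the offline password, the reading of “try one, then the other” as configured method first and offline password second, and the sample users are all assumptions made for the illustration.

```python
"""Added example (not Retain's code): a model of the per-user Core Settings,
showing how the authentication method, the 'exclusive' flag, the offline
password and the disable date combine at login.  All names here
(AuthMethod, UserAccount, authenticate, ...) and the sample data are
assumptions made for the illustration."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Callable, Dict, List, Optional


class AuthMethod(Enum):
    SOAP = "SOAP (GroupWise)"
    EXCHANGE = "SOAP for Exchange"
    GOOGLE_IMAP = "Google IMAP"
    LDAP = "LDAP"
    OFFLINE = "Offline Password"


# A backend answers "does the live mail system accept these credentials?"
Backend = Callable[[str, str], bool]


@dataclass
class UserAccount:
    name: str
    method: AuthMethod                    # method chosen under Core Settings
    exclusive: bool = True                # lock the account to that method
    disabled_from: Optional[date] = None  # "Disable account" date, if any
    offline_salt: Optional[bytes] = None
    offline_hash: Optional[bytes] = None

    def set_offline_password(self, password: str) -> None:
        # The page only says the password is never stored in clear text; a
        # salted PBKDF2-HMAC-SHA256 hash is this example's own assumption.
        self.offline_salt = os.urandom(16)
        self.offline_hash = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self.offline_salt, 200_000)

    def check_offline_password(self, password: str) -> bool:
        if self.offline_hash is None:
            return False  # no offline password set: offline login impossible
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self.offline_salt, 200_000)
        return hmac.compare_digest(candidate, self.offline_hash)


def methods_to_try(user: UserAccount) -> List[AuthMethod]:
    """An exclusive account gets exactly one method.  Otherwise Retain 'tries
    one, then the other'; this model reads that as the configured method
    first, then the offline password."""
    if user.exclusive or user.method is AuthMethod.OFFLINE:
        return [user.method]
    return [user.method, AuthMethod.OFFLINE]


def authenticate(user: UserAccount, password: str,
                 backends: Dict[AuthMethod, Backend],
                 today: date) -> Optional[AuthMethod]:
    """Return the method that accepted the login, or None if it was refused."""
    if user.disabled_from is not None and today >= user.disabled_from:
        return None  # disabled (not deleted): no method is consulted
    for method in methods_to_try(user):
        if method is AuthMethod.OFFLINE:
            if user.check_offline_password(password):
                return method
        else:
            backend = backends.get(method)
            if backend is not None and backend(user.name, password):
                return method
    return None


# Constructed sample data: a stand-in for the GroupWise SOAP credential check.
def fake_groupwise(name: str, password: str) -> bool:
    return (name, password) == ("alice", "gw-secret")

BACKENDS: Dict[AuthMethod, Backend] = {AuthMethod.SOAP: fake_groupwise}


def demo() -> Dict[str, Optional[AuthMethod]]:
    today = date(2024, 6, 1)
    alice = UserAccount("alice", AuthMethod.SOAP, exclusive=False)
    alice.set_offline_password("side-door")
    bob = UserAccount("bob", AuthMethod.SOAP, exclusive=True)
    bob.set_offline_password("side-door")
    auditor = UserAccount("auditor", AuthMethod.OFFLINE,
                          disabled_from=date(2024, 1, 1))
    auditor.set_offline_password("audit-pw")
    return {
        "alice_gw": authenticate(alice, "gw-secret", BACKENDS, today),
        # GroupWise rejects "side-door", but the non-exclusive account falls
        # back to the offline password: a second credential that GroupWise's
        # password policy and lockout never see.
        "alice_offline": authenticate(alice, "side-door", BACKENDS, today),
        "bob_offline": authenticate(bob, "side-door", BACKENDS, today),
        "auditor": authenticate(auditor, "audit-pw", BACKENDS, today),
    }
```

Calling demo() shows the point of the “exclusive” flag: alice, whose account is not exclusive, is accepted by GroupWise with her real password and also by Retain alone with her offline password, while bob, locked to SOAP, is refused with the same offline password, and the disabled auditor account is refused before any method is consulted.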

7.1.5 User Rights

When an administrator-level right is granted to a user, that user sees the corresponding option in the management console when they log in to Retain. If an option that the full Administrator can see is missing from a user’s menu, that user lacks the corresponding right; grant it to make the option visible. If you have performed an upgrade and options are missing, check for a missing administrator right.

  • Control what rights you grant to the user here. Check the box to enable the right

  • These are extra rights

    • You don't need any of them for the user to access their mailboxes

    • You do need them to do “special things”. The first admin account gets them all

  • Retain first applies the rights of the user’s assigned group; the user starts with the Group Rights

  • The rights you explicitly set here are added to the group rights to form the user’s effective rights, so a user never has fewer rights than their group

  • This way, you can control users as a group and give different rights to different groups

  • If you don’t have rights to an administrative option, it won’t appear on the left

It should be clear from this screen that there is no such thing as an Administrator per se in Retain. Instead, some users simply have more rights to do more things than others. A distinction is made between Administrator level rights (which allow a user global system wide power) and User level rights, but any user can have zero or more rights in either category. The Administrator you created in the setup wizard was simply a user account with all of the Administrator level rights granted by default.

7.1.6 User Rights Summary

Administrator-level rights

  • Search all mailboxes: also grants View all Messages rights.

  • Publish messages: allows user to connect to Retain with the Publisher tool.

  • Restore messages [any mailbox]: returns message to live mailbox in Exchange, adds stub to GroupWise mailbox.

  • See confidential items [other mailboxes]: Allows users to view items which others have tagged as confidential

  • View all messages: All messages and content in Search Messages.

    • View Message Content: Only the message body and attachments.

    • View Message Metadata: Only the properties of the message.

  • Manage Server: Allows the user access to the Configuration section of the Retain Server and to the diagnostic utilities.

    • Encryption Management: Generate and revoke storage encryption keys under Server Configuration | Storage.

  • Access Reporting and Monitoring Server

  • Assign Rights: Can assign rights to other users.

  • Access all audit logs: Enables access to the audit logs.

  • Deletion Manager: Access to Item and Mailbox Deletion.

  • Device Management: May add, remove, and edit devices.

  • Add, edit, remove global tag definitions: Allows manipulation of global tags in the view messages interface.

  • Apply or remove litigation hold: On individual users or groups.

  • Manage Users and Groups: Create users and groups and modify rights.

  • Manage Workers, Schedules, Profiles, Jobs: Control archive jobs.

NOTE: Only users with administrative rights will see the administrator’s screen on login. Non-admin users are simply forwarded to the Search Interface.

7.1.7 User-level rights

All user-level rights are strictly optional and add functionality. None are needed to access your own mailbox or the other mailboxes assigned to you. The “Default” group grants the Forwarding, View Attachment, and Printing rights.

Note: There is no way to perfectly block printing in a web browser, so withholding the Print right should not be taken as a 100% guarantee that users won’t be able to print. Nonetheless, for most users, it is effective.

Rights marked [other mailboxes] refer to the other mailboxes the user has been granted access to, as explained below under the Mailboxes tab.

  • Apply confidential tag [other mailboxes]

  • View/Save attachments

  • View personal audit log

  • Delete messages [other mailboxes]

  • Delete messages [own mailbox]

  • Export messages: Enables the export to PDF button.

  • Forward messages

  • Print messages

  • Read configuration (Redline)

  • Restore messages [own mailbox]

  • Apply confidential tag [own mailbox]

  • Add, edit, remove user tag definitions

The Read Configuration right (Redline Integration)

If you are integrating with GWAVA’s Redline monitoring product, you will need to create a user account so that Redline can log in and retrieve monitoring information. We recommend the following settings:

  • Account Never Expires

  • Offline Password Authentication is required. (use exclusively) (be sure to set the password)

  • Read Configuration (Redline) right.

Mailboxes

Select the mailboxes this user will be able to access in addition to their own.

Often, you will want some users to be able to search through more than just their own mailbox. Administrators can have “Search All Mailboxes” as a right, which gives them access to everything. This section allows you to give a user a far more selective set of mailboxes for searching.

The mailboxes to which the user has explicit rights are listed on this tab. A mailbox can be taken away from the user simply by clicking the red ‘X’ next to it.

Adding mailboxes to the list is done using the Address Book selector. In the criteria section, you may enter information to search for a mailbox or a set of mailboxes. The search results appear in the Address Book section. Each listed entry has a check box you can use to select that mailbox for addition to the list. Once you are done selecting, click Add Selected Items to add those mailboxes to the user’s list of searchable mailboxes.

7.1.8 Address Book Selector

This interface is used in several other areas of Retain; it is described here once.

It shows the currently selected items at the top, and lets you delete an item by clicking the red X.

(The New Mailbox selector in the Search Interface is an exception; just choose another item)

Adding Mailboxes

  1. Choose which of the configured message system modules to search

  2. Fill out basic criteria to narrow your search results (or no criteria for the first 100)

  3. Click Search

  4. The results up to a maximum of 100 are displayed

  5. The user can then page back and forth among the first 5 pages of results

  6. Choose which of the results you want to add to the selected list

  7. Click Add Selected Items

Notes: You can restrict to just Users (skipping Resources). You can show only recently cached items (last 10 days). The search is not case sensitive.

About “Show only recently cached items”

This option restricts the list of items shown in the selector to those with items stored within the last 10 days. In user/group management, it restricts the list to users who have logged in to the live Mail system within the last 10 days. The idea is to show only current items. If you DO want to see all items regardless of whether they’ve shown activity within the last 10 days, just uncheck this option.

Miscellaneous Tab

This tab contains settings that mainly govern the way the Search Interface works for the selected user.

Note that the user can change any of these settings by using the User Options tab in the Search interface.

  • Comment: Default comment for forwarding messages

  • Date/Time Format: How you want your dates and times to be displayed

  • Display Number: How many items to display per page

  • Forward Messages: Automatically append the specified address to forwarded messages

  • Message Age Display: Default date filter for searching. May be changed on the fly

  • Message HTML View: Have Retain display HTML messages by default, when available

  • Session Timeout: Inactive session timeout. Can be between 5 and 60 minutes

7.1.9 GroupWise Proxy Support

Retain supports the GroupWise proxy function. To enable it, check the box in the Module Configuration section. (NOTE: enabling proxy has no effect for a user who is set to use offline authentication, found under the user’s Core Settings, because proxy support only works with GroupWise SOAP authentication.)

NOTE: The ‘all user rights access’ in GroupWise is not supported.

This function is used to enable a user to access the mailbox of another user. For example, if user B grants the right to user A to access their mailbox in the GroupWise client, then user A can “proxy” in to user B’s mailbox.

Much the same way, if user A has proxy rights into user B’s mailbox in GroupWise, and the function is enabled in Retain, then user A may select user B’s mailbox for browsing or may search through user B’s mailbox in the Search Screen.

In Retain, it is the GroupWise MAIL READ proxy right which grants access.

Retain uses the list of available proxy mailboxes shown in the GroupWise client to determine which mailboxes will be made available to the logged-in user (user A in our example). It is therefore important that user A has logged in to user B’s mailbox as proxy using the GroupWise client before doing so in Retain. While user B might have granted the rights to user A, if user A has not yet logged in as proxy to user B’s mailbox with GroupWise, then user B will not appear in user A’s list of available accounts to proxy into.

Retain checks these proxy rights the first time you access a proxy user’s mailbox, then caches the result for the period configured in Server Configuration | Miscellaneous (default 7 days). A proxy right that is revoked in GroupWise therefore remains usable in Retain until the cached entry expires.

If you have access to another mailbox by virtue of GroupWise proxy, then you will see that mailbox appear in the mailbox selector in the search screen or you may search through that mailbox as well.
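The access decision described across 7.1.5 and 7.1.6 (group rights plus explicit rights, with “Search all mailboxes” implying “View all messages”), the Mailboxes tab of 7.1.7 and the proxy cache of 7.1.9 can be put together in one model. The following is an added example written for this page, not Retain’s own code: the names (Group, User, ProxyCache, effective_rights, can_search_mailbox), the order in which the sources are consulted, the representation of the cache, and the sample users and proxy grants are all assumptions made for the illustration. The 7-day lifetime is the page’s stated default.

```python
"""Added example (not Retain's code): one model of how the group and
explicit rights of 7.1.5-7.1.6, the Mailboxes tab of 7.1.7 and the
GroupWise proxy cache of 7.1.9 combine into a single 'may this user search
that mailbox?' decision.  Names (Group, User, ProxyCache,
can_search_mailbox, ...) and the sample users are assumptions made for
the illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, FrozenSet, Optional, Set, Tuple

# The page states that 'Search all mailboxes' also grants 'View all messages'.
IMPLIED_RIGHTS = {"Search all mailboxes": {"View all messages"}}

# Default lifetime of a cached proxy lookup (Server Configuration | Miscellaneous).
PROXY_CACHE_TTL = timedelta(days=7)


@dataclass
class Group:
    name: str
    rights: Set[str] = field(default_factory=set)
    mailboxes: Set[str] = field(default_factory=set)


@dataclass
class User:
    name: str
    group: Group                                      # exactly one group
    rights: Set[str] = field(default_factory=set)     # User Rights tab
    mailboxes: Set[str] = field(default_factory=set)  # Mailboxes tab
    auth_method: str = "SOAP"


def effective_rights(user: User) -> FrozenSet[str]:
    """Group rights first, the user's explicit rights added on top (rights are
    only ever added, never removed), then any implied rights."""
    rights = set(user.group.rights) | user.rights
    for right in list(rights):
        rights |= IMPLIED_RIGHTS.get(right, set())
    return frozenset(rights)


class ProxyCache:
    """Proxy rights are asked of GroupWise on first access and then cached for
    PROXY_CACHE_TTL, so a proxy revoked in GroupWise stays usable in Retain
    until the cached entry expires."""

    def __init__(self, lookup: Callable[[str, str], bool]) -> None:
        self._lookup = lookup  # (user, mailbox) -> has the MAIL READ proxy right?
        self._entries: Dict[Tuple[str, str], Tuple[bool, datetime]] = {}

    def has_proxy(self, user: str, mailbox: str, now: datetime) -> bool:
        entry = self._entries.get((user, mailbox))
        if entry is None or now - entry[1] >= PROXY_CACHE_TTL:
            entry = (self._lookup(user, mailbox), now)
            self._entries[(user, mailbox)] = entry
        return entry[0]


def can_search_mailbox(user: User, mailbox: str,
                       proxies: ProxyCache, now: datetime) -> Optional[str]:
    """Return the source that grants access to `mailbox`, or None."""
    if mailbox == user.name:
        return "own mailbox"
    if "Search all mailboxes" in effective_rights(user):
        return "Search all mailboxes"
    if mailbox in user.mailboxes | user.group.mailboxes:
        return "Mailboxes tab"
    # Proxy support only works for users who authenticate via GroupWise SOAP.
    if user.auth_method == "SOAP" and proxies.has_proxy(user.name, mailbox, now):
        return "GroupWise proxy"
    return None


def demo() -> Dict[str, object]:
    # Constructed sample data: proxy grants currently set in GroupWise.
    grants = {("alice", "bob")}
    cache = ProxyCache(lambda u, m: (u, m) in grants)
    default = Group("default", rights={"Forward messages", "Print messages",
                                       "View/Save attachments"})
    auditors = Group("auditors", rights={"Search all mailboxes"})
    alice = User("alice", default, rights={"Export messages"})
    carol = User("carol", auditors, auth_method="Offline Password")
    t0 = datetime(2024, 6, 1, 9, 0)
    out: Dict[str, object] = {}
    out["alice_rights"] = effective_rights(alice)
    out["carol_view_all"] = "View all messages" in effective_rights(carol)
    out["alice_bob_day0"] = can_search_mailbox(alice, "bob", cache, t0)
    grants.clear()  # bob revokes alice's proxy right in GroupWise
    out["alice_bob_day3"] = can_search_mailbox(alice, "bob", cache,
                                               t0 + timedelta(days=3))
    out["alice_bob_day8"] = can_search_mailbox(alice, "bob", cache,
                                               t0 + timedelta(days=8))
    out["carol_bob"] = can_search_mailbox(carol, "bob", cache, t0)
    out["alice_dave"] = can_search_mailbox(alice, "dave", cache, t0)
    return out
```

Running demo() shows the two points a practitioner cares about: carol, whose group carries only “Search all mailboxes”, can read bob’s mailbox and also holds “View all messages” without it ever being ticked; and alice keeps proxy access to bob’s mailbox for three days after bob revokes it in GroupWise, losing it only once the cached entry is older than the 7-day lifetime. Shortening that lifetime in Server Configuration | Miscellaneous narrows the window at the cost of more GroupWise lookups.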