3.1 Users

Path: Retain Server Manager > Management > Users

User and Groups Management requires the Manage users and groups or the Assign Rights administrative right.

3.1.1 Settings Tab

Path: Retain Server Manager > Management > Users > Settings tab

Table 3-1 Using the Settings tab

Field, Option, or Button

Information and/or Action

Users List

Select a user from the list.

  • Add User button

  • Remove User and Remove Multiple Users buttons

  • Click to remove users. In the case of users imported from messaging systems, those systems are unaffected.

User-specific Settings Panel

These settings are specific to each user.

  • Description

  • Optional information about the user.

  • Primary UID

  • Offline-only accounts usually won't have this.

  • The initial admin account is set to use offline authentication exclusively, so it doesn’t have this.

  • Expire Account

  • This lets the admin set a date when the account will no longer be allowed to log in. When an account expires, the account is not removed from Retain.

  • List of groups

  • Default is default.

  • Create groups under Groups and they appear as choices here.

  • If you choose to assign users to multiple groups, make sure you understand the explanation in When Users Belong to Multiple Groups.

  • If a listed group displays in red text, that group has been designated as the Default Configuration group for the user.

  • Remove Group button

  • Click this to remove the selected group.

    When the change is saved, the user no longer inherits privileges from this group.

  • Add Groups button

  • Click this to display a list of groups.

    Select one or more groups and click OK.

    The user then inherits privileges from the additional groups. Additionally, the groups that are added are eligible to be selected as the Configuration Group for the user.

Inheritable Settings from Group Panel (User context)

These settings can be inherited from the specified Configuration Group. If so, setting information, etc. displays in blue text.

Settings displayed in normal text are set directly in the User account.

  • Configuration Group

  • Initially, no group appears in this field, which means that the default group settings are available to be inherited.

    You can select one group from the groups assigned to this user in the User-specific panel (above).

    The settings under Inheritable Settings from Group Panel (Group context) are then available to be inherited by the user by selecting the empty slot at the top of each drop-down list.

    Alternatively, any of the other selectable settings will override the Configuration Group’s setting if they are specifically selected.

  • Enable Multi-factor Authentication

IMPORTANT: This option only appears for GroupWise and on-prem Exchange users.

  • This must be Enabled for MFA to work for this user.

  • You can enable the option here, or you can enable it in the user’s designated Configuration Group.

  • Authentication Method

  • You can have the user inherit this setting from a specified Configuration Group, or you can set it to one of the values in the drop-down list, as follows:

    • Offline Authentication: Credentials stored within Retain, any type of user

      • If you use this authentication method, store the password here.

      • It can be changed as needed.

      • You can prevent users from changing it.

      • Passwords are always stored in an encrypted format - never in clear text.

    • LDAP Authentication (GW): Must be set up in the GroupWise module > LDAP Tab.

    • SOAP Authentication (GW): Users are automatically entered into Retain's user list

    • Exchange Authentication: Users are automatically entered into Retain's user list

    • Google IMAP: Google users are authenticated through IMAP to the Google system

    • Use Exclusively: Allows the user to use only one type of authentication. If this setting is not checked, Retain tries one authentication method and, if that is unsuccessful, tries another.

  • Language

  • The language used in the search interface for this user.

    You can have the user inherit this setting from the specified Configuration Group, or you can set it to one of the values in the drop-down list.

  • Change Internal Password

  • If Allow User to Change Password is set to yes, the user can reset the password in Retain.

  • Forwarded Messages Comment

  • The default comment for forwarding messages.

    You can have the user inherit this setting from the specified Configuration Group, or you can set it to one of the values in the drop-down list.

  • Forwarded Messages Internet Domain

  • Automatically append the specified address to forwarded messages.

    You can have the user inherit this setting from the specified Configuration Group, or you can set it to one of the values in the drop-down list.

  • Date Display Format

  • How to display dates.

    You can have the user inherit this setting from the specified Configuration Group, or you can set it to one of the values in the drop-down list.

  • Time Display Format

  • How to display time.

    You can have the user inherit this setting from the specified Configuration Group, or you can set it to one of the values in the drop-down list.

  • Display Number of Messages Per Page

  • How many items to display per page.

    You can have the user inherit this setting from the specified Configuration Group, or you can set it to one of the values in the drop-down list.

  • Message Age Display

  • Default date filter for searching. Can be changed on the fly.

    You can have the user inherit this setting from the specified Configuration Group, or you can set it to one of the values in the drop-down list.

  • View Message Format

  • Whether to display HTML format when possible or always display text regardless of actual format.

    You can have the user inherit this setting from the specified Configuration Group, or you can set it to one of the values in the drop-down list.

  • Session Timeout (Minutes)

  • A value between 10 and 480 minutes.

    You can have the user inherit this setting from the specified Configuration Group, or you can set it to one of the values in the drop-down list.
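The inheritance rule in this panel, modeled as an added example (not Retain code or a Retain API): a value set directly on the user wins, the empty slot inherits from the Configuration Group, and with no Configuration Group selected the default group applies. The users, groups, key names and the 60-minute review threshold are constructed assumptions, and the sample users are assumed to be GroupWise or on-prem Exchange users so that the MFA option applies.

```python
# Model of the inheritance rule described above; all data is constructed.
INHERIT = None  # the "empty slot" at the top of a drop-down list

# Constructed group settings; "default" is the group every user starts in.
GROUPS = {
    "default":  {"mfa_enabled": False, "session_timeout": 30},
    "auditors": {"mfa_enabled": True,  "session_timeout": 15},
}

# Constructed users. config_group=None means no Configuration Group selected.
USERS = {
    "alice": {"groups": ["default", "auditors"], "config_group": "auditors",
              "settings": {"mfa_enabled": INHERIT, "session_timeout": 480}},
    "bob":   {"groups": ["default"], "config_group": None,
              "settings": {"mfa_enabled": INHERIT, "session_timeout": INHERIT}},
    "carol": {"groups": ["default", "auditors"], "config_group": "auditors",
              "settings": {"mfa_enabled": False, "session_timeout": INHERIT}},
}

def effective_setting(user, key):
    """Return (value, source) for one inheritable setting."""
    u = USERS[user]
    value = u["settings"].get(key, INHERIT)
    if value is not INHERIT:
        return value, "user"              # set directly: overrides the group
    group = u["config_group"] or "default"
    if group not in u["groups"]:          # must be one of the user's groups
        raise ValueError(f"{group} is not assigned to {user}")
    return GROUPS[group][key], f"group:{group}"

def audit(max_timeout=60):
    """List (user, finding, source) so a reviewer knows where to fix it."""
    findings = []
    for name in sorted(USERS):
        mfa, mfa_src = effective_setting(name, "mfa_enabled")
        timeout, t_src = effective_setting(name, "session_timeout")
        if not 10 <= timeout <= 480:      # range stated for Session Timeout
            findings.append((name, "session timeout out of range", t_src))
        if not mfa:
            findings.append((name, "MFA disabled", mfa_src))
        if timeout > max_timeout:         # assumed local policy threshold
            findings.append((name, f"session timeout {timeout} min", t_src))
    return findings
```

The source column separates a finding that is fixed once in the group from one that needs a change on the individual account.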

When Users Belong to Multiple Groups

The following points apply:

  • Access Rights: Users inherit the access rights assigned to each group they belong to, in addition to their explicitly assigned rights and attributes. If privilege-level differences exist between assigned groups, the highest privilege level applies.

  • Mailboxes: In addition to their primary mailbox, users have access to all mailboxes available to the groups that they belong to.

  • Inheritable Attributes: Several attributes that affect users can be assigned directly in the user’s account or inherited from a designated Configuration Group. For more information about these attributes, see Inheritable Settings from Group Panel (User context) and Inheritable Settings from Group Panel (Group context).

3.1.2 User Rights Tab

When an administrator-level right is granted to a user, that user sees the right in the management console when they log in to Retain. If an option that the full Administrator can see is missing from a user’s menu, the user lacks the corresponding right and must be granted it to view and use that option. If you have performed an upgrade and are missing options, check for a missing administrator right.

  • Control what rights you grant to the user here. Check the box to enable the right.

  • These are extra rights

    • You don't need any of them for the user to access their mailboxes

    • You do need them to do “special things”. The first admin account gets them all

  • Retain first checks your assigned group and you start with the Group Rights

  • The rights you explicitly set here are added to the group rights for the user’s effective rights

  • This way, you can control users as a group and give different rights to different groups

  • If you don’t have rights to an administrative option, it won’t appear on the left

It should be clear from this screen that there is no such thing as an Administrator per se in Retain. Instead, some users simply have more rights to do more things than others. A distinction is made between Administrator level rights (which allow a user global system wide power) and User level rights, but any user can have zero or more rights in either category. The Administrator you created in the setup wizard was simply a user account with all of the Administrator level rights granted by default.

Administrator-level Rights

  • Search all mailboxes: also grants View all Messages rights.

  • Publish messages: allows user to connect to Retain with the Publisher tool.

  • Restore messages [any mailbox]: returns message to live mailbox in Exchange, adds stub to GroupWise mailbox.

  • See confidential items [other mailboxes]: Allows users to view items which others have tagged as confidential

  • View all messages: All messages and content in Search Messages.

    • View Message Content: Only the message body and attachments.

    • View Message Metadata: Only the properties of the message.

  • Manage Server: Allows user access to the Configuration section of the Retain Server and access diagnostic utilities.

    • Encryption Management: Generate and revoke storage encryption keys under Server Configuration | Storage.

  • Access Reporting and Monitoring Server

  • Assign Rights: Can assign rights to other users.

  • Access all audit logs: Enables access to the audit logs.

  • Deletion Manager: Access to Item and Mailbox Deletion.

  • Device Management: May add, remove, and edit devices.

  • Add, edit, remove global tag definitions: Allows manipulation of global tags in the view messages interface.

  • Apply or remove litigation hold: On individual users or groups.

  • Manage Users and Groups: Create users and groups and modify rights.

  • Manage Workers, Schedules, Profiles, Jobs: Control archive jobs.

NOTE: Only users with administrative rights will see the administrator’s screen on login. Non-admin users are simply forwarded to the Search Interface.

User-level Rights

All user-level rights are strictly optional, and add functionality. None are needed to access your own mailbox and other mailboxes assigned to you. The "Default" group grants Forwarding, View Attachment, and Printing rights. Note: There is no way to perfectly block printing in a web browser, so using this feature should not be taken as a 100% guarantee that users won’t be able to print. Nonetheless, for most users, it is effective. Rights marked [other mailbox] refer to other mailboxes the user has been granted rights to, as explained below for the Mailboxes tab.

  • Apply confidential tag [other mailboxes]

  • View/Save attachments

  • View personal audit log

  • Delete messages [other mailboxes]

  • Delete messages [own mailbox]

  • Export messages: Enables the export to PDF button.

  • Forward messages

  • Print messages

  • Read configuration (Redline)

  • Restore messages [own mailbox]

  • Apply confidential tag [own mailbox]

  • Add, edit, remove user tag definitions
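The effective-rights rule from this section and from When Users Belong to Multiple Groups, modeled as an added example (not Retain code or a Retain API): a user's effective rights are the rights of every assigned group plus the rights ticked on the User Rights tab. The users, the helpdesk and legal groups, and the choice of which rights to review first are constructed assumptions; the right names are taken from the lists above.

```python
# Model of the rights rule described above; users and groups are constructed.
ADMIN_RIGHTS = {
    "Search all mailboxes", "Publish messages", "Restore messages [any mailbox]",
    "See confidential items [other mailboxes]", "View all messages",
    "View Message Content", "View Message Metadata",
    "Manage Server", "Encryption Management",
    "Access Reporting and Monitoring Server", "Assign Rights",
    "Access all audit logs", "Deletion Manager", "Device Management",
    "Add, edit, remove global tag definitions",
    "Apply or remove litigation hold", "Manage Users and Groups",
    "Manage Workers, Schedules, Profiles, Jobs",
}
# Rights a reviewer might look at first (an assumption of this example).
SENSITIVE = {"Assign Rights", "Manage Users and Groups", "Deletion Manager",
             "Search all mailboxes", "Encryption Management"}

GROUP_RIGHTS = {   # constructed; "default" matches the rights named above
    "default":  {"Forward messages", "View/Save attachments", "Print messages"},
    "helpdesk": {"Manage Users and Groups"},
    "legal":    {"Search all mailboxes", "Apply or remove litigation hold"},
}
USERS = {          # constructed: (groups, rights ticked on the User Rights tab)
    "dave":  (["default"], set()),
    "erin":  (["default", "helpdesk"], {"Assign Rights"}),
    "frank": (["default", "legal"], {"Export messages"}),
}

def effective_rights(user):
    """Union of explicit rights and the rights of every assigned group."""
    groups, explicit = USERS[user]
    rights = set(explicit)
    for group in groups:
        rights |= GROUP_RIGHTS[group]
    if "Search all mailboxes" in rights:   # "also grants View all Messages"
        rights.add("View all messages")
    return rights

def review():
    """Per user: landing page, sensitive rights, admin rights not set directly."""
    report = {}
    for user, (_, explicit) in USERS.items():
        admin = effective_rights(user) & ADMIN_RIGHTS
        report[user] = {
            "lands_on": "admin console" if admin else "Search Interface",
            "sensitive": sorted(admin & SENSITIVE),
            "inherited": sorted(admin - explicit),
        }
    return report
```

The inherited list shows administrator-level rights that will not appear as ticked on the user's own User Rights tab, which is where a per-user review tends to miss them.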

The Read Configuration right (GroupWise Reporting and Monitoring Integration)

If you are integrating with the GroupWise Reporting and Monitoring (GWRM) product, you will need to create a user account so that GWRM can log in and retrieve monitoring information. We recommend the following settings:

  • Account Never Expires

  • Offline Password Authentication is required (Use Exclusively; be sure to set the password).

  • Read Configuration (Redline) right.

3.1.3 Mailboxes Tab

Select the mailboxes this user will be able to access in addition to their own. This allows one user to access another user’s mailbox.

Granting Rights to All Mailboxes

You may want some users to be able to search through more than just their own mailbox. Administrators have the “Search All Mailboxes” right under User Rights, which gives them access to everything. If that is too much access for a user, you can grant rights to individual mailboxes instead.

Granting Rights to Individual Mailboxes

You may grant rights to some users so they can access just certain mailboxes. For example, we can give the facilities manager rights to the mailboxes of two of his workers.

In the example above, the user has explicit rights to two mailboxes. These mailboxes can be taken away from the user simply by clicking on the red ‘X’.

Address Book Selector

Adding users to the list is done using the Address Book selector. In the criteria section, you may enter information to search for a mailbox or a set of mailboxes. The search results will appear in the Address Book section. Each listed entry has a check box you can use to select that mailbox for addition to the list. Once you are done selecting, click Add Selected Items to add those mailboxes to your list of searchable mailboxes.

This interface is utilized in various other areas, but is described here.

It shows the currently selected items at the top, and lets you delete an item by clicking the red X.

(The New Mailbox selector in the Search Interface is an exception; just choose another item)

Adding Mailboxes

  1. Choose between the configured module systems

  2. Fill out basic criteria to narrow your search results (or no criteria for the first 100)

  3. Click Search

  4. The results up to a maximum of 100 are displayed

  5. The user can then page back and forth among the first 5 pages of results

  6. Choose which of the results you want to add to the selected list

  7. Click Add Selected Items

Notes: You can restrict to just Users (skipping Resources). You can show only recently cached items (last 10 days). The search is not case sensitive.

About “Show only recently cached items”

This option restricts the list of items shown in the selector to those with items stored within the last 10 days. In user/group management, it restricts the list to users who have logged in to the live Mail system within the last 10 days. The idea is to show only current items. If you DO want to see all items regardless of whether they’ve shown activity within the last 10 days, just uncheck this option.

3.1.4 GroupWise Proxy Support

Retain supports the GroupWise proxy function. To enable it, check the box in the Module Configuration section. (NOTE: Using proxy is useless if the user you wish to enable this function for is set to use offline authentication, which is found under the core settings of the user.)

NOTE: The ‘all user rights access’ in GroupWise is not supported.

This function is used to enable a user to access the mailbox of another user. For example, if user B grants the right to user A to access their mailbox in the GroupWise client, then user A can “proxy” in to user B’s mailbox.

Much the same way, if user A has proxy rights into user B’s mailbox in GroupWise, and the function is enabled in Retain, then user A may select user B’s mailbox for browsing or may search through user B’s mailbox in the Search Screen.

In Retain, it is the MAIL READ right which grants access.

Retain uses the list of available mailboxes shown in the GroupWise client to determine which mailboxes will be made available to the logged in user (user A in our example). Thus, it is important that user A has logged into user B’s mailbox as proxy using the GroupWise client before doing this in Retain. While user B might have granted the rights to user A, if user A has not yet logged in as proxy to user B’s mailbox with GroupWise, then user B will not appear in user A’s list of available accounts to proxy into.

Retain checks these proxy rights the first time you access a proxy user’s mailbox, then caches the information for 7 days as configured in the server Configuration – Miscellaneous tab. (Default is 7 days.)

If you have access to another mailbox by virtue of GroupWise proxy, then you will see that mailbox appear in the mailbox selector in the search screen or you may search through that mailbox as well.

3.1.5 Creating Users

The primary purpose of a user account is to store their preferences, rights, mailboxes to which they have access, and authentication information.

Retain allows two types of users:

  • Associated Messaging System Users: Retain adds these in conjunction with archiving their message content.

    These users authenticate to Retain using their messaging system credentials. For example, GroupWise users authenticate using SOAP, Exchange users authenticate using Active Directory credentials.

  • Retain-Only Users: You create these in Retain, independent of any message system.

    These users authenticate using what Retain calls an Offline Password, which you create for them. Offline means that no connection to a separate system is required for authentication.

Initially, both of these user types belong only to the group named default, but you can add them to other groups that you create as needed.

Offline Passwords

You can allow users who are not part of the mail system, such as an independent auditor, a lawyer, or a user that has been deleted from the system, to search through the Retain archives.

Offline passwords are stored in Retain’s control database.

All Authentication Methods Provide Access

How a user authenticates has no bearing on their access rights within Retain. An administrator who possesses the Assign Rights administrative right can assign all pertinent rights to any user on the system.

Users can be assigned access to more than one mailbox. Retain-only users must be given access permissions for at least one mailbox to perform searches. Users who are assigned “Search All Mailboxes” rights have access to all users’ mailboxes.

NOTE: GroupWise Proxy support only works for users who authenticate via GroupWise SOAP protocol.

3.1.6 Creating a Retain Only User

  1. Click the “Add User” button.

  2. Enter a new user name and then fill out the options under each tab.

  3. When you are done, click the save changes disk icon at the upper right.