Best practice tip for user import
Preparations
ELO users and their access rights in the repository are central to e-mail storage because correspondence, business or otherwise, should not generally be compromised. It is possible to prepare the repository manually before archiving any e-mails, or it can be done automatically by ELOxc. Central to e-mail archiving is the external mailbox owner whose messages are to be processed and later made available in the repository. ELOxc groups all external mailbox owners in mailbox catalogs, which are created when external directories are queried.
Usage example, user importUser import, usage exampleAutomatic import of user accounts from the catalog is not a default setting in ELOxc, because it can lead to conflicts with the LDAP import function in the ELO Administration Console or existing legacy data. However, if you have already used the ELO Indexserver LDAP connection, there is nothing to prevent you from allowing ELOxc to import users, but you should consider whether this is actually necessary or whether the LDAP connection is not the better function. ELOxc is limited to mailbox properties. Nevertheless, both import methods are compatible as they both identify the external users based on the GUID in the directories. This allows ELOxc to import user data before the ELO Indexserver LDAP connection is used without preventing it being used later on.
You should therefore do some careful planning before you import user accounts. Once you have done so, ELOxc can automatically import the relevant catalog data of the users and also configure permissions settings for archived items. This decision is likely made when messages need to be stored before mailbox owners have a chance to log into the repository for the first time.
In addition, the different mailbox types processed by ELOxc as well as the filing path influence the resulting permission settings after an e-mail has been stored. Therefore, this usage example consists of several parts, which build on one another and also illustrate central control mechanisms of ELO access permissions.
We recommend that you test the configuration examples and verify the usage example with your own tests depending on your individual level of experience.
You need:
- ELO 20
- ELO Administration Console
- ELO client
- Microsoft Outlook
- 3x user mailboxes – 1x sender, 2x recipients
- 1x shared mailbox (with these user mailboxes as delegates)
- ELOxc
- Microsoft Active Directory
- Microsoft 365
- Remote PowerShell (Default authentication mode)
- App registration for Microsoft Graph API (OAuth2)
Standard method
The standard method in ELOxc is based on the assumption that the user structure has been configured in the repository before the first mailboxes are archived. Mailboxes are only associated with ELO data via the filing path using the automated functions of form permissions, which also play an essential role in the following examples with automatic user import. The standard method is used specifically if you want to separate external users and ELO users. However, it must be used if a static mailbox catalog has been configured.
In this example, a user gets a separate folder in the main folder E-mails (prepared), in which messages will be stored according to the folder structure in Outlook. This folder should be named after its SMTP address:
Both folders are created using the default folder form so that all users have access to them. However, since we want to configure a user-specific e-mail repository, the stored e-mails must be protected against unauthorized access by other users using appropriate permission settings.
The first step is to create the user. This is done in the ELO Administration Console:
After you save the new user, it shows up in the list:
In the client, you now set the permissions for both folders. Navigate to the main folder E-mails (prepared).
All users have read access to the main folder:
The user folder that will contain the stored mailbox is assigned permission settings that grant xc191 the rights to read the e-mails, move them, and change their metadata as needed:
Once the folders have been configured accordingly, messages for xc191 can be stored. The expected Outlook folder structure is automatically secured based on the permission settings of the metadata forms used. The default Folder and E-mail forms already have the required Parent rights permissions settings, which ensures that permissions for the transferred mailbox folders and messages are passed on correctly during processing.
ELOxc is now used to configure simple e-mail storage. It is based on the metadata templates KW_DEFAULT_DOCUMENT and KW_DEFAULT_FOLDER. KW_DEFAULT_DOCUMENT is assigned to the stored documents or messages and KW_DEFAULT_FOLDER is assigned to the created folders:
Both metadata templates are part of the default settings of ELOxc, which is why they are verified every time ELOxc is started. If they are missing, ELOxc automatically creates them. In addition, they already contain the default mappings of message properties to metadata fields, which is why they shouldn't be changed. If other templates are required, you can create customized copies of the two standard templates.
This simple storage process uses an active Archive Simple action tree.
The active action tree calls a subtree (or template tree) in which Export, Archiving, Tag, and Save are configured.
To ensure that the correct filing target is used in the repository, the Filing path action must be configured in advance.
During filing, the path is created by using existing path segments and creating missing ones. This ensures that the settings of the folders E-mails (prepared) and xc191@xc.local remain unchanged. This also means that the path segments in the repository are not changed by ELOxc once they have been created because the only identifier used is the folder name.
The segment for the main folder is configured as follows:
Since the name E-mails (prepared) is assigned by default and cannot be changed, the segment type must be set to constant. The metadata template of this path segment remains empty because the KW_DEFAULT_FOLDER template is already set at the top level of the entire action. If you want to use different templates for individual segments of the filing path, using different metadata forms, for example, you can configure this in this field of the segment. However, the segments are not linked to the metadata in this example.
The automatically generated name of the next segment in this example is the mailbox SMTP address. The variable BoxAddr is responsible in this case.
The third path segment uses the BoxPath variable, which is used to transfer the structure from Outlook during filing.
Now, when messages are processed, you can see in the repository that the desired permission settings are automatically applied correctly:
Automatic import of user accounts
This example with automatic user import for e-mail storage also assumes that there is a main folder, which will now be called E-mails (unprepared). This is where the mailbox folders with Outlook structures will be stored after filing. This does not require any preparations in the repository. Also, no ELO users are created. In your tests, make sure that you delete the created users over and over so that you can see changes to the user import process in new examples.
Make sure that you have enabled user import in the instanced configuration.
Parameters:
- Assume ownership: Enabling this option means that the user automatically created in the repository is also entered as the owner of the newly created documents.
- User notification: Enabling this option means that a message containing the user's credentials is automatically sent.
- Identity format: This selection field determines which catalog property to use as the ELO user name. The possible properties are UserPrincipalName, sAMAccountName, and displayName.
- Password: In this field, you can configure a default password for all imported users. If you leave the field blank, ELOxc generates a random password. In this case, you need to enable user notification because the password is not known otherwise. A new ELO user is able to set their own password when they log on for the first time.
- Default ACL: This where you specify the ACL for the user folder. This permission setting is applied to all transferred items based on the inheritance mechanisms of the metadata form (RW was selected here to distinguish it from RWDELP).
- Group membership and Group prefix: Each transferred user is automatically created as a member of a group whose name is set in these two fields. Separate group name and group prefix fields are required to allow recognition of the groups generated by ELOxc. If a user mailbox is processed, the group name ELOxc_USERS is used. However, in other cases, the USERS part of the name may be overwritten by names of shared mailboxes.
If you store an e-mail with these settings, you will get the following result:
The message Automatically without taking ownership is archived and is assigned the configured permissions settings RW. In addition, the user xc191 is notified that the ELO user account was created:
The user is now able to to log on to the repository where they will be prompted to set their own password:
If you enable the Assume ownership option in the instance configuration, each stored e-mail and each filing path folder created in this way will be assigned to the mailbox owner as if they had stored it manually:
If you do not enable this option, the stored message will be automatically assigned to the service account.
The assignment of rights in automatic user import only works properly if the filing path uses a variable that is associated with the mailbox owner:
The variables are assigned as follows:
| Variable | LDAP user property |
| BoxAccount | sAMAccountName |
| BoxAddr | |
| BoxName | displayName |
| BoxUPN | UserPrincipalName |
Information: If one of these variables is detected in the filing path and assigned a corresponding value, ELOxc simultaneously sets the configured ACL for the path segment. It therefore makes sense to use only one variable that is associated with a mailbox for each filing path. At the same time, one of these variables must always be configured for successful and secure mailbox emulation. If this is not the case, data could be compromised.
When you check whether the users have been imported in the ELO Administration Console, you will find both the user xc191 and the user group ELOxc_USERS:
The user name xc191@xc.local is taken from the directory propertyUserPrincipalName. If this identity is selected, the Windows user is automatically set in the format <domain>\<account>. The SMTP address is applied as the e-mail address and the newly created user is automatically assigned to the ELOxc_USERS group stored in the configuration with the group prefix and group membership parameters:
Information: The user ID cannot be changed because it is determined automatically by the ELO Access Manager. It is an internal identifier and plays an important role in user import by integrating user data sets and permissions settings. It is the main reason why users previously imported from an external directory have to be identified in ELO. If this is not the case, permissions settings will be lost, orphaned, or even incorrectly assigned. If users are imported with the ELO Indexserver LDAP connection or imported by ELOxc, the directory property objectGUID identifies the users. When importing users with LDAP in the ELO Administration Console, you need to make an alteration if you want to use the objectGUID.
When using LDAP mailbox catalogs, supervisors defined in ELO are automatically assigned to ELO users. This requires the LDAP property manager.
The user xc192 is assigned xc191 as supervisor in the local directory:
If user import is enabled, the ELO user xc191 is automatically entered as the supervisor of ELO user xc192 when this user is created:
If the manager property is not set, the ELO Administrator is entered as the supervisor. During subsequent processing, if the property is available or has changed, the setting will be applied.
ELO user entries with automatic import
In order to apply the automatic user import settings to the user entries and to store e-mails in these structures, you need to modify the configuration of the filing path. In this case, you need to set user instead of the default value archive.
ELO user entries are part of the default configuration of a repository and are shared with all ELO users. Each user has a personal area in the repository, which cannot be accessed by other users. If you set the root of the filing path to user, the e-mails will be stored in this area. This eliminates the need to create a folder that is associated with a mailbox, which is why the filing path is easier to configure:
If you now store a message, you can see that the permissions settings of the user's personal area are automatically applied:
Shared mailboxes with automatic import
If you want to store messages from a shared mailbox, two different mailbox types are available – shared and user:
A shared mailbox shared19 with configured delegates xc191 and xc192 is processed with the setting shared, which triggers mailbox emulation, which processes shared19 as the mailboxes xc191 and xc192. For this to work, the filing path must use a variable that is associated with the mailbox, indirectly associating the delegate as its owner. The path configuration could look like this:
If the e-mail is stored using the mailbox type shared, the result in the repository looks like this:
Each delegate receives a copy of the processed message. The permissions correspond to the configuration of the instance configuration. However, if the e-mail is stored with the mailbox type="user" in native mode, ELOxc uses this filing structure:
Only one message copy is stored for the shared and in this case not emulated (or resolved) mailbox shared19@xc.local.
In terms of the permission settings when processing a shared mailbox, regardless of whether you select the type user or shared, an ELO user group is always created whose members are the delegates of shared19@xc.local. The difference is that type="shared" assigns individual access rights and type="user" assigns group rights.
In the ELO user manager, you can see that a user group ELOxc_SHARED19 was created for shared19@xc.local. This user group is a member of the general group ELOxc_USERS. This occurs independently of type="shared" and type="user", reflecting the mailbox configuration and probably the mailbox usage.
The mailbox delegates are assigned to the user group ELOxc_SHARED19:
If you use mailbox emulation in native mode, the result for the path root user is congruent to the result for the path root archive.
This is what the result with mailbox emulation looks like:
This is the result with native mode, i.e. without mailbox emulation:
Journal recipients with automatic import
User accounts are also automatically transferred when processing journal recipients. However, a journal is not used in the same sense as shared mailboxes. A journal recipient is a user mailbox and is therefore treated by ELO as a user.
Journal recipient, import userAs long as a journal is configured as the mailbox type journal in ELOxc, mailbox emulation with automatic creation of all users whose mailboxes are on the same Exchange server mailbox database will occur as expected. However, if the journal is processed in native mode, user accounts are created in ELO for all journal mailbox owners as well as the user account of the journal recipient.
E-mail storage with mailbox emulation ( type="journal") of the journal recipient journal19@xc.local:
E-mail storage with type="user" in native mode produces this result:
Due to native mailbox processing, the journal recipient appears in the user manager in the same way as the journal mailbox owners:
If an e-mail is stored in the ELO repository using mailbox emulation and the path root user, it is stored in the user's personal area:
With native processing (type="user") of the journal recipient in ELO, only one message copy is stored in the repository for journal19@xc.local.
E-mail storage of journal recipients in native mode differs from native mode with shared mailboxes not only because the user journal19 is also transferred. In this case, other messages are stored as well:
The original message is stored in the journal recipient's mailbox as an attachment to an envelope. The envelope contains the recipients of the message. E-mail storage of journal recipients in native mode is therefore more suited for meeting requirements for documentation of e-mail correspondence than is user-based e-mail storage. If you still want ELO users to be able to access these messages at a later date, it is possible to extract the original message using downstream processes and make them available to automatically imported ELO users with appropriate permissions settings.
Mailbox catalogs with automatic import
The different catalog types in ELOxc all retrieve the main user properties Name, Windows user, and E-mail. ELOxc also applies the GUID (objectGUID property) of the external mailbox owner as the ELO user GUID. If users are created manually, there is no external GUID so you need to configure the LDAP import function in the ELO Administration Console to use this GUID. The external GUID is essential for data transfer later on, which is why it is also specified as the default setting for the ELO Indexserver LDAP connection.
In addition to the main user properties, ELOxc stores additional catalog data in the ldapuserprops table of the ELO Access Manager, which can be retrieved via the Indexserver API.
The table below illustrates how properties are mapped according to the access constants in the Indexserver API:
| External name | ldap | ps | UserInfoC |
| displayName | X | X | LDAP_KEY_DISPLAY_NAME |
| distinguishedName | X | X | LDAP_KEY_DISTINGUISHED_NAME |
| legacyExchangeDN | X | X | LDAP_KEY_LEGACY_EXCHANGE_DN |
| X | LDAP_KEY_MAIL | ||
| PrimarySmtpAddress | X | LDAP_KEY_MAIL | |
| Manager | X | LDAP_KEY_MANAGER | |
| msExchRecipientTypeDetails | X | LDAP_KEY_EXCH_RECIPIENT_TYPE_DETAILS | |
| RecipientTypeDetails | X | LDAP_KEY_EXCH_RECIPIENT_TYPE_DETAILS | |
| person | person | LDAP_KEY_OBJECT_CLASS | |
| objectGUID | X | LDAP_KEY_OBJECT_GUID | |
| Guid | X | LDAP_KEY_OBJECT_GUID | |
| false | LDAP_KEY_ONLINE | ||
| true | LDAP_KEY_ONLINE | ||
| sAMAccountName | X | LDAP_KEY_SAM_ACCOUNT_NAME | |
| samAccountName | X | LDAP_KEY_SAM_ACCOUNT_NAME | |
| userPrincipalName | X | X | LDAP_KEY_USER_PRINCIPAL_NAME |
It is possible to configure external properties as main user properties (Name, Windows user and E-mail using the Identity format parameter, although Name=UserPrincipalName, Windows user=domain\account, and E-mail=SMTP address should remain the preferred default.
Name=account and Windows user=UserPrincipalName can be useful if you have older repositories. Since the user data is only created if it is missing and is not updated after that, you must carefully consider whether ELO Access Manager databases should do without the preferred default settings.
ELO Indexserver LDAP connection
With the default settings, the ELO Indexserver LDAP connection adopts the following properties:
| LDAP | UserInfoC |
| Cn | LDAP_KEY_CN |
| displayName | LDAP_KEY_DISPLAY_NAME |
| distinguishedName | LDAP_KEY_DISTINGUISHED_NAME |
| LDAP_KEY_DOMAIN | |
| groupType | LDAP_KEY_GROUP_TYPE |
| mailNickname | LDAP_KEY_MAIL_NICK_NAME |
| manager | LDAP_KEY_MANAGER |
| msExchMailboxGuid | LDAP_KEY_MS_EXCHANGE_MAILBOX_GUID |
| name | LDAP_KEY_NAME |
| objectCategory | LDAP_KEY_OBJECT_CATEGORY |
| objectGUID | LDAP_KEY_OBJECT_GUID |
| objectSid | LDAP_KEY_OBJECT_SID |
| proxyAddresses | LDAP_KEY_PROXY_ADDRESSES |
| sAMAccountName | LDAP_KEY_SAM_ACCOUNT_NAME |
| sAMAccountType | LDAP_KEY_SAM_ACCOUNT_TYPE |
| userAccountControl | LDAP_KEY_USER_ACCOUNT_CONTROL |
| userPrincipalName | LDAP_KEY_USER_PRINCIPAL_NAME |
Information: Refer to the LDAP connection documentation for instructions on how to customize the property mappings. Nevertheless, it makes sense for the LDAP connection and the user import from ELOxc to generate the same result for the main ELO user properties Name, Windows user, and E-mail.
Summary
ELOxc can only set the permissions of newly created items in the repository. Once data is archived, the settings in the repository cannot be changed. Access permissions to items in the repository must always be set with the client. Automatically transferred users are retained even if they are subsequently deleted in the directory. This also applies for the LDAP property manager.
By default, it is necessary to define the settings, including the permission settings, for storing e-mails in the repository. The default metadata forms Folder and E-mail are useful configuration tools and are available as standard metadata templates of ELOxc.
Automatic import of user accounts is an option that allows you to avoid manual configuration of filing structures. The mailbox owners are imported as ELO users and assigned access rights that correspond to the mailbox type depending on the configured processing type. The main user properties GUID, Name, SMTP address and Account or UserPrincipalName can be applied for all catalog groups. Furthermore, additional directory data is stored in ELO Access Manager.
When mapping external data to user properties in ELO, however, make sure that you avoid conflicts since, for example, manual creation of users with simultaneous transfer by ELOxc can cause ambiguities that you may not notice until later on and are difficult to correct.
It is therefore important that you answer the following questions when creating or rebuilding a repository:
- How will users be managed in the long term? Where will they be managed?
- Will there (also) be ELO users only, or will all user data be imported from an external source?
- Have you made sure that ELO Administrator and ELO Service (and other service accounts, if applicable) are not generated from external sources? If the main user accounts are to be managed externally, have you made sure that their passwords remain changed so as not to disable active ELO components?
- Which component meets the administrative requirements for automatic user transfer: LDAP connection, LDAP import, or ELOxc?
The key aspects of permissions configuration for e-mail storage as illustrated in this example are:
- ELO Administration Console: Creation and validation of users and groups
- LDAP connection: Import of user accounts (general and at granular level)
- Metadata forms and fields: Default metadata forms Folder and E-mail
- Metadata templates: KW_DEFAULT_FOLDER and KW_DEFAULT_DOCUMENT
- Mailbox types: user, shared, journal
- Import of user accounts: Activation, identity format, assume ownership
- Filing paths: Path root archive or user, variables associated with a mailbox
The mailbox type user is always associated with native processing. The mailbox types journal and shared can also be processed in native mode, but we do not recommend this because the user focus is lost as a result. The recommended default for these two mailbox types is mailbox emulation.
The results/implications of automatic user import are listed in the following table:
| Mailbox | Configuration | Path root | Permissions settings |
| User | user | archive | User-based |
| user | User-based | ||
| Shared | shared | archive | User-based (plus own group) |
| user | User-based (plus own group) | ||
| user | archive | Group-based via own group | |
| user | Group-based via own group | ||
| Journal | journal | archive | User-based |
| user | User-based | ||
| user | archive | Mapped to journal recipient | |
| user | Mapped to journal recipient |