Request # 12
Exchange ACL (Modifying Access Rights)
Public Folders Access Control
Access to Exchange Server public folders is protected by a custom mechanism. Although the object that represents a folder in the Directory may have an associated Windows NT security descriptor with a DACL in it, client access is controlled by an access control list of another kind. There is some confusion here because both are called ACLs. The difference is that a Windows NT ACL specifies rights for Windows NT accounts, while a public folder ACL deals with MAPI PR_ENTRYIDs. I have a separate topic, How NT Access Control Relates to Public Folder ACLs, that describes where these two things come together. You can access public folder ACLs via either the IExchangeFolderACLs interface or IExchangeModifyTable. We have written a few samples that illustrate both approaches. Also, MSDN has a sample named ACLEDIT, which illustrates usage of IExchangeFolderACLs.
Access Rights
The following code fragment, extracted from the Edk.pas file, lists the documented access rights.
const
  // Individual public folder access rights (as declared in Edk.pas)
  frightsReadAny         = ULONG($00000001);
  frightsCreate          = ULONG($00000002);
  frightsEditOwned       = ULONG($00000008);
  frightsDeleteOwned     = ULONG($00000010);
  frightsEditAny         = ULONG($00000020);
  frightsDeleteAny       = ULONG($00000040);
  frightsCreateSubfolder = ULONG($00000080);
  frightsOwner           = ULONG($00000100);
  frightsContact         = ULONG($00000200);
  // Convenience combinations of the rights above
  rightsNone             = ULONG($00000000);
  rightsReadOnly         = frightsReadAny;
  rightsReadWrite        = (frightsReadAny or frightsEditAny);
  rightsAll              = ULONG($000001FB);  // every right above except frightsContact
The table below explains their meanings:
| Right | Meaning |
|---|---|
| frightsReadAny | The right to read any message in the folder. |
| frightsCreate | The right to create messages in the folder. |
| frightsEditOwned | The right to edit messages the user owns. |
| frightsDeleteOwned | The right to delete messages the user owns. |
| frightsEditAny | The right to edit any message in the folder. |
| frightsDeleteAny | The right to delete any message in the folder. |
| frightsCreateSubfolder | The right to create a subfolder in the folder. |
| frightsOwner | Indicates that the user owns the folder. |
| frightsContact | Indicates that the user is the contact person for the folder. |
| rightsNone | No rights at all. |
| rightsReadOnly | Same as frightsReadAny. |
| rightsReadWrite | Combines frightsReadAny and frightsEditAny. |
| rightsAll | All documented rights except frightsContact. |
In addition to these rights, Exchange Server uses the flag $0000400, which determines whether the folder is visible to a user. This flag is not part of rightsAll.
Microsoft Exchange Server uses a few roles for public folder clients. Roles are convenient combinations of individual access rights. The following roles are defined:
You can easily determine which individual rights contribute to a role by examining its access mask.
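As an added example (not part of the original page or the EDK), here is a Python decoder that mirrors the Edk.pas constants: it names the bits in an access mask, checks that rightsAll really is every documented right except frightsContact and excludes the $0000400 flag, and reports which entries in a constructed ACL table grant more than a chosen baseline, which is how you would review a role's or a user's mask. The name FOLDER_VISIBLE for the $0000400 flag and the sample table are assumptions.

```python
# Individual rights, mirroring the Edk.pas constants quoted on the page.
FRIGHTS_READ_ANY = 0x00000001
FRIGHTS_CREATE = 0x00000002
FRIGHTS_EDIT_OWNED = 0x00000008
FRIGHTS_DELETE_OWNED = 0x00000010
FRIGHTS_EDIT_ANY = 0x00000020
FRIGHTS_DELETE_ANY = 0x00000040
FRIGHTS_CREATE_SUBFOLDER = 0x00000080
FRIGHTS_OWNER = 0x00000100
FRIGHTS_CONTACT = 0x00000200
FOLDER_VISIBLE = 0x00000400  # the $0000400 visibility flag; this name is an assumption
RIGHTS_NONE = 0x00000000
RIGHTS_READ_ONLY = FRIGHTS_READ_ANY
RIGHTS_READ_WRITE = FRIGHTS_READ_ANY | FRIGHTS_EDIT_ANY
RIGHTS_ALL = 0x000001FB

RIGHT_NAMES = {
    FRIGHTS_READ_ANY: "frightsReadAny", FRIGHTS_CREATE: "frightsCreate",
    FRIGHTS_EDIT_OWNED: "frightsEditOwned", FRIGHTS_DELETE_OWNED: "frightsDeleteOwned",
    FRIGHTS_EDIT_ANY: "frightsEditAny", FRIGHTS_DELETE_ANY: "frightsDeleteAny",
    FRIGHTS_CREATE_SUBFOLDER: "frightsCreateSubfolder", FRIGHTS_OWNER: "frightsOwner",
    FRIGHTS_CONTACT: "frightsContact", FOLDER_VISIBLE: "visible($0000400)",
}

# Constructed sample ACL table (display name, access mask); not real data.
SAMPLE_ACL = [("Default", RIGHTS_READ_ONLY | FOLDER_VISIBLE), ("Anonymous", RIGHTS_NONE),
              ("Sales DL", RIGHTS_ALL | FOLDER_VISIBLE),
              ("Alice", RIGHTS_READ_WRITE | FRIGHTS_CREATE | FOLDER_VISIBLE)]

def decode_rights(mask):
    """Name every set bit of an access mask; bits we do not know are reported, not dropped."""
    names = [name for bit, name in sorted(RIGHT_NAMES.items()) if mask & bit]
    unknown = mask & ~sum(RIGHT_NAMES)
    return names + (["unknown(0x%08X)" % unknown] if unknown else [])

def rights_all_is_consistent():
    """Check the page's claim: rightsAll is every documented right except frightsContact,
    and the visibility flag is not part of it."""
    documented = sum(b for b in RIGHT_NAMES if b not in (FRIGHTS_CONTACT, FOLDER_VISIBLE))
    return RIGHTS_ALL == documented and not RIGHTS_ALL & FOLDER_VISIBLE

def audit_acl(entries, baseline=RIGHTS_READ_WRITE):
    """Map each entry granting more than the baseline to the names of its extra rights."""
    findings = {}
    for who, mask in entries:
        extra = decode_rights(mask & ~(baseline | FOLDER_VISIBLE))  # visibility is not a right
        if extra:
            findings[who] = extra
    return findings
```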
Who May Be Listed in an ACL?
The following entities may be listed in a public folder ACL:
- A user from the Microsoft Exchange Server address book.
- A distribution list from the Microsoft Exchange Server address book.
- A public folder.
- A defined role.
Let’s see how IExchangeModifyTable interface may be used to read and modify access control entries for a public folder…