Public Folders Access Control
Nik Okuntseff, MS Exchange Server Programming
Access to Exchange Server public folders is protected by a separate, custom mechanism.
Although the object that represents a folder in the Directory may have
an associated Windows NT security descriptor with a DACL in it, client access
is controlled by an access control list of a different kind. There is some
confusion here because both are called ACLs. The difference is that
a Windows NT ACL specifies rights for Windows NT accounts, while a public
folder ACL deals with MAPI PR_ENTRYIDs. I have a separate topic, How
NT Access Control Relates to Public Folder ACLs, that describes where
these two things come together.
You can access public folder ACLs via either the IExchangeFolderACLs
interface or IExchangeModifyTable.
I have written a few samples that illustrate both approaches. Also, MSDN
has a sample named ACLEDIT, which illustrates the usage of IExchangeFolderACLs.
Access Rights
The following code fragment, extracted from the EdkMdb.h file, lists the documented
access rights.
//Security bits
#define frightsReadAny         0x0000001L
#define frightsCreate          0x0000002L
#define frightsEditOwned       0x0000008L
#define frightsDeleteOwned     0x0000010L
#define frightsEditAny         0x0000020L
#define frightsDeleteAny       0x0000040L
#define frightsCreateSubfolder 0x0000080L
#define frightsOwner           0x0000100L
#define frightsContact         0x0000200L // NOTE: not part of rightsAll
#define rightsNone             0x00000000
#define rightsReadOnly         frightsReadAny
#define rightsReadWrite        (frightsReadAny|frightsEditAny)
#define rightsAll              0x00001FBL
The table below explains their meanings:
| Flag | Meaning |
| --- | --- |
| frightsReadAny | A right to read any message in the folder. |
| frightsCreate | A right to create messages in the folder. |
| frightsEditOwned | A right to edit any message the user owns. |
| frightsDeleteOwned | A right to delete any message the user owns. |
| frightsEditAny | A right to edit any message in the folder. |
| frightsDeleteAny | A right to delete any message in the folder. |
| frightsCreateSubfolder | A right to create a subfolder in the folder. |
| frightsOwner | Indicates that the user owns the folder. |
| frightsContact | Indicates that the user is the contact person for the folder. |
| rightsNone | No rights at all. |
| rightsReadOnly | Same as frightsReadAny. |
| rightsReadWrite | Combines frightsReadAny and frightsEditAny access. |
| rightsAll | All documented rights except frightsContact. |
In addition to these rights, Exchange Server uses the flag 0x0000400, which
determines whether the folder is visible to a user. This flag is not a member of rightsAll.
Roles
Microsoft Exchange server uses a few roles for public folder clients.
Roles are convenient combinations of individual access rights. The following
roles are defined:
| Role | Access Mask |
| --- | --- |
| Owner | 0x000007FB |
| Publishing Editor | 0x000004FB |
| Editor | 0x0000047B |
| Publishing Author | 0x0000049B |
| Author | 0x0000041B |
| Nonediting Author | 0x00000413 |
| Reviewer | 0x00000401 |
| Contributor | 0x00000402 |
You can easily determine which individual rights contribute to a
role by examining its access mask.
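To show how a role mask decomposes into the individual rights listed above, here is an added C example; it is not code from this page or from Exchange. The label "Visible" for the undocumented 0x400 flag and the helper names (decode_rights, role_for_mask, unknown_bits, is_elevated) are assumptions made for the example.

```c
#include <stddef.h>
#include <string.h>

/* Rights bits from EdkMdb.h, plus the undocumented visibility flag 0x400
   (the label "Visible" for it is an assumption, not a name from the header). */
static const struct { long bit; const char *name; } g_rights[] = {
    { 0x001L, "ReadAny" },         { 0x002L, "Create" },
    { 0x008L, "EditOwned" },       { 0x010L, "DeleteOwned" },
    { 0x020L, "EditAny" },         { 0x040L, "DeleteAny" },
    { 0x080L, "CreateSubfolder" }, { 0x100L, "Owner" },
    { 0x200L, "Contact" },         { 0x400L, "Visible" },
};

/* Role masks from the table above. */
static const struct { long mask; const char *name; } g_roles[] = {
    { 0x7FBL, "Owner" },   { 0x4FBL, "Publishing Editor" }, { 0x47BL, "Editor" },
    { 0x49BL, "Publishing Author" }, { 0x41BL, "Author" },
    { 0x413L, "Nonediting Author" }, { 0x401L, "Reviewer" }, { 0x402L, "Contributor" },
};
#define KNOWN_BITS 0x7FBL   /* rightsAll | frightsContact | visibility flag */

/* Write '+'-separated names of the bits set in mask into buf; returns how many were named. */
int decode_rights(long mask, char *buf, size_t len) {
    int n = 0;
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof g_rights / sizeof g_rights[0]; i++) {
        if (!(mask & g_rights[i].bit)) continue;
        if (n++) strncat(buf, "+", len - strlen(buf) - 1);
        strncat(buf, g_rights[i].name, len - strlen(buf) - 1);
    }
    return n;
}

/* Name of the predefined role whose mask equals mask exactly, or NULL for a custom mask. */
const char *role_for_mask(long mask) {
    for (size_t i = 0; i < sizeof g_roles / sizeof g_roles[0]; i++)
        if (g_roles[i].mask == mask) return g_roles[i].name;
    return NULL;
}

/* Bits that correspond to no known right; a non-zero result is worth flagging in an ACL audit. */
long unknown_bits(long mask) {
    return mask & ~KNOWN_BITS;
}

/* Non-zero when mask grants edit/delete over other users' messages or folder ownership. */
int is_elevated(long mask) {
    return (mask & (0x020L | 0x040L | 0x100L)) != 0;
}
```

Running decode_rights over 0x413 yields "ReadAny+Create+DeleteOwned+Visible", which is exactly the Nonediting Author role.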
Who May Be Listed in an ACL?
The following entities may be listed in a public folder ACL:
- A user from the Microsoft Exchange Server address book.
- A distribution list from the Microsoft Exchange Server address book.
- A public folder.
- A defined role.
Send comments and suggestions to niko@wrconsulting.com
Copyright © 1997-1998 by Nik Okuntseff