Platform SDK: Exchange Server |
An access control list (ACL) is used to control user access to information store objects. Any information store object for which a user can have access rights may have an associated ACL, including servers, sites, containers, mailboxes, and folders as represented within the information store.
Each ACL consists of a list of members and their associated security privileges, where each member is one of four entities:
Applications are able to set, interrogate, modify, and delete ACL entries when the required permissions are in place. In this way they can control access to the folders they use.
An access control list (ACL) is stored as a table. Each row of the table consists of a distinguished name (DN) and a value that can be translated into the set of access controls (permissions) applied to that member. An ACL table is structured as follows.
Structure of an access control list
Because a directory object is identified within an ACL by its DN, any entity in the directory (including DLs) can be an entry in an ACL and thus have permissions on any folder. The permissions that may be assigned to an ACL entry are listed in the following table.
Permissions on information store objects
Permission | Description |
---|---|
frightsReadAny | Read any items. |
frightsCreate | Create items. |
frightsEditOwned | Edit any items owned by the user. |
frightsDeleteOwned | Delete any items owned by the user. |
frightsEditAny | Edit any item. |
frightsDeleteAny | Delete any item. |
frightsCreateSubfolder | Create subfolders for the folder. |
frightsOwner | Set permissions on the folder. |
frightsContact | Appear as the contact on the folder. Not part of rightsAll. |
rightsNone | No permissions on the folder. |
rightsReadOnly | Read any item in the folder. |
rightsReadWrite | Read from and write to any item in the folder. |
rightsAll | All the above permissions on the folder except frightsContact. |
At the time a folder is created, the entire ACL table is copied from the folder's parent object. This means that the initial ACL contains at least these two entries: default and owner. This applies to private as well as public folders.
The initial default entry in an ACL cannot be deleted. Owner entries can be deleted, and other owners can be added. That is, new entries with the permission frightsOwner can be added, and an existing entry can be assigned the permission frightsOwner.
For more information about access control lists, see Manipulating ACLs, the ACL COM Component, and ACLASP sample application.