Platform SDK: Exchange Server

About Access Control Lists

An access control list (ACL) is used to control user access to information store objects. Any information store object for which a user can have access rights may have an associated ACL, including servers, sites, containers, mailboxes, and folders as represented within the information store.

Each ACL consists of a list of members and their associated security privileges, where each member is one of four entities:

Applications are able to set, interrogate, modify, and delete ACL entries when the required permissions are in place. In this way they can control access to the folders they use.

The Structure of ACLs

An access control list (ACL) is stored as a table. Each row of the table consists of a distinguished name (DN) and a value that can be translated into the set of access controls (permissions) applied to that member. An ACL table is structured as follows.

Structure of an access control list

Because a directory object is identified within an ACL by its DN, any entity in the directory (including DLs) can be an entry in an ACL and thus have permissions on any folder. The permissions that may be assigned to an ACL entry are listed in the following table.

Permissions on information store objects

Permission Description
frightsReadAny Read any items.
frightsCreate Create items.
frightsEditOwned Edit any items owned by the user.
frightsDeleteOwned Delete any items owned by the user.
frightsEditAny Edit any item.
frightsDeleteAny Delete any item.
frightsCreateSubfolder Create subfolders for the folder.
frightsOwner Set permissions on the folder.
frightsContact Appear as the contact on the folder. Not part of rightsAll.
rightsNone No permissions on the folder.
rightsReadOnly Read any item in the folder.
rightsReadWrite Read from and write to any item in the folder.
rightsAll All the above permissions on the folder except frightsContact.

At the time a folder is created, the entire ACL table is copied from the folder's parent object. This means that the initial ACL contains at least these two entries: default and owner. This applies to private as well as public folders.

The initial default entry in an ACL cannot be deleted. Owner entries can be deleted, and other owners can be added. That is, new entries with the permission frightsOwner can be added, and an existing entry can be assigned the permission frightsOwner.

For more information about access control lists, see Manipulating ACLs, the ACL COM Component, and ACLASP sample application.