About Information Store Security

Platform SDK: Exchange Server

Information store objects can be accessed only by users or applications with sufficient permissions. The ability to create or delete folders, post items, and edit public folder contents depends on the account's permissions on that object, as specified by the access control list (ACL). An ACL is similar in function to the discretionary access control list (DACL), which limits access to directory objects. (See About Directory Security).

Access to information stores and the objects within them is granted in the following ways:

Mailboxes The information store verifies that the account requesting to log on (as identified by its security identifier) is that of the mailbox's owner. If so, logon permission is granted.
Public information stores Security is not enforced on the public information store, but rather on individual folders within the store.
Offline folder stores (OST) Access to an OST is granted to the logon account with the profile in which the offline store was created. The OST may also be opened by another profile, but that profile must be logged on to the corresponding mailbox. File-level security can also be used to deny access to an OST.
Top folder within a store Special permissions are needed to create the top level folder in a public information store. No special permissions are needed in private information stores. Administrators can control the creation of top-level folders through the Administrator program.
Folder within a folder Folders within folders are treated as Contents of Folders, with this exception: The requestor must own a folder to delete it.
Contents of folders Access to messages and other items is determined by the permissions granted the requestor, as defined in the ACL of the containing folder. Any folder in an information store can have an access control list.