Public Folders Access Control

Access to Exchange server public folders is protected by other custom mechanism. Although an object, which represents a folder in the Directory may have an associated Windows NT security descriptor with DACL in it, client access is controlled by an access control list of another kind. There is a bit of confusion here because both are called ACLs. The difference is that a Windows NT ACL specifies rights for Windows NT accounts, while a public folder ACL deals with MAPI PR_ENTRYIDs. I have a separate topic How NT Access Control Relates to Public Folder ACLs that describes where these two things come together.

You can access public folder ACLs via either IExchangeFolderACLs interface, or IExchangeModifyTable. I have written a few samples that illustrate both approaches. Also, MSDN has a sample named ACLEDIT, which illustrates usage of IExchangeFolderACLs.
 

Access Rights

The following code fragment extracted from the EdkMdb.pas file lists documented access rights.

//Security bits
const
    frightsReadAny    =   ULONG($0000001);
    frightsCreate   =   ULONG($0000002);
    frightsEditOwned   =   ULONG($0000008);
    frightsDeleteOwned   =   ULONG($0000010);
    frightsEditAny   =   ULONG($0000020);
    frightsDeleteAny   =   ULONG($0000040);
    frightsCreateSubfolder   =   ULONG($0000080);
    frightsOwner   =   ULONG($0000100);
    frightsContact    =   ULONG($0000200); 
    rightsNone   =   ULONG($00000000);
    rightsReadOnly = frightsReadAny;
    rightsReadWrite  =     (frightsReadAny or frightsEditAny);
    rightsAll   =   ULONG($00001FB);

The table below explains their meanings:
 
 
Flags
Meaning
frightsReadAny A right to read any message in the folder. 
frightsCreate A right to create messages in the folder. 
frightsEditOwned A right to edit any message owned by a user.
frightsDeleteOwned A right to delete any message owned by a user.
frightsEditAny A right to edit any message in the folder.
frightsDeleteAny A right to delete any message in the folder.
frightsCreateSubfolder A right to create a subfolder in the folder.
frightsOwner Indicates that a user owns the folder.
frightsContact Indicates that a user is the contact person for the folder.
rightsNone No rights at all.
rightsReadOnly Same as frightsReadAny.
rightsReadWrite Combines frightsReadAny and frightsEditAny access.
rightsAll All documented rights with exemption of frightsContact.

In addition to these rights Exchange server uses flag $0000400, which determines folder visibility to a user. This flag is not a member of rightsAll.
 

Roles

Microsoft Exchange server uses a few roles for public folder clients. Roles are convenient combinations of individual access rights. The following roles are defined:
 
 
Role
Access Mask
Owner $000007FB
Publishing Editor $000004FB
Editor $0000047B
Publishing Author $0000049B
Author $0000041B
Nonediting Author $00000413
Reviewer $00000401
Contributor $00000402
 
You may easily determine which individual rights contribute to the role by examining it access mask.
 

Who May Be Listed in an ACL?

The following entities may be listed in a public folder ACL: