Accessing Exchange Objects


This topic uses two examples to illustrate the access control process that Microsoft® Exchange uses. In the first example, a user attempts to open a folder or a message in his or her mailbox. In the second example, a user attempts to open a folder or a message in a public folder.

Opening a Folder or a Message in a User Mailbox

When a user attempts to gain access to, or perform an operation on, a folder or message in a mailbox, Exchange uses the process that is illustrated in the following figure to determine whether or not the user is authorized to perform the operation.

Note

Windows 2000 performs the actual checks, but Exchange controls the process, sometimes imposing special rules and modifications. For a description of these rules and modifications, see Details of the Exchange Access Control Process.

[Figure: Access checks that Exchange performs when a user attempts to gain access to a folder or a message in a mailbox]

As shown in the preceding figure, the authorization process takes place in two main steps: a set of preliminary checks, and a folder-level or message-level check.

Preliminary checks for user mailboxes   Exchange performs three preliminary checks:

  • Is the user requesting an attribute of a folder or a message? (Access control for attributes is a topic beyond the scope of this book.)

  • What type of user is requesting access? Certain types of users, such as the mailbox owner, have full access permissions to all of the items in the mailbox.

  • Is the user also performing an administrative action? Administrative actions (such as changing the storage limits for a particular mailbox) are controlled by a different set of permissions than those that control client actions (such as creating a new message). Exchange uses this check to determine which set of permissions to use when it checks folder or message permissions.

    For information about how Exchange identifies administrative actions, see "Determining the Type of Client Application" in Details of the Exchange Access Control Process.

Folder or message check for user mailboxes   Exchange handles this check in one of two ways, depending on the outcome of the preliminary user-type check:

  • If the user is a designated special user (for example, the user is the mailbox owner), Exchange skips this check and grants full access permissions.

  • If the user is not a designated special user, Exchange determines whether the user has the appropriate permissions to perform the requested action. If the user is using an administrative application but does not have the appropriate permissions to perform the requested action, Exchange performs another check using the regular permissions.

Because the second check in the authorization process occurs at the folder or message level, it is possible for a user to log on to a mailbox that the user does not own; however, the user will not be able to access items in the mailbox unless access permissions have been specified for this user for a particular folder or message.

Note

Although this example describes access checks for a user mailbox, the process is the same for a system mailbox (or any other type of mailbox that you create).

Opening a Public Folder or a Public Folder Message

When a user attempts to gain access to, or perform an operation on, a public folder or a message in a public folder, Exchange uses the process that is illustrated in the following figure to determine whether or not the user is authorized to perform the operation.

[Figure: Access checks that Exchange performs when a user attempts to gain access to a public folder or a message in a public folder]

As shown in the preceding diagram, the authorization process takes place in two main steps: a set of preliminary checks, and a folder-level or message-level check.

Preliminary checks for public folders or messages   Exchange performs the following preliminary checks:

  • Is the user requesting an attribute of a folder or a message? (Access control for attributes is a topic beyond the scope of this book.)

  • Is the user also performing an administrative action?

    Exchange uses this check to determine which set of permissions to use when it checks folder or message permissions. Administrative actions are controlled by a different set of permissions than the permissions that control client actions. Exchange identifies an action as "administrative" based upon the type of application that is requesting the action. If Microsoft Outlook® requests the action, Exchange treats the action as a client action. If Exchange System Manager requests the action, Exchange treats the action as an administrative action. Even if the action is the same (such as changing permissions) and the user might think of the action as "administrative," Exchange treats the action as a client action when it is requested by Outlook and as an administrative action when it is requested by Exchange System Manager. For more information about how Exchange identifies administrative actions, see "Determining the Type of Client Application" in Details of the Exchange Access Control Process.

Folder or message check for public folders or messages   Exchange handles this check in one of three ways, depending on the outcome of the preliminary checks:

  • If the user is a designated special user (for example, the user is a folder owner) and the requested action is not an administrative action, Exchange skips this check and grants full access permissions.

  • If the user is a designated special user and the requested action is an administrative action, Exchange determines whether the user has the appropriate administrative permissions to perform the requested action.

  • If the user is not a designated special user, Exchange determines whether the user has the appropriate non-administrative permissions to perform the requested action.

    Note

    System folders (such as the free and busy public folder) have additional restrictions that are not addressed here.
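The two check sequences above differ in one detail that is easy to miss: in a mailbox, a special user bypasses the folder or message check outright, and an administrative request that fails the administrative permissions is retried against the regular permissions; in a public folder, a special user's administrative request is checked against administrative permissions only, with no fallback. The following model is an added illustration, not Exchange code and not from this page's author: the user names, item paths, permission tables and the notion of a `Store` holding two permission sets are all constructed so that both decision sequences can be stepped through side by side.

```python
# Added model of the access-check sequences described on this page.
# The permission tables, user names and item paths are constructed for the
# illustration; only the order of the checks follows the page text.
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ATTRIBUTE = "attribute request: handled by attribute access control (out of scope)"
    FULL_ACCESS = "full access granted to designated special user"
    ALLOW_ADMIN = "allowed by administrative permissions"
    ALLOW_CLIENT = "allowed by client (non-administrative) permissions"
    DENY = "denied"


@dataclass(frozen=True)
class Request:
    user: str
    item: str                 # folder or message path inside the store
    action: str               # e.g. "read", "create", "change_storage_limits"
    attribute: bool = False   # True when only an attribute of the item is requested
    admin_app: bool = False   # True when Exchange System Manager (not Outlook) asks


@dataclass
class Store:
    """A mailbox or public folder tree with two independent permission sets (constructed)."""
    special_users: frozenset                          # e.g. mailbox owner or folder owner
    client_perms: dict = field(default_factory=dict)  # (user, item) -> {actions}
    admin_perms: dict = field(default_factory=dict)   # (user, item) -> {actions}

    def _has(self, table: dict, req: Request) -> bool:
        return req.action in table.get((req.user, req.item), set())

    def client_allows(self, req: Request) -> bool:
        return self._has(self.client_perms, req)

    def admin_allows(self, req: Request) -> bool:
        return self._has(self.admin_perms, req)


def check_mailbox(store: Store, req: Request) -> Decision:
    """Mailbox sequence: special users skip the item-level check; an
    administrative request that fails the administrative permissions is
    checked again against the regular (client) permissions."""
    if req.attribute:
        return Decision.ATTRIBUTE
    if req.user in store.special_users:
        return Decision.FULL_ACCESS
    if req.admin_app and store.admin_allows(req):
        return Decision.ALLOW_ADMIN
    # Client request, or an administrative request that fell through to the
    # regular permissions: the per-folder / per-message grant decides.
    return Decision.ALLOW_CLIENT if store.client_allows(req) else Decision.DENY


def check_public_folder(store: Store, req: Request) -> Decision:
    """Public folder sequence: a special user's administrative request is
    checked against administrative permissions only; everyone else is checked
    against non-administrative permissions."""
    if req.attribute:
        return Decision.ATTRIBUTE
    if req.user in store.special_users:
        if not req.admin_app:
            return Decision.FULL_ACCESS
        return Decision.ALLOW_ADMIN if store.admin_allows(req) else Decision.DENY
    return Decision.ALLOW_CLIENT if store.client_allows(req) else Decision.DENY


# Constructed sample data: alice owns the mailbox; bob and carol have been
# granted read on one message; carol also has an administrative grant on the Inbox.
MAILBOX = Store(
    special_users=frozenset({"alice"}),
    client_perms={("bob", "Inbox/Report"): {"read"},
                  ("carol", "Inbox/Report"): {"read"}},
    admin_perms={("carol", "Inbox"): {"change_storage_limits"}},
)

# Constructed sample data: alice is the folder owner; bob has a client read grant.
PUBLIC = Store(
    special_users=frozenset({"alice"}),
    client_perms={("bob", "Announcements"): {"read"}},
    admin_perms={("alice", "Announcements"): {"change_permissions"}},
)

if __name__ == "__main__":
    # bob can log on to alice's mailbox but only reaches the one message he was granted
    for req in (Request("bob", "Inbox/Report", "read"),
                Request("bob", "Inbox/Other", "read"),
                Request("carol", "Inbox/Report", "read", admin_app=True)):
        print(req.user, req.item, req.action, "->", check_mailbox(MAILBOX, req).value)
    for req in (Request("alice", "Announcements", "read"),
                Request("alice", "Announcements", "change_storage_limits", admin_app=True)):
        print(req.user, req.item, req.action, "->", check_public_folder(PUBLIC, req).value)
```

The `carol` read request through an administrative application is the mailbox fallback case: the administrative permissions do not cover "read", so the regular permissions are consulted and allow it. The same shape of request against the public folder (an owner asking for an administrative action that is not in the administrative grant) is denied, because the public folder sequence has no fallback to full access for the owner.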