Permissions Available in Exchange
The following sections list the different permissions that are available in Microsoft® Exchange. For more detailed information about most of these permissions (such as their hexadecimal, access-mask values), see the Exchange Server 2003 TechCenter, or the Microsoft Windows® 2000 or Active Directory® directory service documentation in the Microsoft Platform SDK.
Special Permissions
Exchange uses special permissions internally to govern access to mailboxes, in conjunction with the preliminary checks that it performs. Exchange does not use these permissions for security descriptors. The following table lists these mailbox-specific permissions.
Mailbox-specific permissions
| Exchange permissions | Member permissions or Windows equivalents |
|---|---|
fsdpermUserDeleteMailbox |
DELETE |
fsdpermUserMailboxOwner |
|
fsdpermUserSendAs |
|
fsdpermUserPrimaryUser |
(Used in conjunction with the Master Account SID in Active Directory) |
sdpermUserGenericRead |
STANDARD_RIGHTS_READ |
sdpermUserGenericExecute |
STANDARD_RIGHTS_EXECUTE |
sdpermUserGenericWrite |
STANDARD_RIGHTS_WRITE fsdpermUserDeleteMailbox |
sdpermUserGenericAll |
STANDARD_RIGHTS_ALL FsdpermUserMailboxOwner FsdpermUserSendAs fsdpermUserPrimaryUser |
Permissions Used in the Windows NT Security Descriptor
The following tables list the permissions that are used in the Microsoft Windows NT® security descriptor. For more information about these permissions, see the "Security" topic in the "Key Tasks" section of the Microsoft Exchange Software Development Kit (SDK).
Permissions for Mailbox Folders and Public Folders
The permissions used in the Windows NT security descriptor of a folder are the same whether the folder resides in a mailbox or in a public folder hierarchy. The following tables list these permissions (the permissions listed in the "Standard Windows permissions used in folder security descriptors" table are available on objects throughout Windows 2000).
In the following table, an asterisk (*) denotes an Exchange-specific permission.
Folder permissions
| Display name | Permission | Description |
|---|---|---|
List contents |
fsdrightListContents |
Same as FILE_LIST_DIRECTORY. Trustee can list file contents. |
Create item |
fsdrightCreateItem |
Same as FILE_ADD_FILE. Trustee can add a file to a folder. |
Create container |
fsdrightCreateContainer |
Same as FILE_ADD_SUBDIRECTORY. Trustee can add a subfolder. |
Read property |
fsdrightReadProperty |
Same as FILE_READ_EA. |
Write property |
fsdrightWriteProperty |
Same as FILE_WRITE_EA. |
Read attributes |
fsdrightReadAttributes |
Same as FILE_READ_ATTRIBUTES. Reserved for future use. |
Write attributes |
fsdrightWriteAttributes |
Same as FILE_WRITE_ATTRIBUTES. Reserved for future use. |
Write own property |
fsdrightWriteOwnProperty* |
The trustee can modify his or her own items. |
Delete own item |
fsdrightDeleteOwnItem |
The trustee can delete his or her own items. |
View item |
fsdrightViewItem* |
The trustee can view items. |
Owner |
fsdrightOwner* |
The trustee is the owner of the folder. This right corresponds to the frightsOwner right in previous versions of Exchange and is provided for backward compatibility. |
Contact |
fsdrightContact* |
Not used for security. Identifies the user as the contact for the folder. This right corresponds to the frightsContact right in previous versions of Exchange and is provided for backward compatibility. |
- |
fsdrightReserved1 |
Same as FILE_DELETE_CHILD. Currently unused. |
Note
The permissions fsdrightReadProperty and fsdrightReadAttributes are related and are always granted or denied together. Similarly, fsdrightWriteProperty and fsdrightWriteAttributes are always granted or denied together.
Standard Windows permissions used in folder security descriptors
| Display name | Permission | Member permission or Windows equivalent |
|---|---|---|
Delete |
fsdrightDelete |
DELETE |
Read permissions |
fsdrightReadControl |
READ_CONTROL |
Change permissions |
fsdrightWriteSD |
WRITE_DAC |
Take ownership |
fsdrightWriteOwner |
WRITE_OWNER |
Synchronize |
fsdrightSynchronize |
SYNCHRONIZE |
- |
sdrightsFolderOwner |
fsdrightWriteProperty fsdrightOwner fsdrightWriteSD fsdrightDelete fsdrightWriteOwner fsdrightWriteAttributes |
Permissions for Messages
The tables in this section list the message permissions.
Message permissions
| Display name | Permission | Member permission or Windows equivalent |
|---|---|---|
Read body |
fsdrightReadBody |
Only on messages, same as FILE_READ_DATA. |
Write body |
fsdrightWriteBody |
Only on messages, same as FILE_WRITE_DATA. |
Append message |
fsdrightAppendMsg |
Only on messages, same as FILE_WRITE_DATA. Enforced by IFS. |
Read property |
fsdrightReadProperty |
Same as FILE_READ_EA. |
Write property |
fsdrightWriteProperty |
Same as FILE_WRITE_EA. |
Execute |
fsdrightExecute |
Same as FILE_EXECUTE/FILE_TRAVERSE. Enforced by IFS. |
Read attributes |
fsdrightReadAttributes |
Same as FILE_READ_ATTRIBUTES. Currently unused. |
Write attributes |
fsdrightWriteAttributes |
Same as FILE_WRITE_ATTRIBUTES. Currently unused. |
Write own property |
fsdrightWriteOwnProperty |
Only on messages. |
Delete own item |
fsdrightDeleteOwnItem |
Only on messages. |
View item |
fsdrightViewItem |
|
Note
The permissions fsdrightReadProperty, fsdrightReadAttributes, and fsdrightReadBody are related and are always granted or denied together. Similarly, fsdrightWriteProperty, fsdrightWriteAttributes, and fsdrightWriteBody are always granted or denied together.
Note
The permissions listed in the following two tables do not appear in the user interface. However, they can be used in custom applications.
Standard Windows permissions used in message security descriptors
| Display name | Permission | Member permission or Windows equivalent |
|---|---|---|
Delete |
fsdrightDelete |
DELETE |
Read permissions |
fsdrightReadControl |
READ_CONTROL |
Change permissions |
fsdrightWriteSD |
WRITE_DAC |
Take ownership |
fsdrightWriteOwner |
WRITE_OWNER |
Synchronize |
fsdrightSynchronize |
SYNCHRONIZE |
Note
In the following table, access rights that belong to the sdrightsIgnored permission are ignored in the determination of an Exchange Canonical ACL. Because the Exchange store ignores these rights, their presence or absence doesn't make an ACL canonical.
Groups of message permissions
| Permission | Member permission or Windows equivalent |
|---|---|
sdrightsNone |
|
sdrightsBestAccess |
MAXIMUM_ALLOWED |
sdrightsReadOnly |
GENERIC_READ |
sdrightsReadWrite |
GENERIC_READ GENERIC_WRITE |
sdrightsGenericRead |
fsdrightReadControl fsdrightReadBody fsdrightReadAttributes fsdrightReadProperty fsdrightViewItem fsdrightSynchronize |
sdrightsGenericWrite |
fsdrightReadControl fsdrightWriteBody fsdrightWriteAttributes fsdrightWriteProperty fsdrightAppendMsg fsdrightCreateItem fsdrightDelete fsdrightCreateContainer fsdrightOwner fsdrightSynchronize fsdrightWriteSD fsdrightWriteOwner |
sdrightsGenericExecute |
fsdrightReadControl fsdrightReadAttributes fsdrightExecute fsdrightViewItem fsdrightSynchronize |
sdrightsGenericAll |
fsdrightDelete fsdrightReadProperty fsdrightWriteProperty fsdrightCreateItem fsdrightCreateContainer fsdrightReadControl fsdrightWriteSD fsdrightWriteOwner fsdrightReadControl fsdrightViewItem fsdrightOwner fsdrightWriteOwnProperty fsdrightDeleteOwnItem fsdrightSynchronize fsdrightExecute fsdrightReserved1 fsdrightReadAttributes fsdrightWriteAttributes fsdrightReadBody fsdrightWriteBody fsdrightSynchronize fsdrightContact |
sdrightsIgnored |
fsdrightExecute fsdrightAppendMsg fsdrightContact fsdrightReserved1 |
Backward-compatible message permissions
| Permission | Member permissions |
|---|---|
msgrightsGenericRead |
sdrightsGenericRead sdrightsItems |
msgrightsGenericWrite |
sdrightsGenericWrite sdrightsItems |
msgrightsGenericExecute |
sdrightsGenericExecute sdrightsItems |
msgrightsGenericAll |
sdrightsGenericAll sdrightsItems |
fldrightsGenericRead |
sdrightsGenericRead sdrightsFolders |
fldrightsGenericWrite |
sdrightsGenericWrite sdrightsFolders |
fldrightsGenericExecute |
sdrightsGenericExecute sdrightsFolders |
fldrightsGenericAll |
sdrightsGenericAll sdrightsFolders |
Exchange provides an additional control value, EXCHANGE_RM_SET_EXPLICIT_SD, which can be set in the control field of a security descriptor. An administrator can then set the security descriptor of the object explicitly. For more information about setting EXCHANGE_RM_SET_EXPLICIT_SD, see the Windows XP API documentation.
Permissions Used in the Administrative Security Descriptor
In addition to standard Windows 2000 permissions, Exchange defines a set of extended permissions that pertain specifically to Exchange functions. The following table lists these permissions.
Note
The permissions Create public folder, Create top-level public folder, and Create named properties in the information store can apply to both administrative and non-administrative users.
Extended permissions defined and used by Exchange
| Display name | Common name (cn) |
|---|---|
Add PF to admin group |
ms-Exch-Add-PF-To-Admin-Group |
Exchange administrator |
ms-Exch-Admin-Role-Administrator |
Exchange full administrator |
ms-Exch-Admin-Role-Full-Administrator |
Exchange public folder read-only administrator |
ms-Exch-Admin-Role-Read-Only-Administrator |
Exchange public folder service |
ms-Exch-Admin-Role-Service |
Create public folder |
ms-Exch-Create-Public-Folder |
Create top level public folder |
ms-Exch-Create-Top-Level-Public-Folder |
Mail-enable public folder |
ms-Exch-Mail-Enabled-Public-Folder |
Modify public folder ACL |
ms-Exch-Modify-PF-ACL |
Modify public folder admin ACL |
ms-Exch-Modify-PF-Admin-ACL |
Modify public folder deleted item retention |
ms-Exch-Modify-Public-Folder-Deleted-Item-Retention |
Modify public folder expiry |
ms-Exch-Modify-Public-Folder-Expiry |
Modify public folder quotas |
ms-Exch-Modify-Public-Folder-Quotas |
Modify public folder replica list |
ms-Exch-Modify-Public-Folder-Replica-List |
Open mail send queue |
ms-Exch-Open-Send-Queue |
Read metabase properties |
ms-Exch-Read-Metabase-Properties |
Remove PF from admin group |
ms-Exch-Remove-PF-From-Admin-Group |
Administer information store |
ms-Exch-Store-Admin |
Create named properties in the information store |
ms-Exch-Store-Create-Named-Properties |
View information store status |
ms-Exch-Store-Visible |
Send-As |
Send-As |
Receive-As |
Receive-As |