Conversion Between MAPI and Windows Permissions
As described in "ACE Sequences in the ACL" in Details of the Exchange Access Control Process, Exchange routinely converts Windows 2000 permissions to and from MAPI permissions. This section lists the MAPI permissions that Exchange 2003 uses and demonstrates how Exchange converts permissions from one form to the other.
Available MAPI Permissions
The tables in this section list the MAPI permissions that Exchange 2003 uses. Only the permissions in the first table are available in the user interface; the permission groups in the second table are available only programmatically.
MAPI permissions available in the user interface
Display name | Permission |
---|---|
Read items | frightsReadAny |
Create items | frightsCreate |
Edit items: Own | frightsEditOwned |
Delete items: Own | frightsDeleteOwned |
Edit items: All | frightsEditAny |
Delete items: All | frightsDeleteAny |
Create subfolders | frightsCreateSubfolder |
Folder owner | frightsOwner |
Folder contact | frightsContact (not part of rightsAll) |
Folder visible | frightsFolderVisible |
Groups of MAPI permissions available programmatically
Permission | Member permissions |
---|---|
rightsNone | None |
rightsReadOnly | frightsReadAny |
rightsReadWrite | frightsReadAny, frightsEditAny |
rightsAll | All |
Converting to MAPI Permissions
Exchange uses the following process to convert Windows 2000 permissions to MAPI permissions.
Convert the message ACEs, as described in the following table.
Message ACEs
Exchange 2003 permissions | MAPI permissions |
---|---|
fsdrightReadProperty | frightsReadAny |
fsdrightWriteOwnProperty | frightsEditOwned |
fsdrightWriteProperty | frightsEditAny |
fsdrightDeleteOwnItem | frightsDeleteOwned |
fsdrightDelete | frightsDeleteAny |
Convert the folder ACEs, as described in the following table.
Folder ACEs
Exchange 2003 permissions | MAPI permissions |
---|---|
fsdrightCreateContainer | frightsCreateSubfolder |
fsdrightContact | frightsContact |
fsdrightWriteProperty, fsdrightOwner, fsdrightWriteSD, fsdrightDelete, fsdrightWriteOwner, fsdrightWriteAttributes, fsdrightViewItem (all of these folder owner rights must be present) | frightsOwner |
fsdrightCreateItem | frightsCreate |
For either folders or messages, if fsdrightViewItem is present, map it to frightsVisible.
Ensure that the converted permissions are internally consistent by making the following additional changes:
If frightsDeleteAny is granted, grant frightsDeleteOwned.
If frightsEditAny is granted, grant frightsEditOwned.
If frightsReadAny or frightsOwner is granted, grant frightsVisible.
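The conversion steps above written out as set logic, added here as an example and not Exchange's own code. The worked example later on this page applies the item-level (message) table to the folder ACE as well, so the helper does the same for folder ACEs; the constructed input is the FolderUsers folder ACE from that example, and right names are the page's identifiers used as plain strings.

```python
# Added example (not Exchange code): Windows-to-MAPI conversion as set logic.
# Right names are the page's identifiers used as plain strings.
def R(*names):
    return {"fsdright" + n for n in names}

MESSAGE_TABLE = {  # "Message ACEs" table
    "fsdrightReadProperty": "frightsReadAny",
    "fsdrightWriteOwnProperty": "frightsEditOwned",
    "fsdrightWriteProperty": "frightsEditAny",
    "fsdrightDeleteOwnItem": "frightsDeleteOwned",
    "fsdrightDelete": "frightsDeleteAny",
}
FOLDER_TABLE = {  # "Folder ACEs" table, single-bit rows
    "fsdrightCreateContainer": "frightsCreateSubfolder",
    "fsdrightContact": "frightsContact",
    "fsdrightCreateItem": "frightsCreate",
}
# Every one of these must be present before frightsOwner is granted.
OWNER_BITS = R("WriteProperty", "Owner", "WriteSD", "Delete", "WriteOwner",
               "WriteAttributes", "ViewItem")
# Consistency step: granting the first right also grants the second.
IMPLIES = [("frightsDeleteAny", "frightsDeleteOwned"),
           ("frightsEditAny", "frightsEditOwned"),
           ("frightsReadAny", "frightsVisible"),
           ("frightsOwner", "frightsVisible")]

def to_mapi(win_rights, is_folder):
    """Convert one Grant ACE's fsdright* bits to MAPI frights* values."""
    rights = set(win_rights)
    # The page's worked example applies the message table to folder ACEs too.
    mapi = {MESSAGE_TABLE[r] for r in rights if r in MESSAGE_TABLE}
    if is_folder:
        mapi |= {FOLDER_TABLE[r] for r in rights if r in FOLDER_TABLE}
        if OWNER_BITS <= rights:          # all-or-nothing, per the page
            mapi.add("frightsOwner")
    if "fsdrightViewItem" in rights:      # folders and messages alike
        mapi.add("frightsVisible")
    for have, implied in IMPLIES:
        if have in mapi:
            mapi.add(implied)
    return frozenset(mapi)

# Constructed input: the FolderUsers folder ACE from the page's example.
FOLDER_USERS_FOLDER_ACE = R("Synchronize", "Delete", "ReadControl", "WriteSD",
    "WriteOwner", "Owner", "WriteAttributes", "ViewItem", "WriteProperty",
    "Execute", "Reserved1", "ReadAttributes", "ListContents", "CreateItem",
    "CreateContainer", "ReadProperty")
```

Dropping a single owner bit (for example fsdrightWriteSD) from the input removes frightsOwner from the result while every other right still converts, which is the all-or-nothing behaviour the folder owner row describes.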
Converting from MAPI Permissions
Exchange uses the following process to convert MAPI permissions to Windows 2000 permissions.
Important
Exchange overwrites the existing security descriptor ACEs with the freshly converted ACEs. The same conversion takes place whether you use the MAPI user interface to modify permissions or the ACEs have been replicated from a coexisting Exchange 5.5 server. If the ACEs have been replicated from Exchange 5.5, the conversion starts with the preliminary step of converting the Exchange 5.5 distinguished name of the user or group to a Windows 2000 security identifier.
Expand the MAPI ACE into two ACEs.
An object-inherit/inherit-only (OI/IO) ACE (for messages; ignored on folders)
A container-inherit (CI) ACE (for folders; ignored on messages)
Convert the permissions in the ACEs, as described in the following table.
Permissions in the ACEs
MAPI permission | Exchange 2003 permission |
---|---|
frightsEditAny | All of the legal generic write bits on messages (except delete) |
frightsDeleteAny | fsdrightDelete |
frightsEditOwned | fsdrightWriteOwnProperty |
frightsDeleteOwned | fsdrightDeleteOwnItem |
frightsReadAny | All of the legal generic read bits on messages, and all of the legal generic execute bits on messages, including fsdrightViewItem on messages. On folder ACEs, this affects fsdrightViewItem |
frightsCreateSubfolder | fsdrightCreateContainer |
frightsOwner | fsdrightWriteProperty, fsdrightOwner, fsdrightWriteSD, fsdrightDelete, fsdrightWriteOwner, fsdrightWriteAttributes, fsdrightViewItem |
frightsContact | fsdrightContact |
frightsVisible | All of the legal generic read bits on folders, all of the legal generic execute bits on folders, and fsdrightViewItem |
Verify that the required Grant/Deny pairs of ACEs are present and in the correct sequence.
Examples of the Conversion Process
These examples illustrate the process of converting Windows 2000 permissions to MAPI permissions, and back again. As a starting point, consider a security descriptor on a folder in the Exchange store. The security descriptor contains two ACEs that specify permissions that are granted to the FolderUsers group:
A folder ACE (an ACE that carries the CONTAINER_INHERIT_ACE flag)
A message ACE (an ACE that carries the OBJECT_INHERIT_ACE and INHERIT_ONLY_ACE flags)
To simplify the discussion, these ACEs grant all applicable permissions to the FolderUsers group. Otherwise, two additional ACEs would be required to deny any permissions that were not granted.
The following table lists the permissions that are granted by the two ACEs.
Permissions specified by the FolderUsers group's two Grant ACEs
Permissions in the folder ACE | Permissions in the message ACE |
---|---|
fsdrightSynchronize | fsdrightSynchronize |
fsdrightDelete | fsdrightDelete |
fsdrightReadControl | fsdrightReadControl |
fsdrightWriteSD | fsdrightWriteSD |
fsdrightWriteOwner | fsdrightWriteOwner |
fsdrightOwner | fsdrightWriteAttributes |
fsdrightWriteAttributes | fsdrightWriteOwnProperty |
fsdrightViewItem | fsdrightDeleteOwnItem |
fsdrightWriteProperty | fsdrightViewItem |
fsdrightExecute | fsdrightWriteProperty |
fsdrightReserved1 | fsdrightExecute |
fsdrightReadAttributes | fsdrightReadAttributes |
fsdrightListContents | fsdrightReadBody |
fsdrightCreateItem | fsdrightWriteBody |
fsdrightCreateContainer | fsdrightAppendMsg |
fsdrightReadProperty | fsdrightReadProperty |
This example concentrates on the folder ACE. For the moment, it is not necessary to be concerned with the message ACE.
The following table shows how the Windows 2000 permissions map to MAPI permissions. Note that in many cases a single MAPI permission maps to a group of Windows 2000 permissions, and some of the Windows 2000 permissions are dropped.
Converting permissions
Windows 2000 permissions | MAPI permissions |
---|---|
fsdrightOwner, fsdrightWriteAttributes, fsdrightWriteSD, fsdrightWriteOwner (fsdrightViewItem, fsdrightWriteProperty, and fsdrightDelete must also be present for this conversion to succeed) | frightsOwner |
fsdrightViewItem | frightsVisible |
fsdrightWriteProperty | frightsEditAny, frightsEditOwned |
fsdrightDelete | frightsDeleteAny, frightsDeleteOwned |
fsdrightCreateItem | frightsCreate |
fsdrightCreateContainer | frightsCreateSubfolder |
fsdrightReadProperty | frightsReadAny |
fsdrightSynchronize, fsdrightReadControl, fsdrightExecute, fsdrightReserved1, fsdrightReadAttributes, fsdrightListContents | Ignored |
The mapping process shown above results in a folder ACE for the group FolderUsers that grants MAPI permissions.
To reverse the conversion, Exchange starts by duplicating the ACE to again produce a folder ACE and a message ACE, as shown in the following table.
Duplicate ACEs
Folder ACE | Message ACE |
---|---|
frightsOwner | frightsOwner |
frightsVisible | frightsVisible |
frightsEditAny | frightsEditAny |
frightsEditOwned | frightsEditOwned |
frightsDeleteAny | frightsDeleteAny |
frightsDeleteOwned | frightsDeleteOwned |
frightsCreate | frightsCreate |
frightsCreateSubfolder | frightsCreateSubfolder |
frightsReadAny | frightsReadAny |
Next, Exchange converts the permissions, as shown in the following two tables.
Converting the folder ACE
MAPI permissions | Windows 2000 permissions |
---|---|
frightsOwner | fsdrightOwner, fsdrightWriteProperty, fsdrightWriteSD, fsdrightDelete, fsdrightWriteOwner, fsdrightWriteAttributes, fsdrightViewItem |
frightsVisible | fsdrightViewItem, fsdrightReadControl, fsdrightReadAttributes, fsdrightExecute, fsdrightReadProperty, fsdrightSynchronize |
frightsEditAny | fsdrightReadControl, fsdrightWriteBody (ignored on folders), fsdrightWriteAttributes, fsdrightWriteProperty, fsdrightAppendMsg (ignored on folders), fsdrightCreateItem, fsdrightDelete, fsdrightCreateContainer, fsdrightOwner, fsdrightSynchronize, fsdrightWriteSD, fsdrightWriteOwner |
frightsEditOwned | fsdrightWriteOwnProperty (ignored on folders) |
frightsDeleteAny | fsdrightDelete |
frightsDeleteOwned | fsdrightDeleteOwnItem (ignored on folders) |
frightsCreate | fsdrightCreateItem |
frightsCreateSubfolder | fsdrightCreateContainer |
frightsReadAny | fsdrightReadControl, fsdrightReadBody (ignored on folders), fsdrightListContents, fsdrightReadAttributes, fsdrightReadProperty, fsdrightViewItem, fsdrightSynchronize, fsdrightExecute |
Converting the message ACE
MAPI permissions | Windows 2000 permissions |
---|---|
frightsOwner | fsdrightOwner (ignored on messages), fsdrightWriteProperty, fsdrightWriteSD, fsdrightDelete, fsdrightWriteOwner, fsdrightWriteAttributes, fsdrightViewItem |
frightsVisible | fsdrightViewItem, fsdrightReadControl, fsdrightReadAttributes, fsdrightExecute, fsdrightReadProperty, fsdrightSynchronize |
frightsEditAny | fsdrightReadControl, fsdrightWriteBody, fsdrightWriteAttributes, fsdrightWriteProperty, fsdrightAppendMsg, fsdrightCreateItem (ignored on messages), fsdrightDelete, fsdrightCreateContainer (ignored on messages), fsdrightOwner (ignored on messages), fsdrightSynchronize, fsdrightWriteSD, fsdrightWriteOwner |
frightsEditOwned | fsdrightWriteOwnProperty |
frightsDeleteAny | fsdrightDelete |
frightsDeleteOwned | fsdrightDeleteOwnItem |
frightsCreate | fsdrightCreateItem (ignored on messages) |
frightsCreateSubfolder | fsdrightCreateContainer (ignored on messages) |
frightsReadAny | fsdrightReadControl, fsdrightReadBody, fsdrightListContents (ignored on messages), fsdrightReadAttributes, fsdrightReadProperty, fsdrightViewItem, fsdrightSynchronize, fsdrightExecute |
The preceding conversions produce the two Grant ACEs, as shown in the following table.
Permissions specified by the FolderUsers group's two Grant ACEs
Permissions in the folder ACE | Permissions in the message ACE |
---|---|
fsdrightOwner | fsdrightWriteProperty |
fsdrightWriteProperty | fsdrightWriteSD |
fsdrightWriteSD | fsdrightDelete |
fsdrightDelete | fsdrightWriteOwner |
fsdrightWriteOwner | fsdrightWriteAttributes |
fsdrightWriteAttributes | fsdrightViewItem |
fsdrightViewItem | fsdrightReadControl |
fsdrightReadControl | fsdrightReadAttributes |
fsdrightReadAttributes | fsdrightExecute |
fsdrightExecute | fsdrightReadProperty |
fsdrightReadProperty | fsdrightSynchronize |
fsdrightSynchronize | fsdrightWriteBody |
fsdrightCreateItem | fsdrightAppendMsg |
fsdrightCreateContainer | fsdrightWriteOwnProperty |
fsdrightListContents | fsdrightDeleteOwnItem |
fsdrightReserved1 | fsdrightReadBody |
The folder ACE and the message ACE effectively grant all of the available permissions to FolderUsers, so that the two corresponding Deny ACEs are not needed. Basically, these are the same two ACEs that were listed in the "Permissions specified by the FolderUsers group's two Grant ACEs" table, before any conversions took place.
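The reverse direction, covering both the "Converting from MAPI Permissions" procedure and the example just worked through, as an added example that is not Exchange's own code. It expands one MAPI ACE into the folder (CI) and message (OI/IO) Grant ACEs using the concrete expansions from the "Converting the folder ACE" and "Converting the message ACE" tables, then derives the Deny ACE each Grant ACE would need; "all applicable permissions" per ACE kind is taken from the first FolderUsers table, and right names are the page's identifiers used as plain strings.

```python
# Added example, not Exchange's own code: expand one MAPI ACE into its folder
# (CI) and message (OI/IO) Grant ACEs and derive the Deny ACE each needs.
# Expansions come from the "Converting the folder ACE" and "Converting the
# message ACE" tables; right names are the page's identifiers as strings.
def R(*names):
    return {"fsdright" + n for n in names}

EXPANSION = {
    "frightsOwner": R("Owner", "WriteProperty", "WriteSD", "Delete", "WriteOwner",
                      "WriteAttributes", "ViewItem"),
    "frightsVisible": R("ViewItem", "ReadControl", "ReadAttributes", "Execute",
                        "ReadProperty", "Synchronize"),
    "frightsEditAny": R("ReadControl", "WriteBody", "WriteAttributes", "WriteProperty",
                        "AppendMsg", "CreateItem", "Delete", "CreateContainer", "Owner",
                        "Synchronize", "WriteSD", "WriteOwner"),
    "frightsEditOwned": R("WriteOwnProperty"),
    "frightsDeleteAny": R("Delete"),
    "frightsDeleteOwned": R("DeleteOwnItem"),
    "frightsCreate": R("CreateItem"),
    "frightsCreateSubfolder": R("CreateContainer"),
    "frightsContact": R("Contact"),
    "frightsReadAny": R("ReadControl", "ReadBody", "ListContents", "ReadAttributes",
                        "ReadProperty", "ViewItem", "Synchronize", "Execute"),
}
# Bits the tables mark "ignored on folders" and "ignored on messages".
MESSAGE_ONLY = R("WriteBody", "AppendMsg", "WriteOwnProperty", "DeleteOwnItem", "ReadBody")
FOLDER_ONLY = R("Owner", "CreateItem", "CreateContainer", "ListContents")
# "All applicable permissions" per ACE kind, from the first FolderUsers table.
COMMON = R("Synchronize", "Delete", "ReadControl", "WriteSD", "WriteOwner", "WriteAttributes",
           "ViewItem", "WriteProperty", "Execute", "ReadAttributes", "ReadProperty")
ALL_FOLDER = COMMON | FOLDER_ONLY | R("Reserved1")
ALL_MESSAGE = COMMON | MESSAGE_ONLY

def from_mapi(mapi_rights):
    """Duplicate the MAPI ACE and convert each copy; returns (folder, message)."""
    expanded = set()
    for right in mapi_rights:
        expanded |= EXPANSION[right]   # an unknown frights* value raises KeyError
    return frozenset(expanded - MESSAGE_ONLY), frozenset(expanded - FOLDER_ONLY)

def grant_deny_pairs(mapi_rights):
    """Grant/Deny pairs: each Deny ACE carries what its Grant ACE leaves out."""
    folder, message = from_mapi(mapi_rights)
    return {"folder": (folder, frozenset(ALL_FOLDER - folder)),
            "message": (message, frozenset(ALL_MESSAGE - message))}

# Constructed input: the MAPI rights the page derives for the FolderUsers ACE.
FOLDER_USERS_MAPI = {"frightsOwner", "frightsVisible", "frightsEditAny",
                     "frightsEditOwned", "frightsDeleteAny", "frightsDeleteOwned",
                     "frightsCreate", "frightsCreateSubfolder", "frightsReadAny"}
```

For the FolderUsers input the message Deny ACE comes out empty and the folder Deny ACE carries only fsdrightReserved1, which none of the page's conversion rows produces even though the final table lists it; that is the gap behind the word "effectively" above.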