Understanding Public Folder Permissions

You can configure public folder permissions for administrators or for users of client programs such as Microsoft Outlook. Public folder permissions consist of various access rights that specify the level of control a client user or administrator has over a public folder or public folder hierarchy.

Looking for management tasks related to public folder permissions? Check out Managing Public Folder Permissions.

Client User Access Rights and Roles

Use the Exchange Management Shell to configure the permissions for users who use client programs such as Outlook to access public folders. Whether you want to manually select the access rights or use predefined roles that contain specific access rights, you'll use the Add-PublicFolderClientPermission cmdlet.

Important

To make sure users can send e-mail messages to a mail-enabled public folder, the public folder must have at least the CreateItems access right granted to the Anonymous account.

The following is a list of client user access rights (followed by a table that shows the predefined permission roles):

  • ReadItems   The user can read items within the specified public folder.
  • CreateItems   The user can create items within the specified public folder and send e-mail messages to the public folder if it's mail-enabled.
  • EditOwnedItems   The user can edit the items that the user owns in the specified public folder.
  • DeleteOwnedItems   The user can delete items that the user owns in the specified public folder.
  • EditAllItems   The user can edit all items in the specified public folder.
  • DeleteAllItems   The user can delete all items in the specified public folder.
  • CreateSubfolders   The user can create subfolders in the specified public folder.
  • FolderOwner   The user is the owner of the specified public folder. The user can view and move the public folder, create subfolders, and set permissions for the folder. The user can't read, edit, delete, or create items.
  • FolderContact   The user is the contact for the specified public folder.
  • FolderVisible   The user can view the specified public folder, but can't read or edit items within the specified public folder.

The following table lists the predefined public folder roles and the access rights that are included in each role. The table headers reflect the access rights listed previously in this topic.

Note

The FolderOwner access right and the Owner role have different permissions as shown in the following table.

Access rights included with each predefined public folder role

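| Role | CreateItems | ReadItems | CreateSubfolders | FolderOwner | FolderContact | FolderVisible | EditOwnedItems | EditAllItems | DeleteOwnedItems | DeleteAllItems |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| None | | | | | | X | | | | |
| Owner | X | X | X | X | X | X | X | X | X | X |
| PublishingEditor | X | X | X | | | X | X | X | X | X |
| Editor | X | X | | | | X | X | X | X | X |
| PublishingAuthor | X | X | X | | | X | X | | X | X |
| Author | X | X | | | | X | X | | X | |
| Non-EditingAuthor | X | X | | | | X | | | | |
| Reviewer | | X | | | | X | | | | |
| Contributor | X | | | | | X | | | | |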

Note

Client users can use Outlook to manage public folder permissions for public folders that reside on a server running Microsoft Exchange Server 2010. For information about how to manage public folder permissions from Microsoft Office Outlook 2007 or Outlook 2010, see Create and Share a Public Folder. For information about how to manage public folder permissions for public folders that reside on Exchange 2010 servers from Office Outlook 2003, see Outlook folder permissions.
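The following is an added example, not part of the original topic, that uses the role table above to audit client permissions: it expands role names into their access rights and reports folders where the Anonymous account holds more than the Contributor rights (CreateItems, FolderVisible). The Contributor baseline, the function names, the sample folder paths, and the assumption that the User value renders as the text "Anonymous" are illustrative choices, not statements from this topic.

```powershell
# Rights per predefined role, transcribed from the table above.
$RoleRights = @{
    None                = 'FolderVisible'
    Owner               = 'CreateItems','ReadItems','CreateSubfolders','FolderOwner','FolderContact',
                          'FolderVisible','EditOwnedItems','EditAllItems','DeleteOwnedItems','DeleteAllItems'
    PublishingEditor    = 'CreateItems','ReadItems','CreateSubfolders','FolderVisible',
                          'EditOwnedItems','EditAllItems','DeleteOwnedItems','DeleteAllItems'
    Editor              = 'CreateItems','ReadItems','FolderVisible',
                          'EditOwnedItems','EditAllItems','DeleteOwnedItems','DeleteAllItems'
    PublishingAuthor    = 'CreateItems','ReadItems','CreateSubfolders','FolderVisible',
                          'EditOwnedItems','DeleteOwnedItems','DeleteAllItems'
    Author              = 'CreateItems','ReadItems','FolderVisible','EditOwnedItems','DeleteOwnedItems'
    'Non-EditingAuthor' = 'CreateItems','ReadItems','FolderVisible'
    Reviewer            = 'ReadItems','FolderVisible'
    Contributor         = 'CreateItems','FolderVisible'
}

# An entry can carry a role name or individual rights; normalize both to individual rights.
function Expand-ClientRights([string[]]$Rights) {
    $Rights | ForEach-Object { if ($RoleRights.ContainsKey($_)) { $RoleRights[$_] } else { $_ } } |
        Sort-Object -Unique
}

# Report entries where $Principal holds rights outside the allowed baseline (hypothetical helper).
function Find-ExcessClientGrant {
    param([Parameter(ValueFromPipeline = $true)] $Entry,
          [string]   $Principal = 'Anonymous',
          [string[]] $Allowed   = $RoleRights['Contributor'])   # assumed least-privilege baseline
    process {
        # Assumption: the User property converts to the text 'Anonymous' or 'Default'.
        if ("$($Entry.User)" -ne $Principal) { return }
        $held   = @(Expand-ClientRights ($Entry.AccessRights | ForEach-Object { "$_" }))
        $excess = @($held | Where-Object { $Allowed -notcontains $_ })
        if ($excess.Count -gt 0) {
            New-Object PSObject -Property @{
                Folder = "$($Entry.Identity)"; User = $Principal; Excess = ($excess -join ',') }
        }
    }
}

# Constructed sample entries shaped like Get-PublicFolderClientPermission output.
$sample = @(
    @{ Identity = '\Helpdesk';    User = 'Anonymous'; AccessRights = 'Contributor' },
    @{ Identity = '\Helpdesk';    User = 'Default';   AccessRights = 'Author' },
    @{ Identity = '\HR\Policies'; User = 'Anonymous'; AccessRights = 'PublishingEditor' },
    @{ Identity = '\Sales';       User = 'Anonymous'; AccessRights = 'CreateItems','ReadItems' }
) | ForEach-Object { New-Object PSObject -Property $_ }
$sample | Find-ExcessClientGrant | Format-Table Folder, User, Excess -AutoSize
# Live use: Get-PublicFolder '\' -Recurse | Get-PublicFolderClientPermission | Find-ExcessClientGrant
```

Pass -Principal 'Default' and a different -Allowed list to review the Default account against whatever baseline your organization sets.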

Administrator Access Rights

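In Exchange 2010, there are two ways to grant administrators the rights to manage public folders: through the Public Folder Management role group, or by using the Add-PublicFolderAdministrativePermission cmdlet.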

The following table describes the differences between the rights that are granted by the Public Folder Management role group and the rights that are granted by using the Add-PublicFolderAdministrativePermission cmdlet.

Administrator access rights differences

| Public Folder Management role group | Add-PublicFolderAdministrativePermission cmdlet |
| --- | --- |
| The user can create top-level public folders. | The user can't create top-level public folders. |
| The user is granted the AllExtendedRights permission to public folders and the rights to run the public folder cmdlets. | The user can be granted or denied specific rights to public folders. |
| The user can administer any top-level public folder, child public folder, and system public folders in the public folder tree. In addition, this user's access rights can't be revoked by using the Remove-PublicFolderAdministrativePermission cmdlet. | The user can be granted the right to administer specific top-level public folders and specific child public folders. However, the user's access rights can be revoked by using the Remove-PublicFolderAdministrativePermission cmdlet. |
| The Public Folder Management role group is a Role Based Access Control (RBAC) role group that consists of the following roles: Mail-Enabled Public Folders role; Public Folders role; Public Folder Replication role. For more information, see Public Folder Management. | Not applicable |

The following list describes the standard set of administrative access rights that can be set on a public folder:

  • None   The administrator doesn't have any rights to modify public folder attributes.
  • ModifyPublicFolderACL   The administrator has the right to modify Client Access server role permissions for the specified folder.
  • ModifyPublicFolderAdminACL   The administrator has the right to modify administrator permissions for the specified public folder.
  • ModifyPublicFolderDeletedItemRetention   The administrator has the right to modify the Public Folder Deleted Item Retention attributes (RetainDeletedItemsFor, UseDatabaseRetentionDefaults).
  • ModifyPublicFolderExpiry   The administrator has the right to modify the Public Folder Expiration attributes (AgeLimit, UseDatabaseAgeDefaults).
  • ModifyPublicFolderQuotas   The administrator has the right to modify the Public Folder Quota attributes (MaxItemSize, PostQuota, PostWarningQuota, UseDatabaseQuotaDefaults).
  • ModifyPublicFolderReplicaList   The administrator has the right to modify the replica list attribute for the specified public folder (Replicas).
  • AdministerInformationStore   The administrator has the right to modify all other public folder properties not defined previously.
  • ViewInformationStore   The administrator has the right to view public folder properties.
  • AllExtendedRights   The administrator has the right to modify all public folder properties.

Creating Custom Role Groups

In addition to the Public Folder Management role group and the Add-PublicFolderAdministrativePermission cmdlet, you can create custom role groups that allow a user to perform only certain tasks. For example, if you want to allow an administrator to manage public folders and mail-enabled public folders, but not public folder replication, you can create a custom role group that includes only the Mail Enabled Public Folders role and the Public Folders role. For more information about creating role groups, see Create a Role Group.
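The following is an added example, not part of the original topic, showing the two narrower delegation options described above as Exchange Management Shell commands: a custom role group without the Public Folder Replication role, and a single folder-scoped administrative right that can later be revoked. The role group name "PF Content Admins", the user "kim", and the folder "\Marketing" are hypothetical.

```powershell
# Hypothetical names: role group 'PF Content Admins', user 'kim', folder '\Marketing'.

# Custom role group carrying only the two roles named above (no Public Folder Replication role).
New-RoleGroup -Name 'PF Content Admins' `
    -Roles 'Mail Enabled Public Folders', 'Public Folders' `
    -Members 'kim' `
    -Description 'Manage public folders and mail-enabled public folders; no replication'

# Confirm which roles the group actually carries before relying on it.
Get-ManagementRoleAssignment -RoleAssignee 'PF Content Admins' |
    Select-Object Role, RoleAssigneeName

# Folder-scoped alternative: grant one specific administrative right on one folder.
Add-PublicFolderAdministrativePermission -Identity '\Marketing' -User 'kim' `
    -AccessRights ModifyPublicFolderQuotas

# Review the administrative permissions now set on that folder.
Get-PublicFolderAdministrativePermission -Identity '\Marketing' | Format-List

# Revoke the right when it is no longer needed.
Remove-PublicFolderAdministrativePermission -Identity '\Marketing' -User 'kim' `
    -AccessRights ModifyPublicFolderQuotas -Confirm:$false
```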