Exchange Server 2003


The Exchange store supports Microsoft® Windows® 2000 and Microsoft® Windows NT® security descriptors. Each item and folder has a security descriptor property. This property, along with others in the namespace, is stored in a binary format, but is provided as XML.

Note: Because architecturally a folder is an item that is also a collection, this documentation uses "item" to refer to either an Exchange store folder or item.

You can use the Exchange Application Security Module, a set of Microsoft JScript® and ASP files, to access and modify the XML content provided by the security descriptor. A security descriptor consists of access control entries (ACEs) that specify security identifiers (SIDs) for security principals such as users, administrators, and groups in Microsoft Active Directory®. These ACEs are contained in an access control list (ACL).

The Exchange Application Security Module provides two objects: a discretionary access control list (DACL) object and an entity object. The DACL object can contain one or more entity objects. Entity objects define security principals and their SIDs. In the Security Module, hexadecimal bitmasks identify a user's permissions that are evaluated against an item's security identifier (SID). To understand how bitmasks are evaluated, see the HasMask Method. The Exchange Application Security Module does not provide an object for accessing a system access control list (SACL).

To secure an item, create a DACL object and load the item's URL to obtain its DACL. The DACL object contains a collection of entity objects of the existing security principals. You can add and remove entity objects and manipulate the permissions for the secured item.

The Exchange Application Security Module uses Microsoft ActiveX® Data Objects (ADO) on the server to load and save DACL objects, based on input received from client browsers. If the browser is Microsoft Internet Explorer, the client can use an XMLHTTP object to manipulate security descriptors remotely.

This module is supplemented with a sample application that uses the methods and properties defined by core Application Security Module files. You can use this sample with Internet Explorer or any browser that supports JScript. You can modify this application and use its code in other applications and scripts.

You can perform the following tasks with the Application Security Module:

  • Manage masks on entity objects using methods that compare, copy, and clear masks.
  • Manage entities in DACL objects as a collection, and use the DACL object as a template to manage and compare entities.
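The following is an added example, not code from the Exchange Application Security Module, that models the objects described above: a DACL holding entity objects keyed by SID, a HasMask-style bitmask check, a simplified effective-access evaluation, template comparison, and refusal to change inherited ACEs. The names (Dacl, Entity, hasMask, diffFrom) and the RIGHTS mask values are assumptions chosen for illustration.

```javascript
// Constructed rights bitmasks (hexadecimal, as the module uses); values are illustrative only.
const RIGHTS = Object.freeze({ READ: 0x1, WRITE: 0x2, DELETE: 0x4, CHANGE_PERMISSIONS: 0x10 });

// An entity pairs a security principal's SID with an allow mask, a deny mask, and an
// inherited flag (an ACE inherited from the parent folder cannot be changed).
class Entity {
  constructor(sid, allowMask, denyMask = 0, inherited = false) {
    this.sid = sid;
    this.allowMask = allowMask >>> 0;
    this.denyMask = denyMask >>> 0;
    this.inherited = inherited;
  }
  // HasMask-style check: every bit of mask must be allowed and no bit of it denied.
  hasMask(mask) {
    return (this.allowMask & mask) === mask && (this.denyMask & mask) === 0;
  }
}

// A DACL is a collection of entities keyed by SID; inherited entries are read-only here.
class Dacl {
  constructor() { this.entities = new Map(); }
  add(entity) {
    const existing = this.entities.get(entity.sid);
    if (existing && existing.inherited) throw new Error("inherited ACE: " + entity.sid);
    this.entities.set(entity.sid, entity);
    return entity;
  }
  remove(sid) {
    const existing = this.entities.get(sid);
    if (existing && existing.inherited) throw new Error("inherited ACE: " + sid);
    return this.entities.delete(sid);
  }
  // Simplified effective-access check for a principal and its groups: any deny wins,
  // otherwise allow bits from all matching entities accumulate (ACE order is ignored).
  isAllowed(sids, mask) {
    let allowed = 0;
    for (const sid of sids) {
      const e = this.entities.get(sid);
      if (!e) continue;
      if (e.denyMask & mask) return false;
      allowed |= e.allowMask;
    }
    return (allowed & mask) === mask;
  }
  // Template comparison: SIDs whose allow/deny masks differ from the template DACL.
  diffFrom(template) {
    const sids = new Set([...this.entities.keys(), ...template.entities.keys()]);
    return [...sids].filter((sid) => {
      const a = this.entities.get(sid), b = template.entities.get(sid);
      return !a || !b || a.allowMask !== b.allowMask || a.denyMask !== b.denyMask;
    }).sort();
  }
}
```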

The following figure shows the Exchange Application Security Module architecture:

[Figure: Architecture of the Application Security Module]

Note: The Application Security Module does not allow you to set permissions on inherited ACEs.
