Security Roles

Topic Last Modified: 2007-03-23

You can control access to Exchange store items, including folders, by defining access rights for security principals. A security principal can be a user or a group as defined in the Active Directory® directory service. This model is consistent with Microsoft Windows Server® operating system security. Microsoft Exchange Server 2007 offers an additional security principal called a role.

You can add a role as an access control entry (ACE) to the security descriptor for an Exchange store item.

Roles are defined and stored on the item itself and require no changes to Active Directory. Because roles are not Active Directory security principals, Windows Server security ignores them, and you can use roles across domains.

To implement Exchange store security roles

  1. Define a role ACE that names a role security identifier (SID) property on the item; that property holds the list of SIDs of the security principals that are members of the role. The role ACE also specifies either a folder scope or an item scope.
  2. Modify the security descriptor of an item with the role ACE.

At run time, the Exchange store replaces the role ACE with ACEs for each of the security principals in the role. The following figure shows this expansion.

[Figure: a role ACE in the item's security descriptor is expanded at run time into one ACE for each security principal in the role]
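As an added illustration (not code from this topic or from Exchange), the Python model below performs the expansion just described, replacing a role ACE with one ACE per member SID, and then runs a Windows-style access check over the result. The Ace type, the rights bits, the property name RoleReviewers and the SIDs are all constructed for the example, and reading folder scope as "applies to the folder" and item scope as "applies to items in the folder" is a simplification of the real store behaviour.

```python
from dataclasses import dataclass, replace
READ, WRITE, DELETE = 0x1, 0x2, 0x4  # placeholder rights bits, not Exchange's real access masks
@dataclass(frozen=True)
class Ace:
    ace_type: str   # "allow" or "deny"
    trustee: str    # a SID, or (when is_role) the name of the role SID property on the item
    mask: int       # access rights granted or denied
    scope: str      # "folder": applies to the folder itself; "item": applies to items in it
    is_role: bool = False
def expand_role_aces(dacl: list[Ace], item_props: dict[str, list[str]]) -> list[Ace]:
    # One ACE per member SID, same type/mask/scope/position; a missing property expands to nothing.
    expanded: list[Ace] = []
    for ace in dacl:
        if not ace.is_role:
            expanded.append(ace)
            continue
        members = dict.fromkeys(item_props.get(ace.trustee, []))  # de-duplicated, order kept
        expanded += [replace(ace, trustee=sid, is_role=False) for sid in members]
    return expanded
def access_check(dacl: list[Ace], token_sids: list[str], requested: int, scope: str) -> bool:
    # Windows-style first-match DACL walk restricted to ACEs of the requested scope.
    remaining = requested
    for ace in dacl:
        if ace.is_role or ace.scope != scope or ace.trustee not in token_sids:
            continue  # an unexpanded role ACE never matches a token directly
        if ace.ace_type == "deny" and ace.mask & remaining:
            return False  # a deny overlapping still-unsatisfied bits refuses the request
        if ace.ace_type == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0
# Constructed sample: "RoleReviewers" is an invented property name and the SIDs are made up.
U1001, U1002, ADMIN, OUTSIDER = ("S-1-5-21-1-1-1-%d" % n for n in (1001, 1002, 500, 9999))
FOLDER_PROPS = {"RoleReviewers": [U1001, U1002, U1001]}          # duplicate member on purpose
FOLDER_DACL = [
    Ace("deny", U1002, WRITE, "item"),                                  # explicit deny first
    Ace("allow", "RoleReviewers", READ | WRITE, "item", is_role=True),  # the role ACE
    Ace("allow", ADMIN, READ | WRITE | DELETE, "folder")]
def demo() -> dict:
    expanded = expand_role_aces(FOLDER_DACL, FOLDER_PROPS)
    edited = expand_role_aces(FOLDER_DACL, {"RoleReviewers": [U1001, U1002, OUTSIDER]})
    return {
        "ace_count": len(expanded),                                                # 4, not 5
        "reviewer_read_write": access_check(expanded, [U1001], READ | WRITE, "item"),
        "denied_reviewer_write": access_check(expanded, [U1002], WRITE, "item"),
        "reviewer_on_folder": access_check(expanded, [U1001], READ, "folder"),
        "outsider_before": access_check(expanded, [OUTSIDER], READ, "item"),
        "outsider_after_edit": access_check(edited, [OUTSIDER], READ, "item"),
    }
```

The before/after pair in demo() is the point to take away for auditing: because membership lives in a property on the item, whoever can write that property changes the effective ACL, so that property deserves the same scrutiny as the security descriptor itself.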

You must specify role membership on Exchange 2007 by using a dynamic-link library (DLL) or a C++ application. Remote configuration of membership is not supported. For an example, see Web Storage System Security.