Run-Time Permission

Topic Last Modified: 2008-08-06

This topic compares the Exchange development technologies with regard to the permissions a running application needs (run-time permissions), as opposed to the permissions needed to install or register it.

Technology / Permissions required by a running application that uses the technology

Active Directory Services Interfaces (ADSI)

Applications that use ADSI should be deployed only on those systems and for users who have sufficient permissions to access the information needed by the application.

Collaboration Data Objects for Windows 2000 (CDOSYS)

No special permissions are required to run interactive applications or ASP pages that use CDOSYS. In applications that use the SMTP or NNTP drop directory, the application or user must have write permission on that directory. To send e-mail, the user needs either write access to the SMTP pickup directory or read access to the Microsoft Internet Information Services (IIS) metabase, so that the application can determine which SMTP port to use for sending mail.
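The following PowerShell is an added example, not code from the original topic. It probes the two prerequisites named above (write access to the SMTP pickup directory, or read access to the IIS metabase to learn the SMTP port) by actually attempting them, then sends through CDOSYS by whichever path the caller is permitted to use. Assumptions not stated on the page: the local SMTP virtual server is metabase instance 1 (IIS://localhost/SMTPSVC/1), and the sender and recipient addresses are placeholders.

```powershell
# Added example; not code from the original topic. Assumptions: the local SMTP
# virtual server is metabase instance 1; addresses are placeholders.

$cdoSendUsingPickup = 1   # CdoSendUsing enumeration values from the CDOSYS type library
$cdoSendUsingPort   = 2
$cdoCfg = 'http://schemas.microsoft.com/cdo/configuration/'

function Get-LocalSmtpSettings {
    # Reads the SMTP virtual server's settings from the IIS metabase. Throws if
    # the caller lacks read access to the metabase.
    $svc = [ADSI]'IIS://localhost/SMTPSVC/1'
    $binding = [string](@($svc.ServerBindings)[0])   # e.g. ":25:" (IP:port:hostname)
    [pscustomobject]@{
        PickupDirectory = [string]$svc.PickupDirectory
        Port            = [int]($binding -split ':')[1]
    }
}

function Test-DirectoryWritable([string]$Path) {
    # Create and delete a probe file instead of inspecting the ACL: a deny ACE or
    # a missing share permission only shows up when you actually write.
    if (-not $Path) { return $false }
    $probe = Join-Path $Path ("cdo-probe-{0}.tmp" -f [guid]::NewGuid())
    try {
        [IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Send-CdosysMail {
    param(
        [Parameter(Mandatory)][string]$From,
        [Parameter(Mandatory)][string]$To,
        [string]$Subject = 'CDOSYS permission check',
        [string]$Body = 'sent via CDOSYS',
        [string]$PickupDirectory   # optional: a known pickup path when the metabase is not readable
    )

    $settings = $null
    try { $settings = Get-LocalSmtpSettings }
    catch { Write-Verbose "Metabase not readable: $($_.Exception.Message)" }

    if (-not $PickupDirectory -and $settings) { $PickupDirectory = $settings.PickupDirectory }

    $msg = New-Object -ComObject CDO.Message
    $fields = $msg.Configuration.Fields
    if (Test-DirectoryWritable $PickupDirectory) {
        # Write access to the pickup directory is sufficient on its own: the SMTP
        # service picks the file up, so no port lookup is needed.
        $fields.Item($cdoCfg + 'sendusing').Value = $cdoSendUsingPickup
        $fields.Item($cdoCfg + 'smtpserverpickupdirectory').Value = $PickupDirectory
        $method = "pickup:$PickupDirectory"
    } elseif ($settings) {
        # No write access, but the metabase told us the port: submit over TCP.
        $fields.Item($cdoCfg + 'sendusing').Value = $cdoSendUsingPort
        $fields.Item($cdoCfg + 'smtpserver').Value = 'localhost'
        $fields.Item($cdoCfg + 'smtpserverport').Value = $settings.Port
        $method = "port:$($settings.Port)"
    } else {
        throw 'Cannot send: no write access to a pickup directory and no read access to the IIS metabase.'
    }
    $fields.Update()

    $msg.From     = $From
    $msg.To       = $To
    $msg.Subject  = $Subject
    $msg.TextBody = $Body
    $msg.Send()
    return $method   # which of the two permitted paths was used
}

# Send-CdosysMail -From 'app@contoso.com' -To 'ops@contoso.com' -Verbose
```

Run it under the account the application will actually use: the return value tells you which of the two permissions that account holds, and the thrown error is the condition the paragraph above warns about, an account with neither.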

CDOSYS SMTP/NNTP Event Sinks

CDOSYS SMTP/NNTP event sinks run in the same process as IIS, and share the same security credentials as that service account. This may affect what resources the event sink can access.

Collaboration Data Objects for Exchange 2000 Server (CDOEX)

Depending on the application architecture, an application might require special permissions to access mailboxes and other user data when the user cannot pass compatible credentials to it. The application should verify the user's credentials whenever it accesses information in Exchange on that user's behalf.

Collaboration Data Objects for Exchange Management (CDOEXM)

Because CDOEXM controls and configures components of an Exchange server, only Exchange administrators should be permitted to run applications that use CDOEXM. For applications that use CDOEXM from an Exchange administrative console computer, the administrative console computer must be in the same domain as the Exchange server.

Collaboration Data Objects for Exchange Workflow (CDOWF)

Workflow processes created by applications that use CDOWF are run under the Workflow System Account. That account needs access to the folders and other resources used by the workflow processing code. Read the appropriate SDK for more information about permissions required for workflow processes.

Exchange OLE DB Provider (ExOLEDB)

Because applications that use ExOLEDB are located on the Exchange server on which the data is stored, the user running the application must have sufficient permission to access the data.

Exchange Store Event Sinks

To run applications that use Exchange store events, the application must have write permission on the folders on which the events fire.

Exchange Web Forms

To use Exchange Web forms, the folder permissions must allow scripts to run. Use caution when granting permissions to run scripts on the Exchange store.

Exchange Web Services

To use an Exchange Web Services client application, the client must use a valid domain account to access the Client Access server.
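The PowerShell below is an added example, not code from the original topic. It issues a single Exchange Web Services GetFolder request for the caller's Inbox under either of the two ways a client can present a domain account: the logged-on user's own Windows credentials, or an explicitly supplied domain credential. Assumptions not stated on the page: the Client Access server URL and account names are placeholders, and the server accepts the Exchange2007_SP1 request version.

```powershell
# Added example; not code from the original topic. Assumptions: the CAS URL and
# account names are placeholders; the server accepts RequestServerVersion
# Exchange2007_SP1.
function Get-EwsInbox {
    param(
        [string]$Url = 'https://cas01.contoso.com/EWS/Exchange.asmx',
        [pscredential]$Credential   # omit to send the logged-on user's domain credentials
    )

    $soap = @'
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types"
               xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages">
  <soap:Header><t:RequestServerVersion Version="Exchange2007_SP1"/></soap:Header>
  <soap:Body>
    <m:GetFolder>
      <m:FolderShape><t:BaseShape>Default</t:BaseShape></m:FolderShape>
      <m:FolderIds><t:DistinguishedFolderId Id="inbox"/></m:FolderIds>
    </m:GetFolder>
  </soap:Body>
</soap:Envelope>
'@

    $request = @{
        Uri             = $Url
        Method          = 'Post'
        Body            = $soap
        ContentType     = 'text/xml; charset=utf-8'
        UseBasicParsing = $true
    }
    # Both paths authenticate to the CAS as a Windows domain account; a local,
    # non-domain account is rejected with 401 either way.
    if ($Credential) { $request.Credential = $Credential }
    else             { $request.UseDefaultCredentials = $true }

    try {
        $response = Invoke-WebRequest @request
    } catch {
        $http = $_.Exception.Response
        if ($http -and [int]$http.StatusCode -eq 401) {
            throw "EWS at $Url rejected the credentials (401): supply a valid domain account."
        }
        throw
    }

    # PowerShell's XML adapter resolves element names without namespace prefixes.
    $xml   = [xml]$response.Content
    $reply = $xml.Envelope.Body.GetFolderResponse.ResponseMessages.GetFolderResponseMessage
    if ($reply.ResponseClass -ne 'Success') {
        throw "EWS error $($reply.ResponseCode): $($reply.MessageText)"
    }
    $reply.Folders.Folder | Select-Object DisplayName, TotalCount, UnreadCount
}

# Get-EwsInbox                                                   # logged-on domain user
# Get-EwsInbox -Credential (Get-Credential 'CONTOSO\svc-mail')   # explicit domain account
```

The 401 branch is the failure mode the paragraph describes: the request never reaches the mailbox, because the Client Access server authenticates the caller as a domain principal before any EWS operation is evaluated.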

HTTP/Web Distributed Authoring and Versioning (WebDAV)

The run-time permissions needed by applications that use WebDAV depend entirely upon the authentication/authorization methods used between the client and the WebDAV virtual server. When the application tier that uses WebDAV to connect to the Exchange server includes a small number of computers, often the virtual server is configured to allow connections from only those middle-tier computers.

WebDAV Notifications

The run-time permissions needed by applications that use WebDAV notification depend entirely upon the authentication/authorization methods used between the client and the WebDAV virtual server. When the application tier that uses WebDAV to connect to the Exchange server includes a small number of computers, often the virtual server is configured to allow connections from only those middle-tier computers. Because WebDAV notifications use UDP to contact the client, WebDAV notifications should only be used within an intranet, or by means of a secured PPTP tunnel.

Incremental Change Synchronization (ICS)

When an ICS-based application runs under the security context of the user who launched it, that account must have permission to access the data being synchronized in the Exchange store; exactly which permissions depends on that data. In addition, the account under which the synchronizer runs must also be permitted to access the destination system.

Lightweight Directory Access Protocol (LDAP)

Applications that access directory service information should be deployed only on those systems and for users who have sufficient permissions to access the information needed by the application.

Messaging Application Programming Interface (MAPI)

To run a MAPI-based application, the user usually only requires sufficient permissions to access the data on the Exchange store.

Outlook Object Model (OOM)

No special permissions are required to run applications that use OOM.

Outlook Web Access

Outlook Web Access customization and component reuse are not supported by Microsoft.

Exchange Rules

No special permissions are required to deploy applications that use Exchange rules.

SMTP Event Sinks

SMTP event sinks run in the same process as the SMTP service, and share the same security credentials as that service account. This may affect what resources the event sink can access.

Windows Management Instrumentation (WMI) providers for Exchange

Applications that use WMI pass a user security context to the WMI provider. This can either be supplied as a user name and password, or obtained from the user running the script. The Exchange WMI providers allow only Exchange administrators to perform actions that affect the Exchange system.
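The following PowerShell is an added example, not code from the original topic. It queries the Exchange WMI provider under each of the two security contexts described above: the context of the user running the script, or an explicit user name and password. Assumptions not stated on the page: the Exchange 2003 namespace root\MicrosoftExchangeV2 and its Exchange_Server class, and the server and account names, which are placeholders.

```powershell
# Added example; not code from the original topic. Assumptions: the Exchange 2003
# namespace root\MicrosoftExchangeV2 and its Exchange_Server class (not named on
# the page); server and account names are placeholders.
function Get-ExchangeServerViaWmi {
    param(
        [string]$ComputerName = 'exch01',
        [pscredential]$Credential   # omit to run in the caller's own security context
    )

    $query = @{
        Namespace    = 'root\MicrosoftExchangeV2'
        Class        = 'Exchange_Server'
        ComputerName = $ComputerName
        ErrorAction  = 'Stop'
    }
    # An explicit credential is honoured only for remote connections: WMI refuses
    # alternate credentials for the local machine.
    if ($Credential) { $query.Credential = $Credential }

    $who = if ($Credential) { $Credential.UserName }
           else { [Security.Principal.WindowsIdentity]::GetCurrent().Name }

    try {
        Get-WmiObject @query | Select-Object Name, ExchangeVersion, IsFrontEndServer
    } catch {
        # HRESULT 0x80070005 (E_ACCESSDENIED): the provider evaluated the passed
        # context and rejected it, i.e. $who is not an Exchange administrator
        # (or has no DCOM/WMI access to the namespace at all).
        $hr = '{0:X8}' -f $_.Exception.HResult
        if ($hr -eq '80070005' -or $_.Exception -is [UnauthorizedAccessException]) {
            throw "Exchange WMI on $ComputerName denied access to $who"
        }
        throw
    }
}

# Get-ExchangeServerViaWmi -ComputerName exch01                                           # current user
# Get-ExchangeServerViaWmi -ComputerName exch01 -Credential (Get-Credential 'CONTOSO\exadmin')
```

Running the first form as an ordinary domain user and the second as an Exchange administrator shows the provider's check in action: the same query succeeds or is denied purely on the security context passed to it, not on the account that launched PowerShell.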

Exchange Backup and Restore API

Applications that use the ESE Backup and Restore API must run under the security context of a user who has backup and restore privileges on both the source and destination computers.

Exchange writer for the Windows Volume Shadow Copy Service

A VSS requestor typically needs to be run under an account that is either a member of the Administrators built-in group or the Backup Operators group.