Users can perform operations on folders (view contents, add items, delete items, etc.) if permissions on the respective folder were defined. By default, all users have permissions on their own folders and can allow other users to access one or more of their personal folders with different permission levels (read only, read and write, etc.). These permissions can be set either from WebMail or Outlook and can be granted to a user or a group of users (defined by the system administrator in WebAdmin).
The system administrator has the right to set permissions on any user or public folder.
Computing permissions
Each time the server needs to determine whether a specific action on a specific resource is allowed or denied for a specific administrative user, the following reasoning is used:
- if the permission is set to deny on at least one of the parent folders in the chain, for the user or a group that the user belongs to, the permission will be denied;
- if the permission is not denied on any of the parent folders in the chain but allowed on at least one, for the user and/or a group that the user belongs to, the permission will be allowed;
- if the permission is neutral (not set) on all parent folders in the chain, for the user and/or a group that the user belongs to, the permission will be denied.
The "Effective permissions" tab will show the final result of this operation.
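The three rules above, as an added example that is not the server's own code: deny anywhere in the chain wins, otherwise a single allow is enough, and neutral everywhere ends in deny. The `Entry` type, the folder and group names and the sample ACL are constructed for illustration; the sketch assumes the chain includes the target folder itself and leaves out implicit permissions and the 'apply to sub-folders' setting.

```python
from dataclasses import dataclass

ALLOW, DENY = "allow", "deny"  # a permission with no matching entry is neutral (not set)

@dataclass(frozen=True)
class Entry:            # hypothetical ACL entry shape, not the server's format
    principal: str      # user or group name
    permission: str     # e.g. "Read folder content"
    state: str          # ALLOW or DENY

def effective_permission(chain, user, groups, permission):
    """Resolve one permission for `user` over a folder chain.

    `chain` is a list of (folder_name, [Entry, ...]) ordered from the root
    down to the target folder. Returns (ALLOW or DENY, reason).
    """
    principals = {user, *groups}
    allowed_at = None
    for folder, entries in chain:
        for e in entries:
            if e.permission != permission or e.principal not in principals:
                continue
            if e.state == DENY:
                # Rule 1: one deny, for the user or any of their groups, is final.
                return DENY, f"denied for {e.principal} on {folder}"
            if e.state == ALLOW and allowed_at is None:
                allowed_at = f"allowed for {e.principal} on {folder}"
    if allowed_at:
        # Rule 2: no deny in the chain and at least one allow.
        return ALLOW, allowed_at
    # Rule 3: neutral on every folder resolves to deny.
    return DENY, "neutral on every folder in the chain"

# Constructed sample chain: root -> Sales -> Q3
CHAIN = [
    ("Public Folders", [Entry("all-users", "View items", ALLOW)]),
    ("Public Folders/Sales", [Entry("sales", "Read folder content", ALLOW),
                              Entry("contractors", "Read folder content", DENY)]),
    ("Public Folders/Sales/Q3", [Entry("alice", "Add items", ALLOW)]),
]

if __name__ == "__main__":
    for user, groups in (("alice", {"all-users", "sales"}),
                         ("bob", {"all-users", "sales", "contractors"})):
        for perm in ("View items", "Read folder content", "Add items"):
            print(user, perm, effective_permission(CHAIN, user, groups, perm))
```

Membership in a single denied group is enough to lose access that another group grants, which is the case to check first when the "Effective permissions" tab shows an unexpected deny.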
Permissions description
- Read items – the folder is visible and its contained items can be read;
- View items – the folder appears in the hierarchy ("lookup");
- Read folder content – the items in this folder may be read;
- Share the read / unread status – changes to the read / unread flag are seen by other users (does not apply to contacts, calendar, tasks, journal, and notes folders);
- Set / clear flags – modify flags other than read / unread and deleted / not deleted (does not apply to contacts, calendar, tasks, journal, and notes folders);
- Add items – add new items to the folder (create new, move to, copy to); both 'add items' and 'delete items' permissions are required for modifying items;
- Add sub-folders – add new sub-folders below this folder (create new, move to, copy to);
- Delete folder – delete the folder, including all its contained items;
- Delete items – delete items in the folder; both 'add items' and 'delete items' permissions are required for modifying items;
- Mark items as deleted / not deleted – modify the deleted / not deleted flag;
- Expunge folder – purge the items marked with the deleted flag;
- Manage permissions – modify permissions on the folder.
Types of permissions
When new entities are created they can have two types of permissions:
1. Implicit permissions do not appear in the permissions list for resources, cannot be modified (they are resolved directly by the MACL engine) and cannot be overridden with an explicit 'DENY' from any level (above or below). These are:
- the 'postmaster' user has 'all rights' on all public folders;
- the 'postmaster' user has 'Lookup' and 'Manage permissions' on all folders of all the accounts in its domain;
- the 'postmaster' user has 'all rights' on his mailbox (and all sub-folders);
- each user has 'all rights' on his / her mailbox (and all sub-folders).
2. Default permissions are explicit, modifiable and appear when specific entities are created. They are:
- for a newly created folder in the PF namespace or in a mailbox other than the creator's, the creator has 'all rights', with 'apply to sub-folders';
- if the newly created public folder is created from the WebAdmin interface, no explicit permissions are set for it;
- when a new domain is created, the PF root contains the permission: 'all users in domain, allow, Lookup, apply to sub-folders'.
Details on how to set folder permissions are available in the Setting Sharing Permissions chapter.