This document is specific to Microsoft Exchange connections used by Super-ExMerge. However, the information is also fundamental and would be true for any MAPI based connection to an Exchange mail store.
Super-ExMerge is able to execute its actions with exceptional performance because it uses MAPI. MAPI is often mis-categorized as a communication protocol when it is, in fact, simply a programming API; the term is an acronym for Messaging Application Programming Interface. As such, it is capable of operating over a number of different communication protocols.
The protocol most commonly used by MAPI for Microsoft Exchange is HTTP, and this occurs in one of two variants: Outlook Anywhere (also known as RPC over HTTP) and MAPI over HTTP (MAPI/HTTP). The latter is newer and more modern with regard to resiliency, connection handling, and authentication. The former, Outlook Anywhere, reaches all the way back to Outlook and Exchange 2003.
In all cases, and regardless of the communication protocol, authentication must occur before any further actions can take place.
Authentication that is handled by MAPI is inherently dependent upon features of Microsoft Windows. Accessing any mail data in Exchange, regardless of whether it lives in Public Folders, a Mailbox, or an Archive, begins with a logon to a mailbox in Exchange. The authentication established by this logon is then used when attempting to access other data in the Exchange system.
It is therefore important to understand the different ways in which authentication can be accepted and access granted to an Exchange resource.
There are four fundamental ways in which a client application, including Super-ExMerge, can access Exchange data, as follows:
As Owner
This is the most common access and the authentication occurs for the “owner” of the mailbox. If a mailbox exists for joe@source.com, and Joe’s logon name is joe@source.com and he provides the correct password for this mailbox, Joe is granted “Owner” access to the mailbox. As such, Joe has full access to all folders and elements of the contents of his mailbox and can send and receive mail and so on. This permission to access the mailbox in this way is inherent to the account because the underlying Active Directory account is also the one that carries the mailbox attributes that define the mailbox for the account. Note that in Office 365 there still exists an Active Directory user account; however, there is no direct access to this account as there is in an on-premises deployment of Microsoft Exchange.
In the context of Super-ExMerge, this would require knowledge of the password for each mailbox to be accessed. For public folders, Super-ExMerge would only have access to folders based on the mailbox. If the mailbox has no rights to any public folders, then Super-ExMerge will not be able to access them either.
Full Access
This is a specific right that can be applied to a mailbox and grants a non-owner full access to the mailbox. Only Exchange administrators can grant this permission. Further note that this permission is not the same as a folder-level permission that a user can set themselves. The Full Access permission allows the non-owner access to all folders and contents of the mailbox, regardless of folder-level permissions.
A mail-enabled account is not the same thing as a mailbox-enabled account, although the two may sound the same. In Microsoft Exchange, a MailUser or Mail-Enabled User is simply a user account that has an email address and a forwarding address. It has the same essential behavior as an Exchange Contact, but can also have a password – while a Contact cannot.
The Full Access permission allows the authentication to be that of an account that is not the owner of the mailbox. Additionally, the account that is granted this permission does NOT have to be a mailbox-enabled account. It is enough for it to be only a mail-enabled account (see the side-note above), with no mailbox.
This feature of Exchange is especially useful for migration work, e-Discovery work, and for backup/restore tasks. An administrator can grant an account access to one, some, many or all mailboxes for automation or application access to data.
In the context of Super-ExMerge, this permission is valuable in that the admin or user of Super-ExMerge is not required to know the password of each mailbox. A single “admin” account can be created and granted access to multiple other mailboxes; when it is no longer needed, the permission can be reversed or the account can simply be deleted or disabled.
For public folders, there is no ability to set Full Access permissions on folders. In this case, an account must be given appropriate access on each folder directly.
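The following is an added example, not part of the Super-ExMerge documentation, showing how an Exchange administrator grants, audits, and later reverses the Full Access permission described above, plus the per-folder grant that public folders require. It assumes an Exchange Management Shell or Exchange Online PowerShell session and uses the hypothetical names svc-exmerge@source.com (the single “admin” account), joe@source.com, and the public folder \Projects\Archive.

```powershell
# Added example (not from the Super-ExMerge documentation). Assumes an
# Exchange Management Shell / Exchange Online session and these
# hypothetical names:
#   svc-exmerge@source.com  - the single "admin" account used by the tool
#   joe@source.com          - a mailbox the tool needs to open
#   \Projects\Archive       - a public folder the tool needs to open
$ServiceAccount = 'svc-exmerge@source.com'
$Mailbox        = 'joe@source.com'
$PublicFolder   = '\Projects\Archive'

# Grant Full Access: the service account can open every folder of Joe's
# mailbox regardless of folder-level permissions. The account only needs
# to be mail-enabled; it does not need a mailbox of its own.
# -AutoMapping:$false stops Outlook from auto-adding the mailbox to the
# service account's own profile.
Add-MailboxPermission -Identity $Mailbox -User $ServiceAccount `
    -AccessRights FullAccess -InheritanceType All -AutoMapping:$false

# Check: list explicit (non-inherited) Full Access grants on the mailbox,
# excluding the owner's own SELF entry. Reviewing this regularly catches
# grants to migration or backup accounts that were never reversed.
Get-MailboxPermission -Identity $Mailbox |
    Where-Object {
        $_.AccessRights -contains 'FullAccess' -and
        -not $_.IsInherited -and
        $_.User -notlike 'NT AUTHORITY\SELF'
    } |
    Select-Object Identity, User, AccessRights

# Public folders have no Full Access equivalent: rights are granted on
# each folder directly.
Add-PublicFolderClientPermission -Identity $PublicFolder `
    -User $ServiceAccount -AccessRights Owner

# Reverse both grants once the task is finished.
Remove-MailboxPermission -Identity $Mailbox -User $ServiceAccount `
    -AccessRights FullAccess -InheritanceType All -Confirm:$false
Remove-PublicFolderClientPermission -Identity $PublicFolder `
    -User $ServiceAccount -Confirm:$false
```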
System Access
System access refers to a feature of Microsoft Exchange whereby a mail-enabled user or group can be given special “system” privileges to data that bypass all user-level permissions. This level of access can only be granted with on-premises Exchange. This privilege, known as Administer-Information-Store, can only be set at a mailbox database level.
The value of this type of access lies in inheritance. When this permission is granted on a database, all mailboxes contained in that database inherit the permission granted to the user or group. This saves having to modify permissions on dozens, hundreds, or thousands of mailboxes individually.
In the context of Super-ExMerge, this feature is quite valuable as it provides easy setup and control over a possibly dynamic number of mailboxes. Since this is set at a database level, new mailboxes that are added are inherently accessible to Super-ExMerge, if needed.
For Public Folders, this is the only option available to avoid setting individual folder permissions. This permission would still be granted at a database level regardless of whether public folders are legacy (i.e. a public folder database) or modern (i.e. one or more public folder mailboxes).
For more detail on applying this permission, please contact support@priasoft.com to schedule a discussion.
Notes
Super-ExMerge has to be able to authenticate to a mailbox first, then to the object that is desired (public folder, another mailbox, or archive). This means that, at a minimum, two authentications will occur; however, the same identity is used for both. There is no way to authenticate to the mailbox, then authenticate differently to public folders, another mailbox, or an archive mailbox.
Furthermore, Super-ExMerge will only be able to perform actions that match the permissions granted. For example, if a two-way sync is created but the account used to access the target store only has enough rights to read items (no create, modify, or delete), the application will not be able to properly sync data. This is inherent in Microsoft Exchange’s security model and cannot be circumvented.
