Muokkaa

Jaa


Set folder permissions for another user by using EWS in Exchange

Learn how to set permission levels on a folder by using the EWS Managed API or EWS in Exchange.

Folder-level permissions enable users to access one or more folders in another user's mailbox. Folder permissions are similar to delegate access, but they differ in the following ways:

  • Folder permissions do not enable a user to "send on behalf of" or "send as" another user. They only enable access to folders. Users can create items in those folders, but they can't send them.

  • You can set folder permissions on any folder in the mailbox, but you can only add a delegate to the Calendar, Contacts, Inbox, Journal, Notes, and Tasks folders.

  • You can set a number of permissions on a specific folder. When you add a delegate, you can assign one of only five permission levels.

  • You can set folder permissions for anonymous and default users. You can only grant delegate access to a mail-enabled account.

If you're familiar with Access Control Entries (ACEs) and Discretionary Access Control Lists (DACLs), you know that a user can only have one set of permissions for each folder. If you try to add a set of permissions for a user and they already have a set of permissions, you'll get an error. When you add, remove, or update permissions on a folder, you get the current DACL, add or remove any ACEs, and then send the updated DACL. You cannot add multiple ACEs for the same user. When you update permissions by using the EWS Managed API, you need to remove the user's current ACE and then add their new ACE to the collection. If you're using EWS, you just replace the previous set of ACEs with the new ones.

If you're making multiple permission changes to a single folder, you can batch additions, removals, or updates —just note that you cannot batch user updates on multiple folders. One call is required to get the permissions on a single folder, and a second call is required to update the permissions on that folder. When you add, remove, or update user permissions, you use the same two method calls or operations for each task.

Table 1. EWS Managed API methods and EWS operations for setting folder permissions

If you want to… Use this EWS Managed API method… Use this EWS operation…
Enable, remove, or update folder permissions
Folder.Bind followed by Folder.Update
GetFolder followed by UpdateFolder
Create a folder and define folder permissions
Folder.Save
CreateFolder

Folder permissions

You have quite a few options when it comes to setting folder permissions on a specific folder. You can set a permission level on a folder for each user, which adds a set of predefined individual permissions to the DACL, or you can set individual permissions on a folder — but you can't mix and match.

The following individual permissions are available:

  • Can create
  • Can create subfolders
  • Is folder owner
  • Is folder visible
  • Is folder contact
  • Edit items
  • Delete items
  • Read items

In addition, the following permission levels are available, which define a subset of individual permissions and values, as shown in Table 2:

  • None
  • Owner
  • PublishingEditor
  • Editor
  • PublishingAuthor
  • Author
  • NoneditingAuthor
  • Reviewer
  • Contributor
  • Custom - This value cannot be set by the application. The server sets this value if the application includes a custom collection of individual permissions.
  • FreeBusyTimeOnly - This can only be set on Calendar folders.
  • FreeBusyTimeAndSubjectAndLocation - This can only be set on Calendar folders.

The following table shows which individual permissions are applied by default based on permission level.

Table 2. Individual permissions by permission level

Permission level Can create items Can create sub folders Is folder owner Is folder visible Is folder contact Edit items Delete items Can read items
None
False
False
False
False
False
None
None
None
Owner
True
True
True
True
True
All
All
FullDetails
PublishingEditor
True
True
False
True
False
All
All
FullDetails
Editor
True
False
False
True
False
All
All
FullDetails
PublishingAuthor
True
True
False
True
False
Owned
Owned
FullDetails
Author
True
False
False
True
False
Owned
Owned
FullDetails
NoneditingAuthor
True
False
False
True
False
None
Owned
FullDetails
Reviewer
False
False
False
True
False
None
None
FullDetails
Contributor
True
False
False
True
False
None
None
None

If you specify a non-custom permission level in the folder-level permissions request, you don't need to specify the individual permission settings. If you do specify an individual permission when you set a permission level, an ErrorInvalidPermissionSettings error will be returned in the response.

Adding folder permissions by using the EWS Managed API

The following code example shows how to use the EWS Managed API to:

  • Create a new FolderPermission object for the new user.

  • Get the current permissions for a folder by using the Bind method.

  • Add the new FolderPermissions to the Folder.Permissions property.

  • Call the Update method to save the new permissions to the server.

This example assumes that service is a valid ExchangeService object for the mailbox owner and that the user has been authenticated to an Exchange server.

static void EnableFolderPermissions(ExchangeService service)
{
    // Create a property set to use for folder binding.
    PropertySet propSet = new PropertySet(BasePropertySet.IdOnly, FolderSchema.Permissions);
    // Specify the SMTP address of the new user and the folder permissions level.
    FolderPermission fldperm = new FolderPermission("sadie@contoso.com", FolderPermissionLevel.Editor);
    
    // Bind to the folder and get the current permissions. 
    // This call results in a GetFolder call to EWS.
    Folder sentItemsFolder = Folder.Bind(service, WellKnownFolderName.SentItems, propSet);
 
    // Add the permissions for the new user to the Sent Items DACL.
    sentItemsFolder.Permissions.Add(fldperm);
    // This call results in a UpdateFolder call to EWS.
    sentItemsFolder.Update();
}

The following line of code specifies the permission level.

    FolderPermission fldperm = new FolderPermission("sadie@contoso.com", FolderPermissionLevel.Editor);

If you want to use the custom permission level, use this code instead.

FolderPermission fldperm = new FolderPermission();
fldperm.UserId = "sadie@Contoso1000.onmicrosoft.com";
fldperm.CanCreateItems = true;
fldperm.CanCreateSubFolders = true;
…

You can set any or all of the writable FolderPermission properties when you create a FolderPermission object with a custom permission level. Note, however, that the FolderPermissionLevel is never explicitly set to Custom by the application. The FolderPermissionLevel is set to Custom only when you create a FolderPermission object and set individual permissions.

Adding folder permissions by using EWS

The following EWS code examples show how to add permissions to a specific folder by retrieving the current permissions and then submitting a list of new permissions.

The first step is to send a GetFolder request, where the DistinguishedFolderId value specifies the folder in which to add permissions (the Sent Items folder in this example) and the FieldURI value includes folder:PermissionSet. This request will retrieve the permission settings for the folder specified.

This is also the XML request that the EWS Managed API sends when you call the Bind method to add folder permissions.

  <?xml version="1.0" encoding="utf-8"?>
  <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
                 xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" 
                 xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" 
                 xmlns:soap="https://schemas.xmlsoap.org/soap/envelope/">
    <soap:Header>
      <t:RequestServerVersion Version="Exchange2007_SP1" />
    </soap:Header>
    <soap:Body>
      <m:GetFolder>
        <m:FolderShape>
          <t:BaseShape>IdOnly</t:BaseShape>
          <t:AdditionalProperties>
            <t:FieldURI FieldURI="folder:PermissionSet" />
          </t:AdditionalProperties>
        </m:FolderShape>
        <m:FolderIds>
          <t:DistinguishedFolderId Id="sentitems" />
        </m:FolderIds>
      </m:GetFolder>
    </soap:Body>
  </soap:Envelope>

The server responds to the GetFolder request with a GetFolderResponse message that includes a ResponseCode element value of NoError, which indicates that the folder was retrieved successfully. The FolderId and ParentFolderId values have been shortened for readability.

<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="https://schemas.xmlsoap.org/soap/envelope/">
  <s:Header>
    <h:ServerVersionInfo MajorVersion="15"
                         MinorVersion="0"
                         MajorBuildNumber="893"
                         MinorBuildNumber="17"
                         Version="V2_10"
                         xmlns:h="http://schemas.microsoft.com/exchange/services/2006/types"
                         xmlns="http://schemas.microsoft.com/exchange/services/2006/types"
                         xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" />
  </s:Header>
  <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <m:GetFolderResponse xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages"
                         xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types">
      <m:ResponseMessages>
        <m:GetFolderResponseMessage ResponseClass="Success">
          <m:ResponseCode>NoError</m:ResponseCode>
          <m:Folders>
            <t:Folder>
              <t:FolderId Id="CgAAAA=="
                          ChangeKey="AQAAABYAAADOilbYa8KaT7ZgMoTz2P+hAAABiRd1" />
              <t:PermissionSet>
                <t:Permissions>
                  <t:Permission>
                    <t:UserId>
                      <t:DistinguishedUser>Default</t:DistinguishedUser>
                    </t:UserId>
                    <t:CanCreateItems>false</t:CanCreateItems>
                    <t:CanCreateSubFolders>false</t:CanCreateSubFolders>
                    <t:IsFolderOwner>false</t:IsFolderOwner>
                    <t:IsFolderVisible>false</t:IsFolderVisible>
                    <t:IsFolderContact>false</t:IsFolderContact>
                    <t:EditItems>None</t:EditItems>
                    <t:DeleteItems>None</t:DeleteItems>
                    <t:ReadItems>None</t:ReadItems>
                    <t:PermissionLevel>None</t:PermissionLevel>
                  </t:Permission>
                  <t:Permission>
                    <t:UserId>
                      <t:DistinguishedUser>Anonymous</t:DistinguishedUser>
                    </t:UserId>
                    <t:CanCreateItems>false</t:CanCreateItems>
                    <t:CanCreateSubFolders>false</t:CanCreateSubFolders>
                    <t:IsFolderOwner>false</t:IsFolderOwner>
                    <t:IsFolderVisible>false</t:IsFolderVisible>
                    <t:IsFolderContact>false</t:IsFolderContact>
                    <t:EditItems>None</t:EditItems>
                    <t:DeleteItems>None</t:DeleteItems>
                    <t:ReadItems>None</t:ReadItems>
                    <t:PermissionLevel>None</t:PermissionLevel>
                  </t:Permission>
                </t:Permissions>
              </t:PermissionSet>
            </t:Folder>
          </m:Folders>
        </m:GetFolderResponseMessage>
      </m:ResponseMessages>
    </m:GetFolderResponse>
  </s:Body>
</s:Envelope>

Next, use the UpdateFolder operation to send the updated PermissionSet, which includes the Permission for the new user. Note that including the SetFolderField element for the respective folder in the UpdateFolder operation will overwrite all the permission settings on the folder. Likewise, including the DeleteFolderField option of the UpdateFolder operation will also delete all the permission settings on the folder.

This is also the XML request that the EWS Managed API sends when you call the Update method to add folder permissions.

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages"
               xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types"
               xmlns:soap="https://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <t:RequestServerVersion Version="Exchange2007_SP1" />
  </soap:Header>
  <soap:Body>
    <m:UpdateFolder>
      <m:FolderChanges>
        <t:FolderChange>
          <t:FolderId Id="CgAAAA=="
                      ChangeKey="AQAAABYAAADOilbYa8KaT7ZgMoTz2P+hAAABiRd1" />
          <t:Updates>
            <t:SetFolderField>
              <t:FieldURI FieldURI="folder:PermissionSet" />
              <t:Folder>
                <t:PermissionSet>
                  <t:Permissions>
                    <t:Permission>
                      <t:UserId>
                        <t:DistinguishedUser>Default</t:DistinguishedUser>
                      </t:UserId>
                      <t:PermissionLevel>None</t:PermissionLevel>
                    </t:Permission>
                    <t:Permission>
                      <t:UserId>
                        <t:DistinguishedUser>Anonymous</t:DistinguishedUser>
                      </t:UserId>
                      <t:PermissionLevel>None</t:PermissionLevel>
                    </t:Permission>
                    <t:Permission>
                      <t:UserId>
                        <t:PrimarySmtpAddress>sadie@contoso.com</t:PrimarySmtpAddress>
                      </t:UserId>
                      <t:PermissionLevel>Editor</t:PermissionLevel>
                    </t:Permission>
                  </t:Permissions>
                </t:PermissionSet>
              </t:Folder>
            </t:SetFolderField>
          </t:Updates>
        </t:FolderChange>
      </m:FolderChanges>
    </m:UpdateFolder>
  </soap:Body>
</soap:Envelope>

The following line of code specifies the permission level.

<t:Permission>
    <t:UserId>
        <t:PrimarySmtpAddress>sadie@contoso.com</t:PrimarySmtpAddress>
    </t:UserId>
    <t:PermissionLevel>Editor</t:PermissionLevel>
</t:Permission>

If you want to use the custom permission level, use this code instead.

<t:Permission>
    <t:UserId>
        <t:PrimarySmtpAddress> sadie@contoso.com </t:PrimarySmtpAddress>
    </t:UserId>
    <t:CanCreateItems>true</t:CanCreateItems>
    <t:CanCreateSubFolders>true</t:CanCreateSubFolders>
    <t:IsFolderOwner>false</t:IsFolderOwner>
    <t:IsFolderVisible>false</t:IsFolderVisible>
    <t:IsFolderContact>false</t:IsFolderContact>
    <t:EditItems>None</t:EditItems>
    <t:DeleteItems>None</t:DeleteItems>
    <t:ReadItems>None</t:ReadItems>
    <t:PermissionLevel>Custom</t:PermissionLevel>
</t:Permission>

The server responds to the UpdateFolder request with an UpdateFolderResponse message that includes a ResponseCode element value of NoError, which indicates that the folder was updated successfully.

Removing folder permissions by using the EWS Managed API

The following code example shows how to use the EWS Managed API to remove all user permissions on a specific folder, except for the default and anonymous permissions, by:

  1. Getting the current permissions for a folder by using the Bind method.

  2. Iterating through the Permissions collection and removing permissions for individual users.

  3. Calling the Update method to save the changes.

This example removes all user permissions on a folder. If you want to modify this example to remove permissions only for a specific user, change the following line of code to identify either the display name or SMTP address of the user.

if (sentItemsFolder.Permissions[t].UserId.DisplayName != null || sentItemsFolder.Permissions[t].UserId.PrimarySmtpAddress != null)

This example assumes that service is a valid ExchangeService object for the mailbox owner and that the user has been authenticated to an Exchange server.

static void RemoveFolderPermissions(ExchangeService service)
{
    // Create a property set to use for folder binding.
    PropertySet propSet = new PropertySet(BasePropertySet.FirstClassProperties, FolderSchema.Permissions);
    // Bind to the folder and get the current permissions. 
    // This call results in a GetFolder call to EWS.
    Folder sentItemsFolder = Folder.Bind(service, new FolderId(WellKnownFolderName.SentItems, "primary@contoso.com"), propSet);
    // Iterate through the collection of permissions and remove permissions for any 
    // user with a display name or SMTP address. This leaves the anonymous and 
    // default user permissions unchanged. 
    if (sentItemsFolder.Permissions.Count != 0)
    {
        for (int t = 0; t < sentItemsFolder.Permissions.Count; t++)
        {
            // Find any permissions associated with the specified user and remove them from the DACL
            if (sentItemsFolder.Permissions[t].UserId.DisplayName != null || sentItemsFolder.Permissions[t].UserId.PrimarySmtpAddress != null)
            {
                sentItemsFolder.Permissions.Remove(sentItemsFolder.Permissions[t]);
            }
        }
    }
    // This call results in an UpdateFolder call to EWS.
    sentItemsFolder.Update();
}

Removing folder permissions by using EWS

The following EWS code examples show how to remove all user permissions on a specific folder, except for the default and anonymous permissions.

First, send a GetFolder request where the DistinguishedFolderId value specifies the folder in which to remove permissions (the Sent Items folder in this example) and the FieldURI value includes folder:PermissionSet. This request will retrieve the PermissionSet for the folder specified.

This is also the XML request that the EWS Managed API sends when you call the Bind method to remove folder permissions.

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages"
               xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types"
               xmlns:soap="https://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <t:RequestServerVersion Version="Exchange2007_SP1" />
  </soap:Header>
  <soap:Body>
    <m:GetFolder>
      <m:FolderShape>
        <t:BaseShape>AllProperties</t:BaseShape>
        <t:AdditionalProperties>
          <t:FieldURI FieldURI="folder:PermissionSet" />
        </t:AdditionalProperties>
      </m:FolderShape>
      <m:FolderIds>
        <t:DistinguishedFolderId Id="drafts">
          <t:Mailbox>
            <t:EmailAddress>primary@contoso.com</t:EmailAddress>
          </t:Mailbox>
        </t:DistinguishedFolderId>
      </m:FolderIds>
    </m:GetFolder>
  </soap:Body>
</soap:Envelope>

The server responds to the GetFolder request with a GetFolderResponse message that includes a ResponseCode element value of NoError, which indicates that the folder was retrieved successfully. The values of the FolderId and ParentFolderId elements have been shortened for readability.

<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="https://schemas.xmlsoap.org/soap/envelope/">
  <s:Header>
    <h:ServerVersionInfo MajorVersion="15"
                         MinorVersion="0"
                         MajorBuildNumber="893"
                         MinorBuildNumber="17"
                         Version="V2_10"
                         xmlns:h="http://schemas.microsoft.com/exchange/services/2006/types"
                         xmlns="http://schemas.microsoft.com/exchange/services/2006/types"
                         xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" />
  </s:Header>
  <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <m:GetFolderResponse xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages"
                         xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types">
      <m:ResponseMessages>
        <m:GetFolderResponseMessage ResponseClass="Success">
          <m:ResponseCode>NoError</m:ResponseCode>
          <m:Folders>
            <t:Folder>
              <t:FolderId Id="EAAAAA=="
                          ChangeKey="AQAAABYAAADOilbYa8KaT7ZgMoTz2P+hAAABiRd5" />
              <t:ParentFolderId Id="CQAAAA=="
                                ChangeKey="AQAAAA==" />
              <t:FolderClass>IPF.Note</t:FolderClass>
              <t:DisplayName>Drafts</t:DisplayName>
              <t:TotalCount>0</t:TotalCount>
              <t:ChildFolderCount>0</t:ChildFolderCount>
              <t:EffectiveRights>
                <t:CreateAssociated>true</t:CreateAssociated>
                <t:CreateContents>true</t:CreateContents>
                <t:CreateHierarchy>true</t:CreateHierarchy>
                <t:Delete>true</t:Delete>
                <t:Modify>true</t:Modify>
                <t:Read>true</t:Read>
                <t:ViewPrivateItems>true</t:ViewPrivateItems>
              </t:EffectiveRights>
              <t:PermissionSet>
                <t:Permissions>
                  <t:Permission>
                    <t:UserId>
                      <t:DistinguishedUser>Default</t:DistinguishedUser>
                    </t:UserId>
                    <t:CanCreateItems>false</t:CanCreateItems>
                    <t:CanCreateSubFolders>false</t:CanCreateSubFolders>
                    <t:IsFolderOwner>false</t:IsFolderOwner>
                    <t:IsFolderVisible>false</t:IsFolderVisible>
                    <t:IsFolderContact>false</t:IsFolderContact>
                    <t:EditItems>None</t:EditItems>
                    <t:DeleteItems>None</t:DeleteItems>
                    <t:ReadItems>None</t:ReadItems>
                    <t:PermissionLevel>None</t:PermissionLevel>
                  </t:Permission>
                  <t:Permission>
                    <t:UserId>
                      <t:DistinguishedUser>Anonymous</t:DistinguishedUser>
                    </t:UserId>
                    <t:CanCreateItems>false</t:CanCreateItems>
                    <t:CanCreateSubFolders>false</t:CanCreateSubFolders>
                    <t:IsFolderOwner>false</t:IsFolderOwner>
                    <t:IsFolderVisible>false</t:IsFolderVisible>
                    <t:IsFolderContact>false</t:IsFolderContact>
                    <t:EditItems>None</t:EditItems>
                    <t:DeleteItems>None</t:DeleteItems>
                    <t:ReadItems>None</t:ReadItems>
                    <t:PermissionLevel>None</t:PermissionLevel>
                  </t:Permission>
                  <t:Permission>
                    <t:UserId>
                      <t:SID>S-1-5-21-1337771579-694202782-848329751-1535223</t:SID>
                      <t:PrimarySmtpAddress>sadie@Contoso.com</t:PrimarySmtpAddress>
                      <t:DisplayName>Sadie Daniels</t:DisplayName>
                    </t:UserId>
                    <t:CanCreateItems>true</t:CanCreateItems>
                    <t:CanCreateSubFolders>false</t:CanCreateSubFolders>
                    <t:IsFolderOwner>false</t:IsFolderOwner>
                    <t:IsFolderVisible>true</t:IsFolderVisible>
                    <t:IsFolderContact>false</t:IsFolderContact>
                    <t:EditItems>All</t:EditItems>
                    <t:DeleteItems>All</t:DeleteItems>
                    <t:ReadItems>FullDetails</t:ReadItems>
                    <t:PermissionLevel>Editor</t:PermissionLevel>
                  </t:Permission>
                </t:Permissions>
              </t:PermissionSet>
              <t:UnreadCount>0</t:UnreadCount>
            </t:Folder>
          </m:Folders>
        </m:GetFolderResponseMessage>
      </m:ResponseMessages>
    </m:GetFolderResponse>
  </s:Body>
</s:Envelope>

Next, use the UpdateFolder operation to send the updated PermissionSet, which does not include the Permission for the removed user.

This is also the XML request that the EWS Managed API sends when you call the Update method to remove folder permissions.

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages"
               xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types"
               xmlns:soap="https://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <t:RequestServerVersion Version="Exchange2007_SP1" />
  </soap:Header>
  <soap:Body>
    <m:UpdateFolder>
      <m:FolderChanges>
        <t:FolderChange>
          <t:FolderId Id="EAAAAA=="
                      ChangeKey="AQAAABYAAADOilbYa8KaT7ZgMoTz2P+hAAABiRd5" />
          <t:Updates>
            <t:SetFolderField>
              <t:FieldURI FieldURI="folder:PermissionSet" />
              <t:Folder>
                <t:PermissionSet>
                  <t:Permissions>
                    <t:Permission>
                      <t:UserId>
                        <t:DistinguishedUser>Default</t:DistinguishedUser>
                      </t:UserId>
                      <t:PermissionLevel>None</t:PermissionLevel>
                    </t:Permission>
                    <t:Permission>
                      <t:UserId>
                        <t:DistinguishedUser>Anonymous</t:DistinguishedUser>
                      </t:UserId>
                      <t:PermissionLevel>None</t:PermissionLevel>
                    </t:Permission>
                  </t:Permissions>
                </t:PermissionSet>
              </t:Folder>
            </t:SetFolderField>
          </t:Updates>
        </t:FolderChange>
      </m:FolderChanges>
    </m:UpdateFolder>
  </soap:Body>
</soap:Envelope>

The server responds to the UpdateFolder request with an UpdateFolderResponse message that includes a ResponseCode element value of NoError, which indicates that the update was successful.

Updating folder permissions by using the EWS Managed API

You can also update folder permissions for a specific folder by using the EWS Managed API. To update the permissions:

  1. Remove the folder permissions for the outdated permissions, but do not call the Update method (yet).

  2. Add folder permissions for the new or changed users.

  3. Call the Update method to save the changes.

If you try to add two sets of permissions for the same user, you will receive a ServiceResponseException error with the following description: "The specified permission set contains duplicate UserIds". In that case, remove the current permissions from the Permission collection, then add the new permissions to the Permission collection.

Updating folder permissions by using EWS

You can also update folder permissions for specific folders by using EWS by combining the removal and addition process. To update the permissions:

  1. Retrieve the folder's current permissions by using the GetFolder operation.

  2. Send an updated list of permissions by using the UpdateFolder operation.

These are the same two operations you use to enable or remove access by using EWS. The only difference is that when you receive the GetFolder response, it will contain a Permission set for user. Simply replace that existing Permission element with the new Permission element, and then send the UpdateFolder operation with the new Permission value or values.

If you try to add two sets of permissions for the same user, you will receive a ResponseCode value of ErrorDuplicateUserIdsSpecified. In that case, remove the outdated Permission value for the user from the request and then retry the request.

Next steps

After you give a user permission to a specific folder, the user can access the folder as a delegate. For more information, see:

See also