mdip - 29 days ago
C# Question

How to get "What other users' calendars can a user edit" from Exchange

I'm trying to find what other users' calendars a given user has editor rights over in a server-side C# application.

In the web application I'm writing, when a user has "Calendar Edit" permissions for another user, our customer would like them to be able to modify that other user's configuration within our application. As a result, when a user logs into our web application, we need to be able to get who those users are to display them to the target user.

I looked into EWS and PowerShell cmdlets that are able to get me "A list of users with editor rights to this mailbox's calendar", but none that handle "A list of calendars this user can edit". It's making me think it will be a similar problem to determining filesystem rights (i.e., it's one call to ask "Give me the users who can access this specific filesystem folder", but an operation of enumerating/evaluating all of the ACLs in the filesystem to answer "give me all of the folders this user has access to").

While I can go the route of "get permissions for every mailbox's default calendar" and map it to users within our application, it'd involve a delay between permissions being granted and the application knowing about those permissions.

I've been looking at EWS and PowerShell for this, but I'm not limited by those APIs. The application runs on Windows Server 2012+ and can be assigned whatever permissions it requires to get at this information (it's not running as the user, but rather a service account). But I'm open to any API/method that can get at this information provided it's faster than a large mailbox ACL enumeration operation.

So I'm wondering, is there a PowerShell command or EWS method that will retrieve, for a user, all of the folders in all of the mailboxes in an Exchange environment that the user has access to?

EDIT: It appears the answer is as I suspected: No, there is not. The only option is to enumerate mailboxes for permissions.

Answer

> It's making me think it will be a similar problem to determining filesystem rights (i.e., it's one call to ask "Give me the users who can access this specific filesystem folder", but an operation of enumerating/evaluating all of the ACLs in the filesystem to answer "give me all of the folders this user has access to").

It's exactly the same problem: there is no back-linking of the ACLs, so your only way of knowing if a user has been granted access to a particular folder in another user's mailbox is to enumerate all the target mailboxes (if the permissions have been granted via Outlook Delegates then that's another story, because there is back-linking of delegates). Generally the easiest method would be to use Get-MailboxFolderPermission (https://technet.microsoft.com/en-us/library/dd335061(v=exchg.160).aspx) on the Calendar folder. That cmdlet will run with delegated RBAC rights (making it a more secure way of doing it) rather than needing explicit rights that any of the mailbox APIs would require or EWS Impersonation.
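
The enumeration described in the answer above, as an added example that is not part of the original post: it walks every mailbox, reads the ACL of its default calendar with Get-MailboxFolderPermission, and inverts the result into a "grantee -> calendars they can edit" index. It assumes an Exchange Management Shell (or imported remote) session; the function name, the set of roles counted as edit access, and the sample grantee are assumptions.

```powershell
# Added example: build a reverse index "grantee -> calendars they can edit".
# Assumes the service account holds an RBAC role that permits Get-Mailbox,
# Get-MailboxFolderStatistics and Get-MailboxFolderPermission.

# Roles treated as "can edit" are an assumption; custom rights sets
# (individual rights rather than a named role) are not matched here.
$editRoles = 'Editor', 'PublishingEditor', 'Owner'

function Get-CalendarEditorIndex {   # hypothetical helper name
    $index = @{}   # key: grantee as shown in the ACL, value: mailbox SMTP addresses

    foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        $smtp = $mbx.PrimarySmtpAddress.ToString()

        # The default calendar folder name is localized, so find it by type.
        $calendar = Get-MailboxFolderStatistics -Identity $smtp -FolderScope Calendar |
            Where-Object { $_.FolderType -eq 'Calendar' } |
            Select-Object -First 1
        if (-not $calendar) { continue }

        $folderId = '{0}:\{1}' -f $smtp, $calendar.Name
        try {
            $entries = Get-MailboxFolderPermission -Identity $folderId -ErrorAction Stop
        } catch {
            Write-Warning "Skipping ${folderId}: $($_.Exception.Message)"
            continue
        }

        foreach ($entry in $entries) {
            # Default and Anonymous are not individual grantees.
            $grantee = $entry.User.ToString()
            if ($grantee -in 'Default', 'Anonymous') { continue }

            # AccessRights is a collection; match any role counted as edit access.
            $hits = @($entry.AccessRights | Where-Object { $editRoles -contains "$_" })
            if ($hits.Count -gt 0) {
                if (-not $index.ContainsKey($grantee)) {
                    $index[$grantee] = New-Object System.Collections.Generic.List[string]
                }
                $index[$grantee].Add($smtp)
            }
        }
    }
    return $index
}

# Usage: 'Jane Doe' is a constructed sample grantee.
$index = Get-CalendarEditorIndex
$index['Jane Doe']
```

Because the index is a snapshot, a permission that has been revoked stays in it until the next run, so an application that authorizes edits from it should re-check the specific target calendar's ACL at the time of the edit.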