Access Control Lists Rights Reference
*************************************

Access rights in Cyrus IMAP are fully compatible with **RFC 4314**,
*IMAP4 Access Control List (ACL) Extension*, which has obsoleted **RFC
2086**.

Additional documentation on Access Control is available in the
following documents:

* Combining Access Rights

* Access Control Defaults


Individual Rights Reference
===========================


"l"
---

   Stands for **lookup**.

   The ACI subject can lookup this folder, and see that the folder
   exists, meaning the folder will appear in the response to a "LIST
   "" "*"" command issued by a client.

   Folders to which the ACI subject has no lookup rights may still be
   subscribed to. The lookup right is only required if Cyrus IMAP has
   been configured with the "allowallsubscribe" setting to "0".

   This setting defaults to "0". In a Cyrus IMAP Murder, this setting
   is typically set to "1".

   The l right can be assigned to a folder, without the l right having
   been given out for the parent folder. Cyrus IMAP will pretend the
   parent folder does not exist;

   **RFC 4314**, states the following example in section 4:

      Note that if the user has l right to a mailbox "A/B", but not to
      its parent mailbox "A", the "LIST" command should behave as if
      the mailbox "A" doesn't exist, for example:

         C: A777 LIST "" *
         S: * LIST (\NoInferiors) "/" "A/B"
         S: * LIST () "/" "C"
         S: * LIST (\NoInferiors) "/" "C/D"
         S: A777 OK LIST completed


"r"
---

   Stands for **read**.

   The ACI subject can read the contents of this folder, meaning that
   the ACI subject is allowed to "SELECT" or "EXAMINE" the folder,
   query its "STATUS", "FETCH" data, "SEARCH" the contents, and "COPY"
   contents from the folder.

   The r right also allows the user to "GETMETADATA" when used in
   conjunction with the l right, as defined in **RFC 5464**.


"s"
---

   Stands for **seen**.

   The ACI subject is permitted to maintain the ACI subject's seen
   state for this folder, or the shared seen state in case the
   "/vendor/cmu/cyrus-imapd/sharedseen" has been set to "1" (see
   NAME).

   Additionally, the "\Recent" flags are preserved for the ACI
   subject.


"w"
---

   Stands for **write**.

   The ACI subject is permitted to write to the folder, actually
   meaning the ACI subject is permitted to maintain flags and keywords
   other then "\Seen" and "\Deleted", which are controlled using the s
   and t rights respectively.

   The w right also allows the user to "SETMETADATA" when used in
   conjunction with the l and r rights, as defined in **RFC 5464**.

   Note:

     IMAP clients may expect to be able to set flags other than
     "\Seen" and "\Deleted" and attempt to set those flags immediately
     along with a "Mark as read" action, but without the ACI subject
     actually being permitted to set some of those flags through the w
     right.**RFC 4314**, section 4., page 15, states that the server
     SHOULD NOT fail, as the tagged NO response is not handled very
     well by deployed clients.In order to comply, we have Bug #1375,
     as Cyrus IMAP currently does seem to issue a tagged "NO"
     response.


"i"
---

   Stands for **insert**.

   The ACI subject is permitted to insert content into a folder,
   meaning the ACI subject may "COPY" messages with this folder as the
   target folder, and may "APPEND" messages to this folder.


"p"
---

   Stands for **post**.

   The post right currently is exclusive to Cyrus IMAP, and allows the
   ACI subject to send email to the submission address for the
   mailbox.

   This right differs from the i right in that the delivery system
   inserts trace information into submitted messages.

   Example implementations using the p right include shared folders to
   which specific recipient addresses are delivered through LMTP pre-
   authorized as the "postuser", which must then also have the p right
   on the target folder.


"c"
---

   Stands for **create**.

   The create right is a right introduced with **RFC 2086**,
   indicating the ACI subject's right to create new sub-folders in the
   parent folder on which this right has been assigned, but also to
   delete the same folder.

   Since **RFC 4314**, the c right has been replaced with the k right
   to allow the ACI subject to "CREATE" folders, and the x right to
   allow the ACI subject to "DELETE" folders.

   Important:

     The c right should no longer be used. It will be deprecated
     completely in version 3.0.While Cyrus IMAP is backwards
     compatible when it comes to the c right, which it implements as
     implying as the k right, implementations should not count on the
     c right backwards compatibility to be around forever, and fully
     implement the successor rights k and x.


"k"
---

   The ACI subject has the right to "CREATE" a new folder if the k
   right exists on the parent folder of the folder to be created.

   The rights required for a "RENAME" to be successful could be
   illustrated by describing a "RENAME" as a "CREATE" of the new
   folder, not exactly followed by a "COPY" on the old folder's
   contents, but more like a move like on a filesystem, and finally a
   "DELETE" on the old folder.

   As such, the k is the right required on the parent folder of the
   target folder, and the x right on the source folder.

   To further illustrate, suppose the ACI subject has the k right on
   folder "C/", and the x right on folder "A/B". The execution of the
   command "RENAME A/B C/B" would succeed.


"a"
---

   Stands for **administer**.

   The ACI subject is allowed to administer the folder, meaning the
   ACI subject is allowed to perform administrative operations on the
   folder.

   The a right is needed to successfully execute "SETACL", "DELETEACL"
   (short for "SETACL """) and to execute "GETACL" or "LISTRIGHTS".

   Note:

     IMAP clients may issue a "GETACL" in order to obtain the ACI
     subject's rights on the folder, where they should be using
     "MYRIGHTS", as "GETACL" or "LISTRIGHTS" return the full Access
     Control List, including other ACI subject's identifiers.However
     unless the ACI subject has the a right on a folder, issuing a
     "GETACL" or "LISTRIGHTS" will cause Cyrus IMAP to send a tagged
     "NO: Permission denied" response if the ACI subject has the l
     right on the folder, and a "NO: No Such Mailbox" response
     otherwise, as per section 8 of **RFC 2086** and section 6 of
     **RFC 4314** -- both conveniently called *Security
     Considerations* -- which state that the IMAP server must not
     inadvertently admit the mailbox exists.


"x"
---

   Use the x right to indicate the ACI subject has the right to
   "DELETE" the folder on which the ACL is set, as opposed to the now
   obsolete c right or d right.


"t"
---

   The ACI subject is allowed to delete messages from this folder,
   meaning that the ACI subject is allowed to flag messages as
   "\Deleted".

   In IMAP, messages are only actually deleted (i.e. in a way that
   makes them invisible to users of the folder) after the folder's
   contents have been expunged.

   For the corresponding "EXPUNGE" command however, the e right is
   required.


"n"
---

   The ACI subject is allowed to annotate individual messages in this
   folder, in compliance with **RFC 5257**.

   Note:

     The ACI subject must also have at least the r right, as otherwise
     the ACI subject won't know which messages are available to
     annotate.This is not explicitly mentioned in the **RFC 5257**,
     but implied.


"e"
---

   Stands for **expunge**.

   The ACI subject is allowed to expunge messages in this folder,
   meaning the ACI subject has the right to remove all messages that
   have been flagged as "\Deleted" from all visibility.

   In IMAP, expunging messages only applies to messages flagged as
   "\Deleted". For the ACI subject to be able to flag messages as
   "\Deleted" however, the t right is required.

   We say "remove from all visibility", because the implementation of
   expunging messages in Cyrus IMAP is subject to the "expunge_mode"
   setting in imapd.conf(5), which when set to "delayed" only causes
   the reference to the expunged messages to be deleted from the
   folder index database -- effectively removing the expunged
   message(s) from all visibility, while the individual message files
   remain in place on the Cyrus IMAP server filesystem.

   See also:

     * Deleting and Undeleting Messages and Folders

   Note:

     IMAP clients may expect to be able to "EXPUNGE" a folder
     regardless of the availability of the e right to the current
     user.


"d"
---

   Stands for **delete**.

   This is the legacy **RFC 2086** access control right for the
   "DELETE" command.

   In versions of Cyrus IMAP implementing only this right (prior to
   2.3.7), ACI subjects were allowed to flag messages as "\Deleted",
   and "EXPUNGE" and "DELETE" folders.

   The delete right has been split in to three separate rights, t
   (flag messages as "\Deleted"), e ("EXPUNGE" folder) and x ("DELETE"
   folder).

   Note:

     The "deleteright" setting in imapd.conf(5) controls the **RFC
     2086** right which controls whether or not the ACI subject may
     delete a folder. However, this setting (as the original
     specification for the delete right was considered ambiguous) is
     ignored, and if it is set to c, is automatically converted to the
     x right.

   Important:

     Even though Cyrus IMAP is backwards compatible when it comes to
     the d right, which it implements as implying as the e and t
     rights, implementations should not count on the d right backwards
     compatibility to be around forever, and instead fully implement
     the successor rights e, t and x rights.
