RFC 2086 (rfc2086) - Page 2 of 8


IMAP4 ACL extension



Alternative Format: Original Text Document



RFC 2086                     ACL extension                  January 1997


3.   Introduction and Overview

   The ACL extension is present in any IMAP4 implementation which
   returns "ACL" as one of the supported capabilities to the CAPABILITY
   command.

   An access control list is a set of  pairs.

   Identifier is a US-ASCII string.  The identifier anyone is reserved
   to refer to the universal identity (all authentications, including
   anonymous). All user name strings accepted by the LOGIN or
   AUTHENTICATE commands to authenticate to the IMAP server are reserved
   as identifiers for the corresponding user.  Identifiers starting with
   a dash ("-") are reserved for "negative rights", described below.
   All other identifier strings are interpreted in an implementation-
   defined manner.

   Rights is a string listing a (possibly empty) set of alphanumeric
   characters, each character listing a set of operations which is being
   controlled. Letters are reserved for ``standard'' rights, listed
   below.  The set of standard rights may only be extended by a
   standards-track document.  Digits are reserved for implementation or
   site defined rights.  The currently defined standard rights are:

   l - lookup (mailbox is visible to LIST/LSUB commands)
   r - read (SELECT the mailbox, perform CHECK, FETCH, PARTIAL,
       SEARCH, COPY from mailbox)
   s - keep seen/unseen information across sessions (STORE SEEN flag)
   w - write (STORE flags other than SEEN and DELETED)
   i - insert (perform APPEND, COPY into mailbox)
   p - post (send mail to submission address for mailbox,
       not enforced by IMAP4 itself)
   c - create (CREATE new sub-mailboxes in any implementation-defined
       hierarchy)
   d - delete (STORE DELETED flag, perform EXPUNGE)
   a - administer (perform SETACL)

   An implementation may tie rights together or may force rights to
   always or never be granted to particular identifiers.  For example,
   in an implementation that uses unix mode bits, the rights "wisd" are
   tied, the "a" right is always granted to the owner of a mailbox and
   is never granted to another user.  If rights are tied in an
   implementation, the implementation must be conservative in granting
   rights in response to SETACL commands--unless all rights in a tied
   set are specified, none of that set should be included in the ACL
   entry for that identifier.  A client may discover the set of rights
   which may be granted to a given identifier in the ACL for a given
   mailbox by using the LISTRIGHTS command.



Myers                       Standards Track