Requirements for delegation permissions synchronization

Last published: Apr 17, 2026

Table: Requirements for delegate permissions synchronization lists the conditions under which a CloudLink task considers a delegate for delegate permissions synchronization.

Table: Requirements for delegate permissions synchronization

| Delegate type | Requirement for delegate permissions synchronization |
| --- | --- |
| User | The user must have a pre-existing archive account. |
| Mail-enabled security group | The synchronization task must target the group. |

Note that if the delegate type is a user, there is no requirement for the task to target the user, provided the user already has an archive account. Conversely, if the delegate type is a group, the task must target the group for the delegation permissions to be synchronized.

Access restrictions when the requirements are not met for a delegate with deny permission

Table: Delegate access restrictions if a delegate has a deny permission and synchronization requirements are not met lists the restrictions on delegate access if the synchronization requirement is not met for a delegate with a Deny delegation permission.

Table: Delegate access restrictions if a delegate has a deny permission and synchronization requirements are not met

| Delegate type with Deny permission | If this situation applies | Synchronization task takes this action | Result |
| --- | --- | --- | --- |
| User | The user does not have a pre-existing archive account. | The task removes any existing synchronized delegate permissions for the delegated mailbox. | No-one has delegate access to the mailbox archive. |
| Mail-enabled security group | The synchronization task does not target the group. | The task removes any existing synchronized delegate permissions for the delegated mailbox. | No-one has delegate access to the mailbox archive. |

Arctera Insight Archiving imposes these delegate access restrictions to ensure that users do not gain delegate access to archive accounts when a Deny delegation permission may have been set to prevent it.
Figure: Example: Mailbox with delegation permissions set for users and mail-enabled security groups shows a user mailbox or shared mailbox to which the Exchange administrator has assigned a number of mailbox delegation permissions.
Figure: Example: Mailbox with delegation permissions set for users and mail-enabled security groups
In this example, the Exchange administrator has granted User A and members of Group 1 Full Access permission to the mailbox. In contrast, User B and members of Group 2 have been given Deny Full Access permission. Assuming that CloudLink has synchronized all of these delegation permissions, then User A and members of Group 1 have access to the delegated mailbox archive, subject to the precedence of any deny delegation permissions.
  • But suppose that User B does not have an archive account. Since User B has a deny delegation permission, the task removes any synchronized delegation permissions for the mailbox. No-one has delegate access to the mailbox archive.
  • Or suppose that Group 2 is not targeted by the synchronization task, or that it becomes no longer targeted by a recurring synchronization task. For example, the group could be moved to an organizational unit that is not within the scope of the task. The task removes any synchronized delegation permissions for the mailbox, so that no-one has delegate access to the mailbox archive.
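
The rules in the two tables can be modeled as a pre-check to run over an exported delegation list before a synchronization task, to see which mailboxes would lose all delegate access. This is an added example, not Arctera or CloudLink code; the Delegate fields, the function names and the sample mailbox are assumptions constructed from the figure's description, and skipping an allow delegate that does not meet its requirement is this example's reading of the requirements table.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Delegate:
    name: str
    kind: str                          # "user" or "group" (mail-enabled security group)
    permission: str                    # "allow" or "deny" (Full Access)
    has_archive_account: bool = False  # only checked for users
    targeted_by_task: bool = False     # only checked for groups

def meets_requirement(d: Delegate) -> bool:
    """Requirements table: a user needs a pre-existing archive account;
    a group must be targeted by the synchronization task."""
    if d.kind == "user":
        return d.has_archive_account
    if d.kind == "group":
        return d.targeted_by_task
    raise ValueError(f"unknown delegate type: {d.kind!r}")

def plan_sync(delegates):
    """Return (action, synchronized, blockers) for one delegated mailbox."""
    # Any Deny delegate that fails its requirement makes the task remove
    # every synchronized delegate permission for the mailbox.
    blockers = [d.name for d in delegates
                if d.permission == "deny" and not meets_requirement(d)]
    if blockers:
        return "remove_all", [], blockers
    # Otherwise only delegates that meet their requirement are considered.
    synced = [(d.name, d.permission) for d in delegates if meets_requirement(d)]
    return "synchronize", synced, []

def figure_mailbox(user_b_has_archive=True, group_2_targeted=True):
    """Constructed sample data mirroring the figure's four delegates."""
    return [
        Delegate("User A", "user", "allow", has_archive_account=True),
        Delegate("Group 1", "group", "allow", targeted_by_task=True),
        Delegate("User B", "user", "deny", has_archive_account=user_b_has_archive),
        Delegate("Group 2", "group", "deny", targeted_by_task=group_2_targeted),
    ]

if __name__ == "__main__":
    for label, mailbox in [
        ("all requirements met", figure_mailbox()),
        ("User B has no archive account", figure_mailbox(user_b_has_archive=False)),
        ("Group 2 not targeted", figure_mailbox(group_2_targeted=False)),
    ]:
        action, synced, blockers = plan_sync(mailbox)
        print(f"{label}: {action} synced={synced} blockers={blockers}")
```

The blockers list names the deny delegates to fix (create the archive account, or bring the group back into the task's scope) before delegate access to the archive can be restored.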