Lotus Notes ACL & Delegation versus Outlook Permissions & Delegation – Part 1
By Conrad Murray
Delegate Access is most commonly used between a manager and assistant, where the assistant (delegate) is responsible for processing the manager’s incoming meeting requests or email messages and coordinating the manager’s schedule. Delegate Access can be used between peers; e.g., to coordinate schedules. However, Delegation and Sharing are also a function of Shared Mailboxes / Mail-In Databases.
The process of comparing, mapping and migrating different types of Mailfile/Mailbox delegation & permissions from IBM Lotus Notes to Microsoft Outlook/Exchange is a tricky one.
Understanding both sides of the ledger is the key to a successful transition.
Lotus Notes Delegation typically also provides full mailbox sharing of all folders, whereas Outlook Delegation is all about Inbox & Calendar and Send-on-Behalf-of.
Before embarking on an attempt to migrate Delegation and/or Permissions, a decision should be made up front whether to actually migrate the Delegation & Permissions or to simply Audit and Send the ACL / Delegation information to the mail file owner so that they may re-create them at their leisure. Quite often over a long period of time Mailfile owners may not be aware of who actually still has access to their Mailfile and are quite often surprised when presented with this information! A greenfield approach may actually be the better solution to the problem.
Binary Tree’s CMT for Exchange toolset can audit Mailfile and Mail-In Database ACL entries. This information can be emailed to the user so that they may consider re-creating the Delegation/Permissions in their target Outlook Mailbox or perhaps asking an Administrator to do this.
Moving forward there are a number of key differences in how IBM Lotus Notes & Domino and Microsoft Outlook & Exchange apply Permissions and Delegation.
- Delegation & Permission equivalents
- Full Mailbox permissions
- Cascaded Folder sharing
  - (Lotus Notes applies this by default)
- Send As / Send on Behalf of permissions
- Sent Item & Deleted Item storage
- Out of Office is also potentially a function of Permissions Delegation and is covered in this blog also.
Knowing the above points and planning how to effectively map & match them is crucial.
Delegation & Permission equivalents
If these are your Lotus Notes Delegation options, ask yourself – what are the Outlook equivalents?
Outlook by Default gives Send on Behalf of to any Delegated user with Editor Access to the Inbox
Access options for Mailfile / Mailbox

|Lotus Notes|Microsoft Outlook|
|---|---|
|No Access: Delegate cannot access anything in that category|None: Delegate cannot access anything in that category|
|Read any document: Gives Reader access so delegate can read your messages, to do items, and calendar and contact entries|Reviewer: Delegate has read only access to that category/folders|
|Read and create any document, send mail on your behalf: Gives Reader access as stated above, plus Author access and Create documents privilege so delegate can create and send messages, create to do items, and create calendar and contact entries for you|Author: Delegate can read and create items in those category/folders, and change and delete items that he or she creates. A delegate can create task requests and meeting requests directly in your Task or Calendar folder and then send the item on your behalf.|
|Read, edit, and create any document, send mail, enable Out-of-Office: Gives Reader and Author access, and Create documents privilege as stated above, plus Editor access so delegate can edit messages, to do items, and calendar or contact entries for you, as well as flag messages for follow-up and enable out-of-office notification|Full Mailbox Permissions: Delegate can read, create, and modify ALL items in that category/folder including their own and others. To set Out of Office, Full Mailbox Access is needed. Note in Notes the lack of DELETE Items though.|
|Read, edit, create, and delete any document, send mail, enable Out-of-Office: Gives Reader, Author and Editor access, and Create documents privilege as stated above, plus Delete documents privilege to delete any document, including messages, to do items, and calendar and contacts entries|Full Mailbox Permissions: Delegate can read, create, and modify ALL items in that category/folder including their own and others. To set Out of Office, Full Mailbox Access is needed.|
|Read/create any document, delete documents they created, send mail on your behalf: Gives Reader and Author access, and Create and Delete documents privileges as stated above, but delegate can delete only documents they created for you, and cannot delete documents created by you or others|Editor: Delegate can read, create, and modify ALL items in that category/folder including their own and others|

Access options for Calendar, To Do, and Contacts only

|Lotus Notes Preferences Option|Outlook Options Equivalent|
|---|---|
|Read any Calendar Entry, To Do, or Contact: Gives Reader access so delegate can read all to do items, and calendar and contact entries|Reviewer: Delegate has read only access to that category/folders|
|Read, create, edit, and delete any Calendar Entry, To Do, and Contact: Gives Reader access as stated above, plus Author and Editor access and Create and Delete documents privileges, so delegate can create, edit, and delete to do items, and calendar and contact entries|Editor: Delegate can read, create, and modify ALL items in that category/folder including their own and others|
Full Mailbox Permissions
Yes, EDITOR with SendOnBehalfOf would often be sufficient, but Full Mailbox Permissions allows Out of Office enablement.
Full Mailbox also allows the user to add the Mailbox to the profile for easy filing, which is normally a key duty of a Personal Assistant.
Full Mailbox assigned to individuals also allows Outlook and Exchange to work together to implement the new auto-mapping feature whereby a Delegated User will automatically have the Owner Mailbox appear in their Outlook Profile.
Full Mailbox Access allows delegates to log in to that Mailbox via OWA.
Full Mailbox Permissions are required to set Out of Office for a Mailbox. You would need to create a Second Outlook Profile for this purpose or simply log in to OWA.
Full Mailbox Access can only be granted by an Exchange Administrator
Cascaded Folder sharing / Folder Permissions and Visibility
In Lotus Notes all Access and Delegation provides the recipient/delegate with Full Folder visibility from the root folder to all cascaded/nested folders with the exception of Lotus Notes Private Folders.
The ACL exception to this is Depositor; all other levels (Author, Reader, Editor, Designer and Manager) will see all folders and views in a Mailfile, except for Lotus Notes Private Folders. These can only be accessed by the Notes ID that created them.
A note on Private Folders: only the folder itself can’t be seen. Documents inside a Private Folder can still be seen in other Shared Folders and Views, including the All Documents view and Sent Items view.
In Exchange/Outlook the Mailbox Owner needs to share out every folder explicitly. This can be a tedious and tiresome task if the user has a large number of folders, and often results in the Mailbox Owner resorting to providing Full Mailbox Permissions – a far greater level of access than should be required.
However, in Exchange 2010 there is a way.
Prior to Exchange 2010 there was no simple way to assign MAPI permissions to all of these Outlook folders. Exchange 2010 has added the Add-MailboxFolderPermission cmdlet which allows an administrator to now complete this task from the Exchange Management Shell.
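A sketch of how an administrator might use the cmdlet to mirror the Notes "all folders" behaviour without handing out Full Mailbox Permissions. This is an added example, not a script from the original post; the mailbox and delegate aliases are hypothetical, and the list of skipped folder types is an assumption to adjust for your environment.

```powershell
# Added example: run in the Exchange Management Shell (Exchange 2010).
$Owner    = 'manager.alias'     # hypothetical: mailbox being shared
$Delegate = 'assistant.alias'   # hypothetical: user receiving access
$Rights   = 'Reviewer'          # read-only; raise to Author/Editor only where required

# Folder types that should not be shared (dumpster and sync folders).
# Assumption: check these against what Get-MailboxFolderStatistics reports for you.
$SkipTypes = 'RecoverableItems*', 'SyncIssues', 'Conflicts', 'LocalFailures', 'ServerFailures'

$folders = Get-MailboxFolderStatistics -Identity $Owner | Where-Object {
    $type = [string]$_.FolderType
    -not ($SkipTypes | Where-Object { $type -like $_ })
}

foreach ($f in $folders) {
    # Statistics report "/Inbox/Sub"; the permission cmdlets expect "alias:\Inbox\Sub".
    if ($f.FolderType -eq 'Root') {
        $id = "${Owner}:\"      # the mailbox root must be visible for the tree to expand
    } else {
        $id = "${Owner}:" + $f.FolderPath.Replace('/', '\')
    }

    $existing = Get-MailboxFolderPermission -Identity $id -User $Delegate -ErrorAction SilentlyContinue
    if ($existing) {
        # Add-MailboxFolderPermission fails when an entry already exists, so overwrite it.
        Set-MailboxFolderPermission -Identity $id -User $Delegate -AccessRights $Rights -WhatIf
    } else {
        Add-MailboxFolderPermission -Identity $id -User $Delegate -AccessRights $Rights -WhatIf
    }
}
# -WhatIf makes this a dry run: review the listed folders, then remove it to apply.
```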
Send on Behalf and Send As
Send on Behalf and Send As are similar in fashion.
Send on Behalf will allow a user to send as another user while showing the recipient that it was sent from a specific user on behalf of another user. What this means is that the recipient is aware of who actually initiated the message, regardless of who it was sent on behalf of. This may not be what you are looking to accomplish.
Send As. In many cases, you may want to send as another person and you do not want the recipient to be aware of who initiated the message. Of course, a possible downside to this is that if the recipient replies, the reply may go to a user who did not initiate the sent message and who might be confused, depending on the circumstances. Send As can be useful in a scenario where you are sending as a mail-enabled distribution group or a Shared Mailbox. If someone replies, it will go to that Distribution Group or Shared Mailbox, which ultimately gets sent to every user who is a part of that distribution group. This article explains how to use both methods.
This is a good article explaining Send on Behalf and Send As
We would strongly recommend the use of Exchange Mailbox Auditing with Send As.
Send on Behalf of in Lotus Notes
In Lotus Notes, if you send a mail from another user’s mail file or Mail-In Database, using your own ID, the mail will be sent “on behalf of”.
Send on Behalf of in Exchange/Outlook 2010
To send mail from another user’s Exchange Mailbox you need to be granted “SendOnBehalfOf” rights, (and additional Sharing Properties if you want to add that Mailbox to your Logged in Outlook Profile)
Send As – aka impersonation
Lotus Notes Delegation applies Send On Behalf Of immediately to delegated users.
True Send As capability in Lotus Notes is really only possible by switching ID or by changing the Mailfile Owner information, whereas in Exchange this feature can be applied at the Mailbox level.
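The two grants and the recommended auditing, as they might be applied from the Exchange Management Shell. This is an added example, not from the original post; the mailbox and delegate names are hypothetical, and it assumes Exchange 2010 SP1 or later, where mailbox audit logging is available.

```powershell
# Added example: 'shared.sales' and 'assistant.alias' are hypothetical names.
$Mailbox  = 'shared.sales'
$Delegate = 'assistant.alias'

# Option 1 - Send on Behalf: recipients see "<delegate> on behalf of <mailbox>".
Set-Mailbox -Identity $Mailbox -GrantSendOnBehalfTo @{ Add = $Delegate }

# Option 2 - Send As: recipients see only the mailbox name, so the real sender
# is invisible to them. It is granted as an Active Directory extended right.
$dn = (Get-Mailbox -Identity $Mailbox).DistinguishedName
Add-ADPermission -Identity $dn -User $Delegate -ExtendedRights 'Send As'

# Because Send As hides the sender from recipients, record delegate sends
# in the mailbox audit log so they remain attributable.
Set-Mailbox -Identity $Mailbox -AuditEnabled $true -AuditDelegate SendAs, SendOnBehalf

# Review which delegate actually sent from the mailbox over the last 30 days.
Search-MailboxAuditLog -Identity $Mailbox -LogonTypes Delegate -ShowDetails `
        -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) |
    Where-Object { 'SendAs', 'SendOnBehalf' -contains $_.Operation } |
    Select-Object LastAccessed, Operation, LogonUserDisplayName, ItemSubject
```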
Saving Sent Items
In Lotus Notes, Sent Items are saved directly in the Mail File from where they are sent.
Exchange/Outlook 2007/Outlook 2010
In Exchange/Outlook 2007 this is not the case by default. Exchange behaviour by design is that the actual Sender of the email is the user that has the Sent Item in their mailbox.
However a Registry Key fix can be deployed to mimic this behaviour.
As long as the user utilises the FROM option, the Outlook Client is configured in cache mode, and the Shared/Delegated Mailbox is attached in your Profile, Sent Items will be saved in that Mailbox.
When you send an e-mail message from a shared mailbox in Outlook 2007, the sent message is not saved in the Sent Items folder of the shared mailbox
If using Exchange 2010 you can use the Set-MailboxSentItemsConfiguration cmdlet; see Microsoft Knowledge Base article 2632409.
Note If you must use Outlook in Online mode and if your mailbox is located on an Exchange Server 2010 server, the Exchange administrator can configure similar behavior on the server.
Update Rollup 4 for Exchange Server 2010 Service Pack 2 introduces a new Exchange PowerShell cmdlet to configure which Sent Items folder a message is copied to. Because this new feature is handled by the Exchange server, Outlook can be configured for either Online or Cached Exchange mode.
However, the Exchange server feature only works if the Outlook DelegateSentItemsStyle registry value is disabled.
Deleted Items Storage
Deleted items are always stored in the Primary user’s Mailbox, i.e. the person “doing the deletion”.
Outlook provides a Windows Registry setting to switch the destination of deleted items to the mailbox owner’s Deleted Items folder.
To Switch the Destination of Deleted Items
Setting Out of Office
Full Mailbox Permissions are required to set Out of Office for a Mailbox. Alternatively an Exchange 2010 Administrator can use the Set-MailboxAutoReplyConfiguration cmdlet to set Out of Office
To set up out of office messages by using Exchange 2010 PowerShell, run the following cmdlet in the Exchange PowerShell window to configure detailed information about the out of office message setup:
Set-MailboxAutoReplyConfiguration <alias> -AutoReplyState enabled -ExternalAudience all -InternalMessage <Message to internal senders> -ExternalMessage <Message to external senders>
Outlook – Delegate Access to Exchange Accounts (Sharing)
Setting Permissions on a Mailbox
Set Outlook Folder Permissions using PowerShell
How to set out of office messages by using Exchange 2010 PowerShell
Send on Behalf and Send As
Email that you send on behalf of someone is not saved in their Sent Items folder
Save in the Sent Items folder of the shared mailbox / Owner Mailbox
Enables an administrator to configure which Sent Items folder a message is copied to (Exchange 2010)
To Switch the Destination of Deleted Items
To Delegate access to your mail (Lotus Notes 8.5.x)
Versions used: IBM Lotus Notes Mailfile Template 8.5.3 to Microsoft Exchange & Outlook 2010.
Whilst permission types and delegation may hold true for previous versions, I have only used versions stated above for research and application purposes.
This blog does not seek to define best practice use of ACLs and Delegation especially the debate surrounding Groups or Individuals!