The ACL private extension for providing fine-grained access control is
implemented.  The commands are:

   tag SETACL MAILBOX mailbox identifier rights

      Changes the access control list on the specified mailbox so that
      the specified identifier is granted the permissions enumerated
      in rights.

      Identifier has implementation-defined semantics.  Possible
      variations of identifier interpretation include:

      * User names, as specified in the LOGIN command.

      * Named groups of users, presumably managed by some
        authorization service.

      * Only allowing identifiers supported by the operating system
        (e.g. ``user'', ``group'', and ``other'' for the Unix filesystem)

      * Whether rights granted to other mailboxes in an
        implementation-defined hierarchy are inherited

      * A portion of the identifier specifying an "authentication
        type".

        As an example, an implementation may control posting to a group
        based on the contents of the From: header:

        from$user               p

      * Whether the union of rights for matching identifiers are granted
        to a user or whether the rights for the most specific matching
        identifier is granted.

        As an example, for a mailbox with the following ACL:

        user                    lrsa
        group-user-is-in        lrsw

        One implementation may grant the user 'lrswa' rights, another
        may only grant the user 'lrsa'.

      * A prefix to an identifier name specifying the listed rights
        are to be removed from users who match the prefixed identifier.

        As an example, for a mailbox with the following ACL:

        group-user-is-in        lrsw
        -user                   w

        An implementation may grant the user 'lrs' rights.


      Rights is a string listing a (possibly empty) set of alphanumeric
      characters, each character listing a set of operations which is
      being controlled.  Letters [lowercase?] are reserved for
      ``standard'' rights, listed below.  Digits are reserved for
      implementation or site defined rights.  The standard rights are:

      l - lookup (folder is visible to FIND commands)
      r - read (SELECT the mailbox, perform CHECK, FETCH, PARTIAL,
          SEARCH, COPY from mailbox)
      s - keep seen/unseen information across sessions (STORE \SEEN flag)
      w - write (STORE flags other than \SEEN and \DELETED)
      i - insert (perform APPEND, COPY into mailbox)
      p - post (send mail to submission address for mailbox, not
          enforced by IMAP2/IMSP itself)
      c - create (CREATE new sub-folders in any implementation-defined
          hierarchy)
      d - delete (STORE \DELETED flag, perform EXPUNGE)
      a - administer (perform SETACL)

      An implementation may tie rights together or may force rights to
      always or never be granted.  For example, in an implementation
      that uses unix mode bits, the rights "wisd" are tied.  The "a"
      right is always granted to the owner and is never granted to
      another user.  If rights are tied in an implementation, it
      should be conservative in granting rights in response to SETACL
      commands--unless all rights in a tied set are specified, none
      should be used.  Numeric rights may not be tied.

   tag DELETEACL MAILBOX mailbox identifier

      Removes any portion of the access control list for mailbox for
      the specified identifier.

   tag GETACL MAILBOX mailbox

      Returns the access control list for mailbox in some set of
      unsolicited ACL replies.  There may not be more than one ACL
      reply specifying any given identifier.

      EXAMPLE:  A002 GETACL MAILBOX INBOX
                * ACL MAILBOX INBOX Fred rwipslda
                A002 Ok Getacl complete

   tag MYRIGHTS MAILBOX mailbox

      Returns the set of rights that the user has to mailbox in an
      unsolicited MYRIGHTS reply.


   Responses

   * ACL MAILBOX string string string

      This response occurs as a result of a GETACL MAILBOX command.
      The first string is the mailbox name for which this ACL entry
      applies.  The second string is the identifier for which this
      entry applies.  The third string is the set of rights that the
      identifier has.

   * MYRIGHTS MAILBOX string string

      This response occurs as a result of a MYRIGHTS MAILBOX command.
      The first string is the mailbox name for which this ACL entry
      applies.  The second string is the set of rights that the client
      has.

The current ACL implementation has the following properties:

* The union of all the rights for matching identifiers is granted to a user.

* A prefix of "-" to an identifier specifies that the listed rights are
to be removed from users who match the prefixed identifier.  Such a union
of "negative rights" is removed after the union of positive rights has
been calculated.

* The delivery program enforces the 'p' right, except for insertion into
a user's INBOX.

* When a mailbox is created, it inherits its ACL from the closest
parent mailbox.  If no such mailbox exists, it gets an ACL of 
"anyone rls".  If the created mailbox is a user's INBOX, it gets an
ACL that assigns all rights to the user and no rights to anyone else.

The identifiers that are usable in ACLs depend on whether the Cyrus
IMAP server is compiled for Kerberos or Unix authentication.  In
either case, "anonymous" refers to the anonymous user and "anyone"
refers to all logged-in users, including the anonymous user.

If the server is compiled for Unix authentication, then an identifier
may be either a unix username or the string "group:" followed by a
unix group name.

If the server is compiled for Kerberos authentication, then an
identifier may be any Kerberos principal.  The principal may optionally
include an instance or realm.  Any of the principal, instance, or
realm fields may be '*' which is treated as a wild-card.  For example,
an identifier "*" indicates any user with a null instance at the local
realm.  An identifier of "*.*@CS.CMU.EDU" indicates any user with any
instance in the realm CS.CMU.EDU.  An identifier of "*.*@*" indicates
any Kerberos-authenticated user and differs from "anyone" in that it
does not include the anonymous user.
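The following is an added example and is not part of the Cyrus
documentation or server code.  It ties together the ACL response format
(* ACL MAILBOX mailbox identifier rights), the union-minus-negative
rights rule of the current implementation, and the identifier matching
described above: "anyone", "anonymous", "group:NAME", and Kerberos
principals with '*' wild-cards in the name, instance or realm.  To keep
one matcher for both compile modes, the example treats a bare unix
username as a principal with a null instance at the local realm; that
unification, the local realm "EXAMPLE.EDU", and the GETACL reply lines
are all constructed for the example.

```python
# Added example: parse GETACL replies and compute MYRIGHTS for a user.
# Not Cyrus code.  LOCAL_REALM, the sample replies and the users are
# constructed; a real server takes the realm from its configuration.
import re
from dataclasses import dataclass

LOCAL_REALM = "EXAMPLE.EDU"          # constructed for the example
RIGHT_ORDER = "lrswipcda"
_TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|(\S+)')


def tokenize(line):
    """Split a reply line into atoms and (unescaped) quoted strings."""
    out = []
    for m in _TOKEN.finditer(line):
        if m.group(1) is not None:
            out.append(re.sub(r"\\(.)", r"\1", m.group(1)))
        else:
            out.append(m.group(2))
    return out


def parse_getacl(lines):
    """Collect '* ACL MAILBOX mailbox identifier rights' replies into
    {mailbox: [(identifier, rights), ...]}.  A second reply naming the
    same identifier on one mailbox is not allowed, so it is rejected."""
    acls = {}
    for line in lines:
        tok = tokenize(line)
        if tok[:3] != ["*", "ACL", "MAILBOX"]:
            continue                      # tagged completion, other replies
        if len(tok) != 6:
            raise ValueError("malformed ACL reply: %r" % line)
        mailbox, ident, rights = tok[3:]
        entries = acls.setdefault(mailbox, [])
        if any(i == ident for i, _ in entries):
            raise ValueError("duplicate ACL reply for %r on %r" % (ident, mailbox))
        entries.append((ident, rights))
    return acls


@dataclass
class User:
    name: str                          # principal name or unix username
    instance: str = ""                 # "" is the null instance
    realm: str = LOCAL_REALM
    groups: frozenset = frozenset()    # unix groups, matched by "group:NAME"
    anonymous: bool = False


def split_principal(ident):
    """'name[.instance][@realm]' -> (name, instance, realm).  A missing
    instance is the null instance; a missing realm is the local realm."""
    name, _, realm = ident.partition("@")
    name, _, instance = name.partition(".")
    return name, instance, realm or LOCAL_REALM


def matches(ident, user):
    """Does the un-prefixed identifier `ident` name `user`?"""
    if ident == "anyone":
        return True                    # includes the anonymous user
    if ident == "anonymous":
        return user.anonymous
    if ident.startswith("group:"):
        return ident[len("group:"):] in user.groups
    if user.anonymous:
        return False                   # "*.*@*" never covers anonymous
    pattern = split_principal(ident)
    actual = (user.name, user.instance, user.realm)
    return all(p == "*" or p == a for p, a in zip(pattern, actual))


def effective_rights(entries, user):
    """Union of rights for matching identifiers, minus the union of
    rights for matching '-' prefixed identifiers (applied afterwards)."""
    positive, negative = set(), set()
    for ident, rights in entries:
        if ident.startswith("-"):
            if matches(ident[1:], user):
                negative.update(rights)
        elif matches(ident, user):
            positive.update(rights)
    granted = positive - negative
    return ("".join(c for c in RIGHT_ORDER if c in granted)
            + "".join(sorted(c for c in granted if c.isdigit())))


def myrights(acls, mailbox, user):
    return effective_rights(acls.get(mailbox, []), user)


# Constructed GETACL exchange, not real server output.
SAMPLE_GETACL = [
    "* ACL MAILBOX user.fred.reports anyone lrs",
    "* ACL MAILBOX user.fred.reports fred lrswipcda",
    "* ACL MAILBOX user.fred.reports group:staff lrswi",
    "* ACL MAILBOX user.fred.reports -bob w",
    '* ACL MAILBOX user.fred.reports "*.*@CS.CMU.EDU" lrsp',
    '* ACL MAILBOX "Shared Folder" *.*@* lrs',
    "A002 Ok Getacl complete",
]

if __name__ == "__main__":
    acls = parse_getacl(SAMPLE_GETACL)
    for who in (User("fred", groups=frozenset({"staff"})),
                User("bob", groups=frozenset({"staff"})),
                User("alice", "admin", "CS.CMU.EDU"),
                User("anonymous", anonymous=True)):
        print(who.name, myrights(acls, "user.fred.reports", who),
              repr(myrights(acls, "Shared Folder", who)))
```

Running it shows the rules interacting: bob collects "lrswi" from "anyone"
and "group:staff" but the "-bob w" entry strips the write right after the
union, leaving "lrsi"; the Kerberos user alice.admin@CS.CMU.EDU is
reached only through the wild-card entry for her realm; and the
anonymous user gets "lrs" from "anyone" on the first mailbox but nothing
on "Shared Folder", whose only entry is "*.*@*".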

