Setting eDirectory ACL Entries with IDM

By lhaeger


Setting ACL entries (also known as trustee assignments) in eDirectory with IDM is possible but far from self-explanatory. There is no DirXML Script token that translates the API bit codes into human-readable ACL flag names, and setting special trustees like [Root] or [Public] requires a special syntax.

Here's what I found about this topic in the forums, compiled for easy reference (and my own laziness :-) since Geoffrey did not write an article about it yet ;-)

ACL is a structured attribute with three components: "protectedName", "trustee" and "privileges". Setting an ACL entry in DirXML Script can be done this way:

<!-- Adds one explicit ACL entry to the destination User object: the proxy object
     becomes a trustee of the user's Internet Email Address attribute with no rights
     (privileges 0; see the bit table below for the codes). -->
<do-add-dest-attr-value class-name="User" name="ACL">
  <arg-value type="structured">
    <!-- attribute name, [All Attributes Rights] or [Entry Rights] -->
    <arg-component name="protectedName">
      <token-text xml:space="preserve">Internet Email Address</token-text>
    </arg-component>
    <!-- trustee DN in slash form; special trustees are written \[Root], \[Public], ... -->
    <arg-component name="trustee">
      <token-text xml:space="preserve">\VAULT-TREE\edu\acme\proxies\proxy</token-text>
    </arg-component>
    <!-- bitwise OR of the right codes listed below -->
    <arg-component name="privileges">
      <token-text xml:space="preserve">0</token-text>
    </arg-component>
  </arg-value>
</do-add-dest-attr-value>

The protectedName component is either the name of an attribute or one of the two pseudo-names [All Attributes Rights] and [Entry Rights].

The trustee component has to be a DN in slash form (backslash-separated, starting with the tree name, as in \VAULT-TREE\edu\acme\proxies\proxy above) and can also be one of the special trustees \[Root], \[Self], \[Inherited Rights Filter], \[Public] or \[This] (make sure to include the leading backslash!).

The privileges component is coded bitwise:

Rights to attributes:

	 1	Compare
	 2	Read
	 4	Write
	 8	Add Self
	16	(unused)
	32	Supervisor
	64	Inheritance Control

Rights to entries:

	 1	Browse
	 2	Add
	 4	Delete
	 8	Rename
	16	Supervisor
	32	(unused)
	64	Inheritance Control

Which value of the inheritance control bit (0 or 1) blocks inheritance and which allows it depends on the eDirectory version and on whether the protectedName is an individual attribute, [All Attributes Rights] or [Entry Rights]. The following table is taken from http://developer.novell.com/documentation/ndslib/n...

Columns: Object Right (DS_ENTRY_INHERIT_CTL), [All Attributes Rights] (DS_ATTR_INHERIT_CTL), Specific Attribute (DS_ATTR_INHERIT_CTL).

NetWare 4.x

	Object Right (DS_ENTRY_INHERIT_CTL): not supported; inheritance of object rights is always allowed. The bit must be set to 0.

	[All Attributes Rights] (DS_ATTR_INHERIT_CTL): not supported; inheritance of rights to [All Attributes Rights] is always allowed. The bit must be set to 0.

	Specific Attribute (DS_ATTR_INHERIT_CTL): not supported; inheritance of ACLs to specific attributes is always blocked. The bit must be set to 0.

NetWare 5.x

	Object Right (DS_ENTRY_INHERIT_CTL): supported. Set the bit to 0 (zero) to allow inheritance of the rights in the ACL, to 1 (one) to block it.

	[All Attributes Rights] (DS_ATTR_INHERIT_CTL): supported. Set the bit to 0 (zero) to allow inheritance of the rights granted to [All Attributes Rights], to 1 (one) to block it.

	Specific Attribute (DS_ATTR_INHERIT_CTL): supported. Set the bit to 1 (one) to allow inheritance of the rights granted to the specific attribute, to 0 (zero) to block it. Note that this polarity is the reverse of the other two columns.

I guess the NetWare 5.x row also covers all current eDirectory versions, even if they run on Linux, Windows or elsewhere ;-)
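The bit table and the reversed inheritance-control polarity are easy to get wrong by hand, so here is a small Python helper, added to this article as an example (it is not part of the original article or of IDM itself). It translates right names into the privileges integer and back, sets bit 64 according to the NetWare 5.x/eDirectory row of the table, enforces the leading-backslash syntax for the special trustees listed earlier, and emits the do-add-dest-attr-value element in the shape of the first example. Function names and the sample class/DN values are the example's own; the tree and proxy DN are taken from the article's example.

```python
"""Helpers for building eDirectory ACL values for DirXML Script.

Added example (not from the original article). Right names, bit codes and the
inheritance-control polarity follow the article's tables, using the
NetWare 5.x / eDirectory row. Function names are the example's own.
"""
import xml.etree.ElementTree as ET

# Rights to attributes: protectedName is an attribute name or [All Attributes Rights]
ATTR_RIGHTS = {"Compare": 1, "Read": 2, "Write": 4, "Add Self": 8, "Supervisor": 32}
# Rights to entries: protectedName is [Entry Rights]
ENTRY_RIGHTS = {"Browse": 1, "Add": 2, "Delete": 4, "Rename": 8, "Supervisor": 16}
INHERIT_CTL = 64  # same bit in both tables, but its meaning flips (see below)

SPECIAL_TRUSTEES = {"[Root]", "[Self]", "[Inherited Rights Filter]", "[Public]", "[This]"}


def rights_table(protected_name):
    return ENTRY_RIGHTS if protected_name == "[Entry Rights]" else ATTR_RIGHTS


def set_bit_blocks_inheritance(protected_name):
    """Polarity of bit 64 on eDirectory (NetWare 5.x row of the article's table):
    for [Entry Rights] and [All Attributes Rights] a set bit BLOCKS inheritance,
    for an individual attribute a set bit ALLOWS inheritance."""
    return protected_name in ("[Entry Rights]", "[All Attributes Rights]")


def encode_privileges(protected_name, rights, inherit):
    """Return the integer for the 'privileges' component."""
    table = rights_table(protected_name)
    value = 0
    for name in rights:
        if name not in table:
            raise ValueError(f"{name!r} is not a valid right for {protected_name}")
        value |= table[name]
    # Set bit 64 only when that is what yields the requested inheritance behaviour.
    if inherit != set_bit_blocks_inheritance(protected_name):
        value |= INHERIT_CTL
    return value


def decode_privileges(protected_name, value):
    """Return (list of right names, inherits); reject bits the tables mark unused."""
    table = rights_table(protected_name)
    known = INHERIT_CTL
    for bit in table.values():
        known |= bit
    if value & ~known:
        raise ValueError(f"unused bits set in privileges value {value}")
    names = [name for name, bit in table.items() if value & bit]
    bit_set = bool(value & INHERIT_CTL)
    inherits = (not bit_set) if set_bit_blocks_inheritance(protected_name) else bit_set
    return names, inherits


def normalize_trustee(trustee):
    """Special trustees need a leading backslash; anything else must be a DN in slash form."""
    bare = trustee[1:] if trustee.startswith("\\") else trustee
    if bare.startswith("["):
        if bare not in SPECIAL_TRUSTEES:
            raise ValueError(f"unknown special trustee {bare!r}")
        return "\\" + bare
    if not trustee.startswith("\\"):
        raise ValueError("trustee DN must be in slash form, e.g. \\TREE\\org\\ou\\object")
    return trustee


def acl_add_element(class_name, protected_name, trustee, rights, inherit):
    """Build the <do-add-dest-attr-value> element for one ACL entry and return it as XML text."""
    privileges = encode_privileges(protected_name, rights, inherit)
    root = ET.Element("do-add-dest-attr-value", {"class-name": class_name, "name": "ACL"})
    arg = ET.SubElement(root, "arg-value", {"type": "structured"})
    components = (
        ("protectedName", protected_name),
        ("trustee", normalize_trustee(trustee)),
        ("privileges", str(privileges)),
    )
    for comp_name, text in components:
        comp = ET.SubElement(arg, "arg-component", {"name": comp_name})
        token = ET.SubElement(comp, "token-text", {"xml:space": "preserve"})
        token.text = text
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Reproduces the article's example: no rights on Internet Email Address, inheritance blocked.
    print(acl_add_element("User", "Internet Email Address",
                          "\\VAULT-TREE\\edu\\acme\\proxies\\proxy", [], inherit=False))
    # [Public] may browse the user entry; rights inherit to subordinates (bit 64 stays clear).
    print(acl_add_element("User", "[Entry Rights]", "[Public]", ["Browse"], inherit=True))
    # The same Read+Write, inheriting, on one attribute vs. all attributes differs only in bit 64.
    print(encode_privileges("Internet Email Address", ["Read", "Write"], inherit=True))   # 70
    print(encode_privileges("[All Attributes Rights]", ["Read", "Write"], inherit=True))  # 6
```

The last two lines are the trap the table warns about: Read+Write that should inherit is 70 on a single attribute but 6 on [All Attributes Rights]; copying one value to the other silently flips whether the rights flow down the tree. Running decode_privileges over the ACL values a policy is about to write is a cheap check before it touches a production tree.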

Thanks to Father Ramon for helping us all that much on the forums, without his input I wouldn't have been able to put this all together.


Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).

It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.




User Comments


Did too!

Submitted by geoffc on 25 November 2008 - 8:31pm.

Lothar, just to be annoying, I actually DID write an article about this topic, sort of... But actually, I think I like your version better!

http://www.novell.com/communities/node/5686/cool-t...

Part four of my Toolkit rule article set (Part 2 just got published this week) will talk about comparing ACL values inside the toolkit rule. :)


Oops, how could I miss that?

Submitted by lhaeger on 26 November 2008 - 9:51am.

Geoffrey, sorry for having missed that article, still don't know them all by heart. And no annoyance at all, in fact I was wondering how it could happen that you've left out that topic so far... ;-) Cheers, Lothar

© 2013 Novell