5.18 eDirectory Access Control Rights

eDirectory uses two types of rights: object rights and attribute rights. The object that receives the rights is called a trustee. Except for the Inheritance Control rights (DS_ENTRY_INHERIT_CTL and DS_ATTR_INHERIT_CTL), set the right in the bit mask to 1 (one) to grant the right and to 0 (zero) to deny the right. For the Inheritance Control rights, see Table 5-3 for the correct settings.

eDirectory uses the following rights in an ACL to grant rights to the object as a whole. These rights are ORed together into a bit mask.

Table 5-1 Object Rights (flag name, C value, description)

DS_ENTRY_BROWSE, 0x00000001L
    Allows a trustee to discover objects in the eDirectory tree.

DS_ENTRY_ADD, 0x00000002L
    Allows a trustee to create child objects (new objects that are subordinate to the object in the tree).

DS_ENTRY_DELETE, 0x00000004L
    Allows a trustee to delete an object. This right does not allow a trustee to delete a container object that has subordinate objects.

DS_ENTRY_RENAME, 0x00000008L
    Allows a trustee to rename the object.

DS_ENTRY_SUPERVISOR, 0x00000010L
    Gives a trustee all rights to an object and its attributes.

DS_ENTRY_INHERIT_CTL, 0x00000040L
    Allows a trustee to inherit the rights granted in the ACL and exercise them on subordinate objects.

For information on setting the bit values, see Table 5-3.

eDirectory uses the following rights in an ACL to grant rights to individual attributes and to [All Attributes Rights] of an object. These rights are ORed together into a bit mask.

Table 5-2 Attribute Rights (flag name, C value, description)

DS_ATTR_COMPARE, 0x00000001L
    Allows a trustee to compare a value with an attribute's value. This allows the trustee to see if the attribute contains the value without having rights to see the value.

DS_ATTR_READ, 0x00000002L
    Allows a trustee to read an attribute value. This right confers the Compare right.

DS_ATTR_WRITE, 0x00000004L
    Allows a trustee to add, delete, or modify an attribute value. This right also gives the trustee the Self (Add or Delete Self) right.

DS_ATTR_SELF, 0x00000008L
    Allows a trustee to add or delete its name as an attribute value on those attributes that take object names as their values.

DS_ATTR_SUPERVISOR, 0x00000020L
    Gives a trustee all rights to the object's attributes.

DS_ATTR_INHERIT_CTL, 0x00000040L
    Allows a trustee to inherit the rights granted in the ACL and exercise these attribute rights on subordinate objects.

For information on setting the bit values, see Table 5-3.

The bit settings for the Inheritance Control rights use values that ensure compatibility with NetWare 4.x.

Table 5-3 Inheritance Control Settings (by NetWare version)

NetWare 4.x

    Object Right DS_ENTRY_INHERIT_CTL: NetWare 4.x does not support this functionality. Inheritance of object rights is always supported. NetWare 4.x requires this bit to be set to 0.

    [All Attributes Rights] DS_ATTR_INHERIT_CTL: NetWare 4.x does not support this functionality. Inheritance of rights to [All Attributes Rights] is always supported. NetWare 4.x requires this bit to be set to 0.

    Specific Attribute DS_ATTR_INHERIT_CTL: NetWare 4.x does not support this functionality. Inheritance of ACLs to specific attributes is always blocked. NetWare 4.x requires this bit to be set to 0.

NetWare 5.x

    Object Right DS_ENTRY_INHERIT_CTL: NetWare 5.x supports this right. Set this bit to 0 (zero) to allow the inheritance of the rights in the ACL. Set this bit to 1 (one) to block the inheritance of the ACL rights.

    [All Attributes Rights] DS_ATTR_INHERIT_CTL: NetWare 5.x supports this right. Set this bit to 0 (zero) to allow the inheritance of the rights granted to [All Attributes Rights]. Set this bit to 1 (one) to block the inheritance of the ACL rights.

    Specific Attribute DS_ATTR_INHERIT_CTL: NetWare 5.x supports this right. Set this bit to 1 (one) to allow the inheritance of the rights granted to the specific attribute. Set this bit to 0 (zero) to block the inheritance of the ACL rights.
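The inverted meaning of the Inheritance Control bit between object or [All Attributes Rights] ACLs and specific-attribute ACLs is easy to get wrong when auditing a mask. The following C example is added here and is not part of the NDK; the bit values are those of Tables 5-1 and 5-2, while the enum acl_kind and the two helper functions are assumed names written for this illustration. It expands the implied attribute rights (Supervisor gives all, Read confers Compare, Write gives Self) and decides whether an ACL is inherited under the NetWare 5.x rules of Table 5-3.

```c
#include <stdbool.h>

/* Object rights (Table 5-1) */
#define DS_ENTRY_BROWSE       0x00000001L
#define DS_ENTRY_ADD          0x00000002L
#define DS_ENTRY_DELETE       0x00000004L
#define DS_ENTRY_RENAME       0x00000008L
#define DS_ENTRY_SUPERVISOR   0x00000010L
#define DS_ENTRY_INHERIT_CTL  0x00000040L

/* Attribute rights (Table 5-2) */
#define DS_ATTR_COMPARE       0x00000001L
#define DS_ATTR_READ          0x00000002L
#define DS_ATTR_WRITE         0x00000004L
#define DS_ATTR_SELF          0x00000008L
#define DS_ATTR_SUPERVISOR    0x00000020L
#define DS_ATTR_INHERIT_CTL   0x00000040L

/* Assumed helper type: which ACL a mask belongs to, which decides how the
 * Inheritance Control bit must be read (Table 5-3). */
enum acl_kind { ACL_OBJECT, ACL_ALL_ATTRS, ACL_SPECIFIC_ATTR };

/* Expand the attribute rights that Table 5-2 says are implied by others:
 * Supervisor gives all attribute rights, Read confers Compare, Write gives
 * Self. INHERIT_CTL is a control flag, not a right, so it passes through. */
static long attr_effective_rights(long mask)
{
    long ctl = mask & DS_ATTR_INHERIT_CTL;
    long rights = mask & ~DS_ATTR_INHERIT_CTL;
    if (rights & DS_ATTR_SUPERVISOR)
        rights |= DS_ATTR_COMPARE | DS_ATTR_READ | DS_ATTR_WRITE | DS_ATTR_SELF;
    if (rights & DS_ATTR_READ)
        rights |= DS_ATTR_COMPARE;
    if (rights & DS_ATTR_WRITE)
        rights |= DS_ATTR_SELF;
    return rights | ctl;
}

/* Does an ACL with this mask flow down to subordinate objects under the
 * NetWare 5.x rules of Table 5-3? Object and [All Attributes Rights] ACLs
 * inherit when the bit is 0; a specific-attribute ACL inherits only when the
 * bit is 1. DS_ENTRY_INHERIT_CTL and DS_ATTR_INHERIT_CTL share value 0x40. */
static bool acl_inherits(long mask, enum acl_kind kind)
{
    bool bit_set = (mask & DS_ATTR_INHERIT_CTL) != 0;
    return kind == ACL_SPECIFIC_ATTR ? bit_set : !bit_set;
}
```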