eDirectory uses two types of rights: object rights and attribute rights. The object that receives the rights is called a trustee. Except for the Inheritance Control rights (DS_ENTRY_INHERIT_CTL and DS_ATTR_INHERIT_CTL), set the right in the bit mask to 1 (one) to grant the right and to 0 (zero) to deny the right. For the Inheritance Control rights, see Table 5-3 for the correct settings.
eDirectory uses the following rights in an ACL to grant rights to the object as a whole. These rights are ORed together into a bit mask.
Table 5-1 Object Rights

Flag Name | C Value | Description |
---|---|---|
DS_ENTRY_BROWSE | 0x00000001L | Allows a trustee to discover objects in the eDirectory tree. |
DS_ENTRY_ADD | 0x00000002L | Allows a trustee to create child objects (new objects that are subordinate to the object in the tree). |
DS_ENTRY_DELETE | 0x00000004L | Allows a trustee to delete an object. This right does not allow a trustee to delete a container object that has subordinate objects. |
DS_ENTRY_RENAME | 0x00000008L | Allows a trustee to rename the object. |
DS_ENTRY_SUPERVISOR | 0x00000010L | Gives a trustee all rights to an object and its attributes. |
DS_ENTRY_INHERIT_CTL | 0x00000040L | Allows a trustee to inherit the rights granted in the ACL and exercise them on subordinate objects. For information on setting the bit values, see Table 5-3. |

eDirectory uses the following rights in an ACL to grant rights to individual attributes and to [All Attributes Rights] of an object. These rights are ORed together into a bit mask.
Table 5-2 Attribute Rights

Flag Name | C Value | Description |
---|---|---|
DS_ATTR_COMPARE | 0x00000001L | Allows a trustee to compare a value with an attribute’s value. This allows the trustee to see if the attribute contains the value without having rights to see the value. |
DS_ATTR_READ | 0x00000002L | Allows a trustee to read an attribute value. This right confers the Compare right. |
DS_ATTR_WRITE | 0x00000004L | Allows a trustee to add, delete, or modify an attribute value. This right also gives the trustee the Self (Add or Delete Self) right. |
DS_ATTR_SELF | 0x00000008L | Allows a trustee to add or delete its name as an attribute value on those attributes that take object names as their values. |
DS_ATTR_SUPERVISOR | 0x00000020L | Gives a trustee all rights to the object’s attributes. |
DS_ATTR_INHERIT_CTL | 0x00000040L | Allows a trustee to inherit the rights granted in the ACL and exercise these attribute rights on subordinate objects. For information on setting the bit values, see Table 5-3. |

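
When reviewing ACL entries, the raw mask understates what a trustee can do, because Read confers Compare, Write confers Self, and either Supervisor right confers every attribute right. The following added example (not part of the original documentation) expands one pair of masks accordingly. The helper names and the `ATTR_ALL` macro are hypothetical, the constants are redefined from Tables 5-1 and 5-2, and the sketch neither interprets the Inheritance Control bit nor models inheritance across the tree.

```c
#include <stdio.h>

/* Values copied from Tables 5-1 and 5-2 above. */
#define DS_ENTRY_SUPERVISOR  0x00000010L
#define DS_ATTR_COMPARE      0x00000001L
#define DS_ATTR_READ         0x00000002L
#define DS_ATTR_WRITE        0x00000004L
#define DS_ATTR_SELF         0x00000008L
#define DS_ATTR_SUPERVISOR   0x00000020L
#define DS_ATTR_INHERIT_CTL  0x00000040L
#define ATTR_ALL (DS_ATTR_COMPARE | DS_ATTR_READ | DS_ATTR_WRITE | DS_ATTR_SELF)

/* Hypothetical helper: rights an attribute mask confers, per Table 5-2.
   The inheritance bit is stripped, not interpreted (see Table 5-3). */
unsigned long expand_attr_rights(unsigned long attr_mask)
{
    unsigned long r = attr_mask & ~(unsigned long)DS_ATTR_INHERIT_CTL;
    if (r & DS_ATTR_SUPERVISOR) r |= ATTR_ALL;         /* all attribute rights */
    if (r & DS_ATTR_READ)       r |= DS_ATTR_COMPARE;  /* Read confers Compare */
    if (r & DS_ATTR_WRITE)      r |= DS_ATTR_SELF;     /* Write confers Self   */
    return r;
}

/* Hypothetical helper: combine a trustee's object mask with its attribute
   mask; object Supervisor gives all rights to the object's attributes. */
unsigned long effective_attr_rights(unsigned long entry_mask, unsigned long attr_mask)
{
    unsigned long r = expand_attr_rights(attr_mask);
    if (entry_mask & DS_ENTRY_SUPERVISOR) r |= ATTR_ALL | DS_ATTR_SUPERVISOR;
    return r;
}

/* Audit predicate: can the trustee add, delete, or modify attribute values? */
int can_modify_attrs(unsigned long entry_mask, unsigned long attr_mask)
{
    return (effective_attr_rights(entry_mask, attr_mask) & DS_ATTR_WRITE) != 0;
}

int main(void)
{
    /* Constructed {object mask, attribute mask} pairs, not from a real tree. */
    unsigned long s[][2] = { {0x01, 0x02}, {0x01, 0x44}, {0x10, 0x00}, {0x01, 0x08} };
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++)
        printf("entry=0x%02lx attr=0x%02lx -> effective=0x%02lx modify=%d\n",
               s[i][0], s[i][1], effective_attr_rights(s[i][0], s[i][1]),
               can_modify_attrs(s[i][0], s[i][1]));
    return 0;
}
```

The third sample pair shows the case an audit most often misses: an entry with no attribute bits set still yields full attribute control when the object mask carries DS_ENTRY_SUPERVISOR.
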
The bit settings for the Inheritance Control rights use values that ensure compatibility with NetWare 4.x.
Table 5-3 Inheritance Control Settings