Hello,

I would like to set out here some explanations concerning the Extended Permissions (also called Xpermit, stored in the r_accessor_xpermit attribute) of an ACL.
 
For example, below are the details of a dm_ACL:

r_accessor_name         [0]: dm_world 	[1]: dm_owner	[2]: grp_adm	[3]: docu
r_accessor_permit       [0]: 3		[1]: 1		[2]: 6		[3]: 7
r_accessor_xpermit      [0]: 1048576	[1]: 3		[2]: 0		[3]: 0
r_is_group              [0]: F		[1]: F		[2]: T		[3]: T
r_permit_type           [0]: 0		[1]: 0		[2]: 0		[3]: 0
r_application_permit    [0]: 		[1]: 		[2]: 		[3]: 

 
Reminder:

  • dm_world = This is an alias for all of the users in a docbase.
  • dm_owner = This is an alias for the current owner of the document.
  • An ACL is a regular ACL (acl_class=0; e.g. the system ACLs named ‘dm_45%’), a template (acl_class=1) or an instance of a template (acl_class=2). The default is zero.
  • ACLs owned by users other than the repository owner are called user ACLs. User ACLs can be public (acl_class=3) or private (acl_class=0).
  • Private ACLs can only be used by the ACL owner. User ACLs are managed by the object owner (repository owner) or superusers.


 

Presentation of Extended permissions
Extended permissions are a feature only available in version 4i and later. They greatly enhance the security capabilities of the server by letting certain users access admin functions on a per-document basis. For example, in pre-4i docbases, only two types of users could change the permissions on a document: the owner of that document and a superuser. In 4i, you can use the extended permissions to allow certain normal users to change the permissions.
For example, an ACL for the Marketing department might allow the marketing_managers group to change the permissions on the document.

 
The extended permissions are described below:

  • execute_proc: Allows the user to execute the procedure (if it is a procedure)
  • change_location: Allows the user to change the location of the document.
  • change_state: Allows the user to change the state of the document using the document lifecycle.
  • change_permit: Allows the user to change the object’s permissions.
  • change_owner: Allows the user to change the owner of the object.
  • delete_object: Delete permission. Delete Object extended permission does not grant Browse, Read, Relate, Version, or Write permission.
  • change_folder_links: Allows the user to create a document in a folder without having the write right on this folder.

 
The extended permissions are stored in the r_accessor_xpermit attribute of a dm_ACL. The value of this attribute is an integer: the decimal representation of a 4-byte (32-bit) binary number. Each permission is governed by the value of the bit at a particular position: 1 signifies the permission is granted, 0 signifies it is not.
Warning: for some reason, execute_proc and change_location are reversed: “1” signifies the permission is not granted and “0” signifies it is granted.
 
The bit positions of the extended permissions are defined as follows (counted from the right, the rightmost bit being bit 01):

  • bit 01 : execute_proc
  • bit 02 : change_location
  • bit 17 : change_state
  • bit 18 : change_permissions
  • bit 19 : change_owner
  • bit 20 : extended_delete
  • bit 21 : change_folder_links

 
For decimal<->binary conversion, a site such as http://www.binaryhexconverter.com/decimal-to-binary-converter can be used.
 
 
Examples
dm_acl.r_accessor_xpermit=0:

0 => 00000000 -> 32 bits : 00000000000000000000000000000000
	- bit 01 : execute_proc (bit is "0": granted, since this permission is reversed)
	- bit 02 : change_location (bit is "0": granted, since this permission is reversed)

 
dm_acl.r_accessor_xpermit=3:

3 => 00000011 -> 32 bits : 00000000000000000000000000000011
	- none (bits 01 and 02 are "1": execute_proc and change_location are not granted, since they are reversed)

 
dm_acl.r_accessor_xpermit=1048576:

1048576 => 100000000000000000000 -> 32 bits : 00000000000100000000000000000000
	- bit 01 : execute_proc (bit is "0": granted, since this permission is reversed)
	- bit 02 : change_location (bit is "0": granted, since this permission is reversed)
	- bit 21 : change_folder_links (bit is "1": granted)

 
dm_acl.r_accessor_xpermit=1048579:

1048579 => 100000000000000000011 -> 32 bits : 00000000000100000000000000000011
	- bit 21 : change_folder_links (bit is "1": granted)
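To make the bit layout and the reversed execute_proc/change_location bits concrete, here is an added decoder/encoder for r_accessor_xpermit values, written for this post and not taken from Documentum or its API. It uses the permission names from the description list above (change_permit and delete_object are the same bits as change_permissions and extended_delete in the bit list) and, as a worked case, decodes the accessor entries of the sample dm_ACL shown at the top.

```python
# Added example: decode/encode a Documentum r_accessor_xpermit integer.
# Bit positions are counted from the right, starting at 1, as in the post.
XPERMIT_BITS = {
    1: "execute_proc",
    2: "change_location",
    17: "change_state",
    18: "change_permit",        # "change_permissions" in the bit list
    19: "change_owner",
    20: "delete_object",        # "extended_delete" in the bit list
    21: "change_folder_links",
}

# These two are reversed: a set bit means the permission is NOT granted.
REVERSED = {"execute_proc", "change_location"}


def to_bits32(value):
    """Return the 32-character binary string of a non-negative integer."""
    if not 0 <= value < 2 ** 32:
        raise ValueError("r_accessor_xpermit must fit in 32 bits")
    return format(value, "032b")


def decode_xpermit(value):
    """Return the sorted list of extended permissions granted by `value`."""
    granted = []
    for position, name in XPERMIT_BITS.items():
        bit_set = (value >> (position - 1)) & 1 == 1
        # For a reversed permission the grant is the opposite of the bit.
        if (name in REVERSED) != bit_set:
            granted.append(name)
    return sorted(granted)


def encode_xpermit(granted):
    """Inverse of decode_xpermit: build the integer for a set of permissions."""
    value = 0
    for position, name in XPERMIT_BITS.items():
        if (name in granted) != (name in REVERSED):
            value |= 1 << (position - 1)
    return value


def decode_acl(accessor_names, accessor_xpermits):
    """Map each accessor of an ACL to its granted extended permissions."""
    return {name: decode_xpermit(xp)
            for name, xp in zip(accessor_names, accessor_xpermits)}


# Sample dm_ACL from the post: r_accessor_name / r_accessor_xpermit values.
SAMPLE_ACL = decode_acl(["dm_world", "dm_owner", "grp_adm", "docu"],
                        [1048576, 3, 0, 0])
```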

 
 

That’s all!!!

Huseyin OZVEREN