I would like expose here some explanations concerning the Extended Permissions or Xpermit or r_accessor_xpermit of ACL.
For example, below the détails of an dm_ACL:
r_accessor_name : dm_world : dm_owner : grp_adm : docu r_accessor_permit : 3 : 1 : 6 : 7 r_accessor_xpermit : 1048576 : 3 : 0 : 0 r_is_group : F : F : T : T r_permit_type : 0 : 0 : 0 : 0 r_application_permit : : : :
- dm_world = This is an alias for all of the users in a docbase.
- dm_owner = This is an alias for the current owner of the document.
- ACL is a regular ACL (acl_class=0 ; case of ‘dm_45%’), a template (acl_class=1) or an instance of a template (acl_class= 2). The default is zero.
- ACLs owned by users other than the repository owner are called user ACLs. User ACLs can be public (acl_class=3) or private (acl_class=0).
- Private ACLs can only be used by the ACL owner. User ACLs are managed by the object owner (repository owner) or superusers.
Presentation of Extended permissions
Extended permissions are a feature only available in version 4i and later. They greatly enhance the security capabilities of the server by letting certain users access admin functions on a per-document basis. For example, in pre-4i docbases, only two types of users could change the permissions on a document: the owner of that document and a superuser. In 4i, you can use the extended permissions to allow certain normal users to change the permissions.
For example, an ACL for the Marketing department might allow the marketing_managers group to change the permissions on the document.
The extended permissions are described below:
- execute_proc: Allows the user to execute the procedure (if it is a procedure)
- change_location: Allows the user to change the location of the document.
- change_state: Allows the user to change the state of the document using the document lifecycle.
- change_permit: Allows the user to change the object’s permissions.
- change_owner: Allows the user to change the owner of the object.
- delete_object: Delete permission. Delete Object extended permission does not grant Browse, Read, Relate, Version, or Write permission.
- change_folder_links: Allows the user to create a document in a folder without having the write right on this folder.
More the Extended permissions are stored in the r_accessor_xpermit attribute of an dm_ACL. The value of this attribute is an integer that has been converted from a 4-bytes binary number (or 32-bits binary number) to a decimal number. Each permission is governed by the value of a bit in a particular place: 1 : signifies the permission is granted, 0 : signifies it is not.
Warning : For some reason, execute_proc and change_location are reversed, “1” signifies the permission is not granted and “0” signifies it is granted.
The bit locations of the extended permissions are defined like this (from right):
- bit 01 : execute_proc
- bit 02 : change_location
- bit 17 : change_state
- bit 18 : change_permissions
- bit 19 : change_owner
- bit 20 : extended_delete
- bit 21 : change_folder_links
For conversion decimal<->binary, use the site http://www.binaryhexconverter.com/decimal-to-binary-converter.
0 => 00000000 -> 32 bits : 00000000000000000000000000000000 - bit 01 : execute_proc ("0" warning : reverse for this permission) - bit 02 : change_location ("0" warning : reverse for this permission)
3 => 00000011 -> 32 bits : 00000000000000000000000000000011 - none
1048576 => 100000000000000000000 -> 32 bits : 00000000000100000000000000000000 - bit 01 : execute_proc ("0" warning : reverse for this permission) - bit 02 : change_location ("0" warning : reverse for this permission) - bit 21 : change_folder_links ("1")
1048579 => 100000000000000000011 -> 32 bits : 00000000000100000000000000000011 - bit 21 : change_folder_links ("1")