Editor for Novell Object ACL Attributes

This editor is used to show, edit or create Novell access control list (ACL) attribute values. This LDAP attribute syntax is used almost exclusively in Novell eDirectory environments, for the attribute called ACL, which specifies permissions on directory objects.

Editor for Novell object ACL attributes

In the top area of this dialog, you see the distinguished name and type icon for the object whose attribute you are editing. In the line beneath, the attribute name is shown.

There are several sub-values contained in a Novell object ACL attribute:


This is the object which holds the permission in question. The Trustee text box can be used to enter a distinguished name directly, or you can use the Browse button and choose an object from an object select browser.

In addition to normal distinguished names, the following generic trustee strings are allowed: [Root], [Public], [Creator], [Self], [Inheritance Mask]. If you want to set the Trustee to one of these generic entries, you can choose them from the pulldown list Choose wellknown entry or browse.

The text box for the trustee's name can also quick-search objects when you enter names or parts of names which can be used to find them. When the Check Names button is active, you just have to enter a string and LEX will automatically search for directory objects which match this string. If more than one object matches the search string, an additional dialog lets you choose the object from a list:

DN edit with auto check names select list

The search for these objects is done with the same criteria as the simple search function in the Directory Search dialog. If you choose the object from the list, or if you directly enter the full distinguished name of an object, LEX recognizes that the string in the text box is a real DN and underlines it to show that LEX has matched this information internally. If the Check Names button is inactive, you can always try to resolve the string you entered into an object's DN by pressing F5.

If you want to see the distinguished name in the text box in a shorter, more readable form, you can activate the Show friendly object names button. This is the same feature which is also used in the object list of the LEX main window.

DN edit with friendly names


This is the scope of the permission. Where is the permission valid? For a certain attribute (-> attribute name), all attributes (-> [All Attributes Rights]) or the object itself (-> [Entry Rights]). You can choose the value for this text box from a simple dialog with the Select button:

Choosing the permission scope


These are the permission flags which are granted to the trustee. Depending on the scope (Attribute text box), two different sets of permission flags are possible:

  • Attribute permissions: These permissions can be set when the scope is set to one or all attributes. Possible values are Read, Compare, Super(visor), Write, AddSelf and InheritCTL. The Inherit Control flag can be set to specify an inherited rights mask filter.

    eDirectory permissions for attributes

  • Object permissions: These permissions can be set when the scope is set to [Entry Rights]. Possible values are Browse, Rename, Super(visor), Create, Delete and InheritCTL. The Inherit Control flag can be set to specify an inherited rights mask filter.

    eDirectory permissions for objects


This is a flag which controls whether the ACL permission entry is valid only for the object in question or is propagated to all child objects beneath it.

Multivalued attributes

Please note that the editor for Novell object ACL attributes only shows one value of an attribute which may consist of several values. This is very often the case when you deal with object ACLs:

Multivalued object ACL attribute

Editing the raw data

If you have opened a Novell object ACL attribute with this editor dialog, you can also display and edit the data in its basic form: just click the Raw label in the bottom left corner of the dialog. The editor then switches to a text editor:

Editing the raw Novell data

The Novell object ACL attribute syntax basically describes a string value which defines one permission entry in an object's access control list:

<privileges> # <scope> # <object DN> # <attribute>

The privilege value depends on the setting for the attribute string (see one of the next paragraphs). For [Entry Rights] permissions, the following bits are important: 1-Browse, 2-Create, 4-Delete, 8-Rename, 16-Supervisor, 64-Inheritance Control. For normal attribute permissions, the following bits are important: 1-Compare, 2-Read, 4-Write, 8-Add Self, 32-Supervisor, 64-Inheritance Control.

The scope determines whether the permission in question is inherited by child objects. If the permission is only set for the object itself, the string 'entry' is used, otherwise the string 'subtree' is used.

The object distinguished name is the DN of the trustee which holds the permission in question. In addition to normal DNs, the following generic trustee strings are allowed: [Root], [Public], [Creator], [Self], [Inheritance Mask].

The attribute string specifies the attribute for which the permission is set. In addition to attribute names, the following two generic strings are allowed: [All Attributes Rights], and [Entry Rights] (which means that the permission applies to the entire object).
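
The raw format and bit values described above can be decoded outside the editor as well, for instance when reviewing ACL values exported from a directory. The following Python sketch is an added example, not part of LEX; the names parse_acl, needs_review and AclEntry, the review criteria and the sample values are assumptions made for illustration.

```python
from typing import NamedTuple

ENTRY_BITS = {1: "Browse", 2: "Create", 4: "Delete", 8: "Rename",
              16: "Supervisor", 64: "Inheritance Control"}
ATTR_BITS = {1: "Compare", 2: "Read", 4: "Write", 8: "Add Self",
             32: "Supervisor", 64: "Inheritance Control"}

class AclEntry(NamedTuple):
    rights: tuple      # decoded flag names
    unknown_bits: int  # bits set that the page does not document
    scope: str         # 'entry' or 'subtree'
    trustee: str       # DN or generic string such as [Public]
    attribute: str     # attribute name, [All Attributes Rights] or [Entry Rights]

def parse_acl(raw: str) -> AclEntry:
    """Parse one '<privileges>#<scope>#<object DN>#<attribute>' value."""
    # Split from both ends so a '#' inside the trustee DN cannot shift fields.
    head, sep, attribute = raw.rpartition("#")
    parts = head.split("#", 2)
    if not sep or len(parts) != 3:
        raise ValueError(f"expected four '#'-separated fields: {raw!r}")
    priv, scope, trustee = (p.strip() for p in parts)
    attribute = attribute.strip()
    if scope not in ("entry", "subtree"):
        raise ValueError(f"unknown scope {scope!r}")
    mask = int(priv)  # ValueError if the privilege field is not a number
    # The attribute field decides which bit table applies.
    table = ENTRY_BITS if attribute == "[Entry Rights]" else ATTR_BITS
    rights = tuple(name for bit, name in table.items() if mask & bit)
    return AclEntry(rights, mask & ~sum(table), scope, trustee, attribute)

def needs_review(values):
    """Flag Supervisor on a whole subtree, or Write held by [Public]."""
    flagged = []
    for entry in map(parse_acl, values):
        if entry.trustee == "[Inheritance Mask]":
            continue  # assumption: these bits are a filter, not a grant
        wide_super = "Supervisor" in entry.rights and entry.scope == "subtree"
        public_write = entry.trustee == "[Public]" and "Write" in entry.rights
        if wide_super or public_write:
            flagged.append(entry)
    return flagged

# Constructed sample values (not taken from a real directory).
SAMPLE = [
    "16#subtree#cn=admin,o=example#[Entry Rights]",
    "2#entry#[Public]#messageServer",
    "6#entry#[Public]#loginScript",
    "3#subtree#cn=helpdesk,ou=it,o=example#[All Attributes Rights]",
]
```

A non-zero unknown_bits field means the value carries a bit that is not in the table for its attribute type, which is worth checking by hand before the value is edited.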

When will the Novell ACL editor be used?

The Novell object ACL editor is used whenever LEX has valid schema information and detects the following official attribute syntax:


Object ACL {Nov}