CDS supports the following DCE permissions: read (r), write (w),
insert (i), delete (d), test (t), control (c), and administer (a).
Each permission has a slightly different meaning, depending on the
kind of CDS name with which it is associated. In general, the
permissions are defined as follows:
Read Allows a principal to look up a name and view the
attribute values associated with it.
Write Permission allows a principal to change the modifiable
attributes associated with a name, except the name's
access control list (ACL) entries.
Insert Permission (for use with directory entries only) allows a
principal to create new names in a directory.
Delete Permission allows a principal to delete a name from the
namespace.
Test Permission allows a principal to test whether an attribute
of a name has a particular value without being able to
actually see any of the values (that is, without having
read permission to the name).
Test permission provides application programs a more
efficient way to verify a CDS attribute value. Rather
than reading an entire set of values, an application can
test for the presence of a particular value.
Control Permission allows a principal to modify the ACL entries
associated with a name. (Note that read permission is
also necessary for modifying a CDS entry's ACLs;otherwise,
acl_edit will not be able to bind to the entry.) Control
permission is automatically granted to the creator of
a CDS name.
Administer
Permission (for use with directory entries only) allows
a principal to issue CDS control program commands that
control the replication of directories.
The creator of a name is automatically granted all permissions
appropriate for the type of name created. For example, a principal
creating an object entry is granted read, write, delete, test, and
control permission to the object entry. A principal creating a
directory is granted read, write, insert, delete, test, control,
and administer permission to the directory.