
ACL Manager Set

An attribute type's ACL manager set specifies the ACL manager type or types (by UUID) that control access to the object types to which attribute instances of this type can be attached. Attribute instances can be attached only to objects protected by the ACL manager types in the schema entry. For example, suppose an ACL manager set for an attribute type named MVSname lists only the ACL manager type for principals. Then, instances of the attribute type named MVSname can be attached only to principals and not to any other registry objects.

Access to an attribute instance is controlled by the ACL on the object to which the attribute instance is attached, and access control is implemented by the object's ACL manager type. For example, access to an attribute named MVSname on the principal object named delores is controlled by the ACL on the delores object.

Do not confuse access to an attribute type definition (a schema entry) with access to an attribute instance. As described previously, access to a schema entry is controlled by the ACL on the xattrschema object. Access to an attribute instance is controlled by the ACL on the object to which the attribute instance is attached.

In addition to the ACL manager types, the ACL manager set defines the permission bits needed to query, update, test, and delete instances of the attribute type. These bits are used by the object's ACL manager to determine rights to the object's attributes.

The ACL manager types and permissions defined for the attribute type apply to all instances of the attribute type.
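The two checks described above (where an instance may be attached, and who may operate on it) can be sketched as a simplified model. This is an added example, not DCE code or its API: the class and function names, the `principal`/`group` labels standing in for ACL manager type UUIDs, the permission letters `r` and `m`, and the sample ACLs are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AclMgrEntry:
    """One ACL manager set member: permission bits required per operation."""
    query: str
    update: str
    test: str
    delete: str

@dataclass
class RegistryObject:
    name: str
    acl_mgr_type: str   # ACL manager type protecting this object
    acl: dict           # ACL entries: principal name -> granted permission bits

# Schema entry (constructed): MVSname lists only the principal ACL manager type.
# Real schema entries identify the manager type by UUID; a label stands in here.
SCHEMA = {"MVSname": {"principal": AclMgrEntry(query="r", update="m",
                                               test="r", delete="m")}}

def can_attach(attr_type, obj):
    """Instances attach only to objects protected by a listed manager type."""
    return obj.acl_mgr_type in SCHEMA[attr_type]

def is_allowed(caller, operation, attr_type, obj):
    """Decide an operation on an attribute instance from the OBJECT's ACL."""
    entry = SCHEMA[attr_type].get(obj.acl_mgr_type)
    if entry is None:                      # manager type not in the set
        return False
    required = set(getattr(entry, operation))
    granted = set(obj.acl.get(caller, ""))
    return required <= granted             # every required bit must be granted

# Constructed sample objects.
delores = RegistryObject("delores", "principal", {"delores": "r", "admin": "rm"})
staff = RegistryObject("staff", "group", {"admin": "rm"})

if __name__ == "__main__":
    print(can_attach("MVSname", delores), can_attach("MVSname", staff))
    for who in ("delores", "admin"):
        for op in ("query", "update", "test", "delete"):
            print(who, op, is_allowed(who, op, "MVSname", delores))
```

Note that the ACL on the schema object plays no part in `is_allowed`: the decision uses only the ACL of the object carrying the instance and the permission bits the schema entry requires.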

Note that the ACL manager facility supports additional generic attribute type permissions (O through Z inclusive). Administrators can assign these permissions to attribute types of their choice. All uses of these additional permission bits are controlled by the cell's administrator. See the OSF DCE Administration Guide - Core Components for more information.