
Attributes

aclmgr description
A set that lists the ACL managers that support the object types on which ERAs of this type can be created. For each ACL manager type, the permissions required for attribute operations are also specified. Each ACL manager is described with a list in the following format:

{uuid queryset updateset testset deleteset}

The first element is the UUID of the ACL manager, and the remaining elements are the sets of permissions (concatenated permission strings as found in an ACL) required to perform each type of operation. The value of this attribute is actually a list of these lists. For example:

{8680f026-2642-11cd-9a43-080009251352 r w t D}
{18dbdad2-23df-11cd-82d4-080009251352 r w t mD}

This attribute is modifiable after creation, but only in a limited way. New ACL managers can be added, but existing ones cannot be removed or changed.
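The following added example (not part of the DCE documentation or the DCE code) parses an aclmgr value, reports which permissions a caller still lacks for an operation, and checks a proposed new value against the add-only rule above. The function names are hypothetical, and the code assumes each permission is a single character, as in the entries shown.

```python
import re
import uuid

OPS = ("query", "update", "test", "delete")

# The two entries shown in the aclmgr example above.
PAGE_EXAMPLE = """
{8680f026-2642-11cd-9a43-080009251352 r w t D}
{18dbdad2-23df-11cd-82d4-080009251352 r w t mD}
"""

def parse_aclmgr(text):
    """Parse {uuid queryset updateset testset deleteset} lists into a dict
    keyed by ACL manager UUID."""
    managers = {}
    for body in re.findall(r"\{([^{}]*)\}", text):
        fields = body.split()
        if len(fields) != 5:
            raise ValueError(f"expected a UUID and four permission sets: {body!r}")
        mgr = str(uuid.UUID(fields[0]))  # raises ValueError if not a UUID
        if mgr in managers:  # assumption: one entry per ACL manager
            raise ValueError(f"ACL manager listed twice: {mgr}")
        managers[mgr] = dict(zip(OPS, fields[1:]))
    return managers

def missing_permissions(managers, mgr, operation, held):
    """Permissions still needed for an operation, given the permission
    string the caller holds (one character per permission is assumed)."""
    return set(managers[mgr][operation]) - set(held)

def check_aclmgr_update(current, proposed):
    """List violations of the add-only rule; an empty list means the
    proposed value only adds ACL managers."""
    problems = []
    for mgr, perms in current.items():
        if mgr not in proposed:
            problems.append(f"{mgr}: removed")
        elif proposed[mgr] != perms:
            problems.append(f"{mgr}: permission sets changed")
    return problems
```
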

annotation string
A comment field used to store information about the schema entry. It is a Portable Character Set (PCS) string. The default is an empty string (that is, blank).

applydefs {yes | no}
Indicates that if this ERA does not exist for a given object on an attribute query, the system-defined default value (if any) for this attribute will be returned. If set to no, an attribute query returns an attribute instance only if it exists on the object named in the query. The value of this attribute must be yes or no. The default is no. This attribute is only advisory in DCE Version 1.1. Future versions of DCE will support this functionality.

encoding type
The type of the ERA. This attribute cannot be modified after creation and must be specified on creation. Legal values are one of the following:

any
The value of the ERA can take on any encoding. This encoding type is only legal for the definition of an ERA in a schema entry. All instances of an ERA must have an encoding of some other value.

attrset
The value of the ERA is a list of attribute type UUIDs used to retrieve multiple related attributes by specifying a single attribute type on a query.

binding
The value of the ERA contains authentication, authorization and binding information suitable for communicating with a DCE server. The syntax is a list of two elements.

The first element is a list of security information where the first element is the authentication type, either none or dce, followed by information specific for each type. The type none has no further information. The type dce is followed by a principal name, a protection level (one of default, none, connect, call, pkt, pktinteg, or pktprivacy), an authentication service (one of default, none, or secret), and an authorization service (one of none, name, or dce). Examples of three security information lists are:

{none}
{dce /.:/melman default default dce}
{dce /.:/melman pktprivacy secret dce}

The second element is a list of binding information, where binding information can be string bindings or server entry names. Two examples of binding information are:

{/.:/hosts/hostname/dce-entity
/.:/subsys/dce/sec/master}
{ncadg_udp_ip:130.105.96.3[1234]
ncadg_udp_ip:130.105.96.6[1234]}

byte
The value of the ERA is a string of bytes. The byte string is assumed to be a pickle or some other self-describing type.

It is unlikely that attributes of this type will be entered manually. The format of output is hexadecimal bytes separated by spaces with 20 bytes per line. For example, suppose the attribute name was bindata:

{bindata
{00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13
22 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 12 11 12 13}}

The braces indicate that bindata has one value. On input all white spaces are compressed so that users can enter the data as bytes or words or any combination, whichever is more convenient. Therefore, a user could enter the following as input:

{bindata
{00010203 0405 06070809 0a0b 0c0d0e0f 10111213
22212223 2425 26272829 2a2b 2c2d2e2f 12111213}}
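The input and output rules for byte values, as an added example that is not part of the DCE documentation or code: the parser removes all white space before decoding, and the formatter emits 20 space-separated bytes per line. The function names are hypothetical, and rejecting an odd number of hexadecimal digits is an assumption of this example.

```python
import re

# Output and input forms of the same bindata value, copied from the text above.
PAGE_OUTPUT = ("00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13\n"
               "22 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 12 11 12 13")
PAGE_INPUT = ("00010203 0405 06070809 0a0b 0c0d0e0f 10111213\n"
              "22212223 2425 26272829 2a2b 2c2d2e2f 12111213")

def parse_byte_value(text):
    """Decode a byte value as entered: white space is compressed out first,
    so bytes, words, or any mixture of the two give the same result."""
    digits = re.sub(r"\s+", "", text)
    if not re.fullmatch(r"[0-9a-fA-F]*", digits):
        raise ValueError("non-hexadecimal character in byte value")
    if len(digits) % 2:
        # Assumption: a trailing half byte is an input error.
        raise ValueError("odd number of hexadecimal digits")
    return bytes.fromhex(digits)

def format_byte_value(data, per_line=20):
    """Render bytes the way the output is described: lowercase hexadecimal,
    space separated, 20 bytes per line."""
    rows = (data[i:i + per_line] for i in range(0, len(data), per_line))
    return "\n".join(" ".join(f"{b:02x}" for b in row) for row in rows)
```
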

i18ndata
The value of the ERA is a string of bytes with a tag that identifies the (OSF-registered) codeset used to encode the data.

Although it is unlikely that administrators will enter attributes of this type manually, the DCE control program does support entering binary data with the following notations: \ddd where ddd can be one, two, or three octal digits, and \xhh where hh can be any number of hexadecimal digits.

integer
The value of the ERA is a signed 32-bit integer.

printstring
The value of the ERA is a printable IDL character string using PCS.

stringarray
An array of PCS strings; represented as a Tcl list of strings.

uuid
The value of the ERA is a UUID.

void
The ERA has no value. It is a marker that is either present or absent.

intercell value
Specifies the action that should be taken by the privilege server when reading ERAs from a foreign cell. Possible values are:

accept
Accepts ERAs from foreign cells. The only check applied is uniqueness if indicated by the unique attribute.

reject
Discards ERAs from foreign cells.

evaluate
Invokes a trigger function on a server that decides whether the ERA should be kept, discarded, or mapped to another value.

The default is reject.

This attribute is only advisory in DCE Version 1.1. Future versions of DCE will support this functionality.

multivalued {yes | no}
Indicates that ERAs of this type can be multivalued (that is, multiple instances of the same attribute type may be attached to a single registry object). The value of this attribute must be yes or no. This attribute is not modifiable after creation. The default is no.

reserved {yes | no}
If set, this schema entry cannot be deleted through any interface by any user. The value of this attribute must be yes or no. The default is no.

scope string
Indicates the name of a security directory or object in the registry. If it is an object, instances of this ERA can be attached only to this object. If it is a directory, instances of this ERA can be attached only to descendants of this directory. For example, if this attribute is set to principal/org/dce, only principals with a prefix of org/dce in the name may have this type of ERA. You cannot modify this attribute after it is created. The default is the empty string (that is, blank), which does not limit which objects ERAs may be attached to.

This attribute is only advisory in DCE Version 1.1. Future versions of DCE will support this functionality.

trigtype type
Identifies whether there is a trigger and, if so, what type it is. The possible values are: none, query, and update. If this attribute is anything other than none, then trigbind must be set. This attribute is not modifiable after creation. The default is none.

trigbind binding
Contains binding information for the server that will support the trigger operations. This field must be set if trigtype is not none or if intercell is set to evaluate. The value of this attribute is of the format described by the binding encoding type. The default is the empty string (that is, blank).

unique {yes | no}
Indicates that each instance of the ERA must have a unique value within the cell for a particular object type (for instance, principal). The value of this attribute must be yes or no. This attribute is not modifiable after creation. The default is no.

This attribute is only advisory in DCE Version 1.1. Future versions of DCE will support this functionality.

uuid uuid
The internal identifier of the ERA. The value is a UUID. This attribute is not modifiable after creation. If not specified on the create operation, a value is generated by the system.
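The cross-attribute rules described above (encoding required, the trigtype, intercell and trigbind dependency, the legal words in a binding's security information, and the yes or no attributes) can be checked before a schema entry is created. This is an added example, not DCE code; the function names and the dictionary layout of an entry are assumptions made for the illustration.

```python
ENCODINGS = {"any", "attrset", "binding", "byte", "i18ndata", "integer",
             "printstring", "stringarray", "uuid", "void"}
PROTECT = {"default", "none", "connect", "call", "pkt", "pktinteg", "pktprivacy"}
AUTHN = {"default", "none", "secret"}
AUTHZ = {"none", "name", "dce"}

def check_security_info(fields):
    """Check the first element of a binding value, given as a list of words."""
    if fields == ["none"]:
        return []
    if not fields or fields[0] != "dce":
        return ["authentication type must be none or dce"]
    if len(fields) != 5:
        return ["dce needs principal, protection level, authn and authz service"]
    _, _principal, protect, authn, authz = fields
    problems = []
    for label, value, legal in (("protection level", protect, PROTECT),
                                ("authentication service", authn, AUTHN),
                                ("authorization service", authz, AUTHZ)):
        if value not in legal:
            problems.append(f"illegal {label}: {value}")
    return problems

def check_schema_entry(entry):
    """entry maps attribute names to values; missing keys take the documented
    defaults. trigbind is (security_info_words, [binding strings]) or None."""
    problems = []
    if entry.get("encoding") not in ENCODINGS:
        problems.append("encoding must be specified with a legal value")
    trigtype = entry.get("trigtype", "none")
    intercell = entry.get("intercell", "reject")
    trigbind = entry.get("trigbind")
    if trigtype not in {"none", "query", "update"}:
        problems.append(f"illegal trigtype: {trigtype}")
    if intercell not in {"accept", "reject", "evaluate"}:
        problems.append(f"illegal intercell: {intercell}")
    if (trigtype != "none" or intercell == "evaluate") and not trigbind:
        problems.append("trigbind must be set for this trigtype/intercell")
    if trigbind:
        security, bindings = trigbind
        problems += check_security_info(list(security))
        if not bindings:
            problems.append("trigbind lists no binding information")
    for name in ("applydefs", "multivalued", "reserved", "unique"):
        if entry.get(name, "no") not in {"yes", "no"}:
            problems.append(f"{name} must be yes or no")
    return problems
```
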

See the OSF DCE Administration Guide - Core Components for more information about xattrschema attributes.