Extended Permissions

I recently had to review a few dozen Permission Set Templates in a customer’s environment and validate that they were implemented as documented in the design spec.  That was relatively easy to do until it came to validating the extended permissions (r_accessor_xpermit) for each ACL member.  The design spec and the Documentum documentation list extended permissions as:

  • execute_proc
  • change_location
  • change_state
  • change_permissions
  • change_owner
  • extended_delete

But they are stored as the integer value of a 32-bit binary number in which each permission is governed by a single bit.  “1” signifies the permission is granted, “0” signifies it is not.  The bit positions, counted from 1 at the rightmost (least significant) bit, are defined like this:

  • bit 01 : execute_proc
  • bit 02 : change_location
  • bit 17 : change_state
  • bit 18 : change_permissions
  • bit 19 : change_owner
  • bit 20 : extended_delete

But wait, it gets even more interesting.  For some reason, execute_proc and change_location are reversed: “1” signifies the permission is not granted and “0” signifies it is granted.  Therefore, if a user has no extended permissions, the value of r_accessor_xpermit is 3 (the two lowest-order bits, bit 01 and bit 02 in the list above, both contain 1s). For example, the binary string 00000000000001110000000000000000 signifies the following extended permissions:

  • execute_proc
  • change_location
  • change_state
  • change_permissions
  • change_owner

Following is a table with all 64 possible combinations of extended permissions, their decimal values and their binary equivalents.  Remember that the execute_proc and change_location bits mean just the opposite of the others.  Hopefully this will be helpful to someone else too.

| permissions | decimal value | binary string |
|---|---|---|
| execute_proc, change_location | 0 | 00000000000000000000000000000000 |
| execute_proc | 1 | 00000000000000000000000000000001 |
| change_location | 2 | 00000000000000000000000000000010 |
| none | 3 | 00000000000000000000000000000011 |
| execute_proc, change_location, change_state | 65536 | 00000000000000010000000000000000 |
| change_location, change_state | 65537 | 00000000000000010000000000000001 |
| execute_proc, change_state | 65538 | 00000000000000010000000000000010 |
| change_state | 65539 | 00000000000000010000000000000011 |
| execute_proc, change_location, change_permissions | 131072 | 00000000000000100000000000000000 |
| change_location, change_permissions | 131073 | 00000000000000100000000000000001 |
| execute_proc, change_permissions | 131074 | 00000000000000100000000000000010 |
| change_permissions | 131075 | 00000000000000100000000000000011 |
| execute_proc, change_location, change_state, change_permissions | 196608 | 00000000000000110000000000000000 |
| change_location, change_state, change_permissions | 196609 | 00000000000000110000000000000001 |
| execute_proc, change_state, change_permissions | 196610 | 00000000000000110000000000000010 |
| change_state, change_permissions | 196611 | 00000000000000110000000000000011 |
| execute_proc, change_location, change_owner | 262144 | 00000000000001000000000000000000 |
| change_location, change_owner | 262145 | 00000000000001000000000000000001 |
| execute_proc, change_owner | 262146 | 00000000000001000000000000000010 |
| change_owner | 262147 | 00000000000001000000000000000011 |
| execute_proc, change_location, change_state, change_owner | 327680 | 00000000000001010000000000000000 |
| change_location, change_state, change_owner | 327681 | 00000000000001010000000000000001 |
| execute_proc, change_state, change_owner | 327682 | 00000000000001010000000000000010 |
| change_state, change_owner | 327683 | 00000000000001010000000000000011 |
| execute_proc, change_location, change_permissions, change_owner | 393216 | 00000000000001100000000000000000 |
| change_location, change_permissions, change_owner | 393217 | 00000000000001100000000000000001 |
| execute_proc, change_permissions, change_owner | 393218 | 00000000000001100000000000000010 |
| change_permissions, change_owner | 393219 | 00000000000001100000000000000011 |
| execute_proc, change_location, change_state, change_permissions, change_owner | 458752 | 00000000000001110000000000000000 |
| change_location, change_state, change_permissions, change_owner | 458753 | 00000000000001110000000000000001 |
| execute_proc, change_state, change_permissions, change_owner | 458754 | 00000000000001110000000000000010 |
| change_state, change_permissions, change_owner | 458755 | 00000000000001110000000000000011 |
| execute_proc, change_location, extended_delete | 524288 | 00000000000010000000000000000000 |
| change_location, extended_delete | 524289 | 00000000000010000000000000000001 |
| execute_proc, extended_delete | 524290 | 00000000000010000000000000000010 |
| extended_delete | 524291 | 00000000000010000000000000000011 |
| execute_proc, change_location, change_state, extended_delete | 589824 | 00000000000010010000000000000000 |
| change_location, change_state, extended_delete | 589825 | 00000000000010010000000000000001 |
| execute_proc, change_state, extended_delete | 589826 | 00000000000010010000000000000010 |
| change_state, extended_delete | 589827 | 00000000000010010000000000000011 |
| execute_proc, change_location, change_permissions, extended_delete | 655360 | 00000000000010100000000000000000 |
| change_location, change_permissions, extended_delete | 655361 | 00000000000010100000000000000001 |
| execute_proc, change_permissions, extended_delete | 655362 | 00000000000010100000000000000010 |
| change_permissions, extended_delete | 655363 | 00000000000010100000000000000011 |
| execute_proc, change_location, change_state, change_permissions, extended_delete | 720896 | 00000000000010110000000000000000 |
| change_location, change_state, change_permissions, extended_delete | 720897 | 00000000000010110000000000000001 |
| execute_proc, change_state, change_permissions, extended_delete | 720898 | 00000000000010110000000000000010 |
| change_state, change_permissions, extended_delete | 720899 | 00000000000010110000000000000011 |
| execute_proc, change_location, change_owner, extended_delete | 786432 | 00000000000011000000000000000000 |
| change_location, change_owner, extended_delete | 786433 | 00000000000011000000000000000001 |
| execute_proc, change_owner, extended_delete | 786434 | 00000000000011000000000000000010 |
| change_owner, extended_delete | 786435 | 00000000000011000000000000000011 |
| execute_proc, change_location, change_state, change_owner, extended_delete | 851968 | 00000000000011010000000000000000 |
| change_location, change_state, change_owner, extended_delete | 851969 | 00000000000011010000000000000001 |
| execute_proc, change_state, change_owner, extended_delete | 851970 | 00000000000011010000000000000010 |
| change_state, change_owner, extended_delete | 851971 | 00000000000011010000000000000011 |
| execute_proc, change_location, change_permissions, change_owner, extended_delete | 917504 | 00000000000011100000000000000000 |
| change_location, change_permissions, change_owner, extended_delete | 917505 | 00000000000011100000000000000001 |
| execute_proc, change_permissions, change_owner, extended_delete | 917506 | 00000000000011100000000000000010 |
| change_permissions, change_owner, extended_delete | 917507 | 00000000000011100000000000000011 |
| execute_proc, change_location, change_state, change_permissions, change_owner, extended_delete | 983040 | 00000000000011110000000000000000 |
| change_location, change_state, change_permissions, change_owner, extended_delete | 983041 | 00000000000011110000000000000001 |
| execute_proc, change_state, change_permissions, change_owner, extended_delete | 983042 | 00000000000011110000000000000010 |
| change_state, change_permissions, change_owner, extended_delete | 983043 | 00000000000011110000000000000011 |

A spreadsheet that helped me figure all of this out is here.
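
For validating many ACL entries against a design spec, the bit rules above can be applied programmatically. The following is an added example, not code from this post or from Documentum: it decodes and encodes r_accessor_xpermit using the bit positions and the inversion rule stated above, and compares stored values with documented permissions. The function names, accessor names and sample values are hypothetical.

```python
# Added example. Bit positions are counted from 1 at the least-significant bit,
# as in the post's list; the third field marks the two inverted bits.
XPERMIT_BITS = [
    (1, "execute_proc", True),
    (2, "change_location", True),
    (17, "change_state", False),
    (18, "change_permissions", False),
    (19, "change_owner", False),
    (20, "extended_delete", False),
]

def decode_xpermit(value):
    """Return the extended permissions an r_accessor_xpermit integer grants."""
    if not 0 <= value < 2**32:
        raise ValueError(f"not a 32-bit value: {value}")
    granted = []
    for pos, name, inverted in XPERMIT_BITS:
        bit_set = bool(value >> (pos - 1) & 1)
        if bit_set != inverted:          # inverted bits grant when they are 0
            granted.append(name)
    known = sum(1 << (pos - 1) for pos, _, _ in XPERMIT_BITS)
    for pos in range(1, 33):             # surface bits the post does not define
        if (value & ~known) >> (pos - 1) & 1:
            granted.append(f"unknown_bit_{pos:02d}")
    return granted

def encode_xpermit(names):
    """Return the integer that grants exactly the named permissions."""
    unknown = set(names) - {name for _, name, _ in XPERMIT_BITS}
    if unknown:
        raise ValueError(f"unknown permission(s): {sorted(unknown)}")
    value = 0
    for pos, name, inverted in XPERMIT_BITS:
        if (name in names) != inverted:
            value |= 1 << (pos - 1)
    return value

def audit_acl(spec, actual):
    """List (accessor, extra, missing) where stored values deviate from the spec."""
    findings = []
    for accessor, expected in spec.items():
        got = set(decode_xpermit(actual[accessor]))
        extra, missing = got - set(expected), set(expected) - got
        if extra or missing:
            findings.append((accessor, sorted(extra), sorted(missing)))
    return findings

# Constructed sample: accessor names and values are made up for illustration.
SPEC = {"dm_owner": ["execute_proc", "change_location", "change_owner"],
        "reviewers": [], "dm_world": ["execute_proc", "change_location"]}
ACTUAL = {"dm_owner": 262144, "reviewers": 0, "dm_world": 0}
print(audit_acl(SPEC, ACTUAL))
```

In the sample, the "reviewers" entry is documented as having no extended permissions but is stored as 0 rather than 3, so the audit reports execute_proc and change_location as extra grants.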


About Scott
I have been implementing Documentum solutions since 1997. In 2005, I published a book about developing Documentum solutions for the Documentum Desktop Client (ISBN 0595339689). In 2010, I began this blog as a record of interesting and (hopefully) helpful bits of information related to Documentum, and as a creative outlet.

7 Responses to Extended Permissions

  1. doquent says:

    It does give you a feeling of “Aha!” the first time you discover it. When you need to decode it, you do need to know these details. This post also shares some code for decoding xperms.


    • Scott says:

      Thanks! That is excellent info to have as well. Between the two posts, hopefully everyone will have the info they need to deal with xperms, whether directly or programmatically.

      Cheers,


  2. Vinod says:

    Great info! Thanks for sharing


  3. Pingback: One Year Ago « dm_misc: Miscellaneous Documentum Tidbits and Information

  4. anindya pal says:

    As we know grant(String accessorname, int basicpermission, String extendedpermission). How to set nothing in Extended permission. If we set it as null or “”, setting the acl with extended permission change location and execute proc. Please help


    • Scott says:

      As explained in the DFC JavaDocs, a null or “” will apply system default xperms: change location and execute procedure. If you want to change these xperms, you will need to change the value of the r_accessor_xpermit property on the dm_acl object manually using IDfACL.setInteger(“r_accessor_xpermit”,3).


  5. Hector says:

    Thanks for this info.

