DQL: Getting the permission sets (basic and extended permissions)

The following DQL will retrieve all permission sets with the permission set names (object_name), accessor names (r_accessor_name), basic (r_accessor_permit) and extended permissions (r_accessor_xpermit). The object_name and r_accessor_name values are self-explanatory and human-readable.

select object_name, r_accessor_name, r_accessor_permit, r_accessor_xpermit from dm_acl order by object_name

The r_accessor_permit and r_accessor_xpermit values, however, are integers that have to be decoded. The r_accessor_permit value can be decoded against this table (also available in the Object Reference Manual).

0, for NULL
1, for None
2, for Browse
3, for Read
4, for Relate
5, for Version
6, for Write
7, for Delete

For r_accessor_xpermit, it is more complicated. The integer value has to be converted into binary before it can be translated into the descriptions.

The first 16 bits (two bytes) represent the basic permissions for backward compatibility. In the first 16 bits, a value of 0 means ON. The second 16 bits (two bytes) use 1 to indicate that the permission is ON. The bit locations of the permissions are:

execute_proc = 1
change_location = 2
change_state = 17
change_permit = 18
change_owner = 19

For example:

  1. The r_accessor_xpermit is 393216.
  2. Convert it to binary and you will get the following: 0000000000000110 0000000000000000
  3. Bits 1 and 2 are 0, which means ON; hence, execute_proc and change_location are set.
  4. Bits 18 and 19 are ON, meaning change_permit and change_owner are granted too.
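
The decoding steps above, written as a small Python helper for reviewing which accessors hold extended permissions such as change_permit or change_owner. This is an added example, not code from the original post; the function names and sample rows are constructed for illustration, and bit positions are counted from 1 at the least significant (rightmost) bit, as the worked example implies.

```python
# Added example: decode dm_acl permission integers using the tables in this post.
BASIC_PERMIT = {0: "NULL", 1: "None", 2: "Browse", 3: "Read", 4: "Relate",
                5: "Version", 6: "Write", 7: "Delete"}

# Bit positions as listed in the post (assumed 1 = least significant bit).
XPERMIT_BITS = {"execute_proc": 1, "change_location": 2, "change_state": 17,
                "change_permit": 18, "change_owner": 19}


def decode_xpermit(value):
    """Return the extended permissions granted by an r_accessor_xpermit integer."""
    granted = []
    for name, position in sorted(XPERMIT_BITS.items(), key=lambda kv: kv[1]):
        bit = (value >> (position - 1)) & 1
        # Bits 1-16: 0 means ON. Bits 17-32: 1 means ON.
        on = (bit == 0) if position <= 16 else (bit == 1)
        if on:
            granted.append(name)
    return granted


def decode_row(row):
    """Decode one (object_name, accessor, permit, xpermit) row from the DQL query."""
    object_name, accessor, permit, xpermit = row
    return {
        "acl": object_name,
        "accessor": accessor,
        "basic": BASIC_PERMIT.get(permit, "unknown(%d)" % permit),
        "extended": decode_xpermit(xpermit),
    }


def accessors_with(rows, permission):
    """List (acl, accessor) pairs whose extended permissions include `permission`."""
    return [(r["acl"], r["accessor"]) for r in map(decode_row, rows)
            if permission in r["extended"]]


# Constructed sample rows (not real repository data).
SAMPLE_ROWS = [
    ("acl_example_a", "dm_owner", 7, 393216),   # the worked value from the post
    ("acl_example_a", "dm_world", 3, 0),        # low bits 0 -> bits 1 and 2 ON
    ("acl_example_b", "reviewers", 6, 3),       # bits 1 and 2 set -> both OFF
]

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(decode_row(row))
    print(accessors_with(SAMPLE_ROWS, "change_permit"))
```

Feed it the rows returned by the DQL query above to list every accessor that can change permissions or ownership on objects governed by a permission set.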
