Construct XML to Update Access Control Lists

To update the Access Control Lists (ACLs) of files in a file system, you must construct XML that specifies the identifiers of the files to update and provides information about how to change each ACL.

<identifiersXML>
   <identifier value="...">
      <acl_update>
         ...
      </acl_update>
   </identifier>
</identifiersXML>

In the identifier value attribute, replace "..." with the document identifier of the file that you want to update. A document identifier can be found in the AUTN_IDENTIFIER field of an indexed document.

You can update the ACLs of several files by including more than one identifier element in your XML:

<identifiersXML>
   <identifier value="...">
      <acl_update>
         ...
      </acl_update>
   </identifier>
   <identifier value="...">
      <acl_update>
         ...
      </acl_update>
   </identifier>
</identifiersXML>

The following table describes the XML elements that you can use in the acl_update element to specify how to change the ACL:

XML Element: <break_inheritance/>

Description:

Add this element to your XML to prevent ACL settings being inherited from the parent object in the file system.

If specified, this element must be the first child of acl_update.

Permitted Occurrences: 0 or 1

XML Element: <enable_inheritance/>

Description:

Add this element to your XML to inherit ACL settings from the parent object in the file system.

If specified, this element must be the first child of acl_update.

This element accepts an optional revert_acl attribute that specifies whether to remove all non-inherited entries in the ACL. Set this attribute to true or false (which is the default). For example:

<enable_inheritance revert_acl="true" />

Permitted Occurrences: 0 or 1

XML Element: <ace action="...">

Description:

Add or remove an entry from the ACL. The action attribute must be specified and accepts the value add or remove.

The following child elements must all appear exactly once:

  • principal - the user or group whose permissions you want to modify in the ACL. You can specify a domain user name or an SID.
  • principalType - the type of principal specified by the principal element:
    • DomainUser
    • SID
  • level - a comma-separated list of permissions to add or remove:
    • All (equivalent to "full control")
    • Read
    • Write
    • Execute
    • Delete
    • DenyAll
    • DenyRead
    • DenyWrite
    • DenyExecute
    • DenyDelete

Permitted Occurrences: 0 or more

The following example demonstrates how to change the ACL for a file:

<identifiersXML>
   <identifier value="...">
      <acl_update>
         <break_inheritance/>
         <ace action="add">
            <principal>MYDOMAIN\user1</principal>
            <principalType>DomainUser</principalType>
            <level>Read</level>
         </ace>
         <ace action="add">
            <principal>MYDOMAIN\user2</principal>
            <principalType>DomainUser</principalType>
            <level>Read, Write, Execute, Delete</level>
         </ace>
         <ace action="remove">
            <principal>MYDOMAIN\user3</principal>
            <principalType>DomainUser</principalType>
            <level>All</level>
         </ace>
      </acl_update>
   </identifier>
</identifiersXML>

The following example demonstrates how to change the ACL for a file, so that ACL entries are inherited from the parent object in the file system and all non-inherited entries are removed:

<identifiersXML>
   <identifier value="...">
      <acl_update>
         <enable_inheritance revert_acl="true"/>
      </acl_update>
   </identifier>
</identifiersXML>

Note: When you update an ACL, the file's last change time is updated to the current time (unless you provide a value for the LASTCHANGED metadata field, in which case that value is used instead). For more information about changing the last change time, see Construct XML to Update Dates.
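The element rules described on this page (inheritance element first, permitted action, principalType and level values) can be checked before an ACL update is submitted. The following Python check is an added example, not part of the product or its documentation; the function names lint_ace and lint_acl_update and the identifier value doc-1 are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Permitted values, copied from the table on this page.
LEVELS = {"All", "Read", "Write", "Execute", "Delete", "DenyAll",
          "DenyRead", "DenyWrite", "DenyExecute", "DenyDelete"}
PRINCIPAL_TYPES = {"DomainUser", "SID"}
INHERITANCE = {"break_inheritance", "enable_inheritance"}

def lint_ace(ace):
    """Check one ace element; return a list of rule violations."""
    out = []
    if ace.get("action") not in ("add", "remove"):
        out.append("ace action must be add or remove")
    missing = [n for n in ("principal", "principalType", "level")
               if len(ace.findall(n)) != 1]
    if missing:
        return out + [f"ace needs exactly one {n}" for n in missing]
    if ace.findtext("principalType").strip() not in PRINCIPAL_TYPES:
        out.append("principalType must be DomainUser or SID")
    levels = [v.strip() for v in ace.findtext("level").split(",")]
    bad = [v for v in levels if v not in LEVELS]
    if bad:
        out.append("unknown level: " + ", ".join(bad))
    return out

def lint_acl_update(xml_text):
    """Return rule violations; an empty list means every rule is met."""
    root = ET.fromstring(xml_text)
    if root.tag != "identifiersXML":
        return ["root element must be identifiersXML"]
    problems = []
    for ident in root.findall("identifier"):
        doc = ident.get("value") or "(no identifier value)"
        for update in ident.findall("acl_update"):
            for pos, child in enumerate(update):
                if child.tag == "ace":
                    problems += [f"{doc}: {p}" for p in lint_ace(child)]
                elif child.tag not in INHERITANCE:
                    problems.append(f"{doc}: unexpected element {child.tag}")
                elif pos != 0:
                    problems.append(f"{doc}: {child.tag} must be the first child")
                elif child.get("revert_acl", "false") not in ("true", "false"):
                    problems.append(f"{doc}: revert_acl must be true or false")
    return problems

# Constructed sample: bad action, unknown level, inheritance element out of place.
BAD = """<identifiersXML><identifier value="doc-1"><acl_update>
<ace action="grant"><principal>MYDOMAIN\\user1</principal><principalType>DomainUser</principalType>
<level>Read, Modify</level></ace><enable_inheritance revert_acl="true"/>
</acl_update></identifier></identifiersXML>"""
```

Calling lint_acl_update(BAD) reports three violations for doc-1; the examples shown earlier on this page produce an empty list.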

