
Initializing ACLs

After creating a CDS directory using the cdscp command, your first step is usually to run the acl_edit command to set up the new directory's ACLs the way you want them. (The new directory will have inherited its ACLs and its templates from the directory in which it was created, as explained in Creation of ACLs.) You may want to modify not only the directory's own ACLs, but also its two templates. To edit the latter, you can specify the -ic option (for the Initial Container template) or the -io option (for the Initial Object template); otherwise, you will edit the object ACL.
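Because the two templates decide what every later child directory and object inherits, it is worth reviewing all three ACLs once they are set. The following shell function is an added example, not part of the original documentation: it lists the object ACL, the Initial Container template and the Initial Object template, and reports any unauthenticated or any_other entry that grants more than read and test. The function name, the ACL_EDIT variable, the use of the -l (list) option and the assumed listing layout (one type[:key]:perms entry per line, comment lines starting with #, CDS permission letters rwdtcia) are assumptions of the example.

```shell
#!/bin/sh
# Added example: review the three ACLs of a newly created CDS directory.
# ACL_EDIT names the command to run (assumption: acl_edit is on PATH).
ACL_EDIT=${ACL_EDIT:-acl_edit}

# audit_cds_dir_acls DIRECTORY
# Prints "<selector> <entry>" for each unauthenticated/any_other entry that
# grants any of w, d, c, i or a. The selector is "object", "-ic" or "-io".
# Returns 2 if an ACL cannot be listed.
audit_cds_dir_acls() {
    dir=$1
    for sel in object -ic -io; do
        if [ "$sel" = object ]; then
            listing=$("$ACL_EDIT" "$dir" -l) || return 2
        else
            listing=$("$ACL_EDIT" "$dir" "$sel" -l) || return 2
        fi
        printf '%s\n' "$listing" | while IFS= read -r line; do
            case $line in
                '#'*|'') continue ;;               # comment or blank line
                unauthenticated:*|any_other:*) ;;  # entries worth reviewing
                *) continue ;;                     # named principals: skip
            esac
            perms=${line##*:}                      # text after the last colon
            case $perms in
                *[wdcia]*) printf '%s %s\n' "$sel" "$line" ;;
            esac
        done
    done
}
```

Run it as `audit_cds_dir_acls /.:/your_directory`; an empty result means none of the three ACLs gives those two entry types more than r and t.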

You can modify a directory's ACL templates from an application, assuming that you have control permission for the object, with the same combination of sec_acl_lookup( ) and sec_acl_replace( ) calls as for the object ACL. An option to these routines lets you specify which of the three possible ACLs on a directory object you want the call applied to. The ACLs themselves are in identical format.

The -e (entry) option to acl_edit can be used to make sure that you get the ACL for the specified namespace entry object, and not the ACL (if any) for the object that is referenced by the entry. This distinction has to be made clear to acl_edit because it finds the object (and hence the ACL) in question by looking it up in the namespace and binding to its ACL manager. Essentially, the -e option tells acl_edit whether it should bind to the CDS ACL manager (if the entry ACL is wanted), or to the manager responsible for the referenced object's ACL. This latter manager would be a part of the server application whose binding information the entry contained.

An example of such an ambiguous name would be a CDS clearinghouse entry, such as the cdshostname_ch entry discussed previously. With the -e option, you would edit the ACL on the namespace entry, as follows:

acl_edit -e /.:/cdshostname_ch

Without the -e option you would edit the ACL on the clearinghouse itself, which you presumably do not want to do.

Similarly, there is a bind_to_entry parameter by which the caller of sec_acl_bind( ) can indicate whether the entry object's ACL or the ACL to which the entry refers is desired.