XCP2 vs ACLs

Yesterday another skypemate of mine asked me whether I knew anything about the following XCP error:

An error occurred while performing the requested operation. Please try again.

  Details 
    Error in operation Object create failure type=jorm1_nomupis

Error code: E_ECM_OPERATION_ERROR
[DM_SYSOBJECT_E_INVALID_ACL_DOMAIN]error: 
    "The <object_type> '<object_name>' is given an invalid ACL domain 'dmadmin'."

EMC published a ridiculous solution for this error; fortunately, I knew its root cause. Three cases:

user’s ACL:

API> retrieve,c,dm_acl where owner_name=USER
...
4501fd088003ad00
API> get,c,l,object_name
...
dm_4501fd088003ad00
API> create,c,dm_document
...
0901fd0880792c3e
API> set,c,l,acl_name
SET> dm_4501fd088003ad00
...
OK
API> set,c,l,acl_domain
SET> test01
...
OK
API> save,c,l
...
OK

repository owner’s ACL:

API> retrieve,c,dm_acl where owner_name='ssc_dev'
...
4501fd088002ec25
API> get,c,l,object_name
...
sample_acl
API> create,c,dm_document
...
0901fd0880792c3d
API> set,c,l,acl_name
SET> sample_acl
...
OK
API> set,c,l,acl_domain
SET> dm_dbo
...
OK
API> save,c,l
...
OK

foreign ACL:

API> retrieve,c,dm_acl where owner_name='dmadmin'
...
4501fd088000020a
API> get,c,l,object_name
...
dm_4501fd088000020a
API> create,c,dm_document
...
0901fd0880792c3c
API> set,c,l,acl_name
SET> dm_4501fd088000020a
...
OK
API> set,c,l,acl_domain
SET> dmadmin
...
OK
API> save,c,l
...
[DM_SYSOBJECT_E_INVALID_ACL_DOMAIN]error:  
   "The dm_document '' is given an invalid ACL domain 'dmadmin'."

Documentation (the Fundamentals guide; a bit confusing, but the listing above makes it clear):

  • Public ACLs are available for use by any user in the repository. Public ACLs created by the repository owner are called system ACLs. System ACLs can only be managed by the repository owner. Other public ACLs can be managed by their owners or a user with Sysadmin or Superuser privileges.
  • Private ACLs are created and owned by a user other than the repository owner. However, unlike public ACLs, private ACLs are available for use only by their owners, and only their owners or a superuser can manage them.

The problem was that by default XCP objects inherit the ACL of the target folder, and somebody had granted additional permissions on that folder, which left the folder with a private ACL in the 'dmadmin' domain that other users cannot apply. It is strange that XCP has no safeguard against this.
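The following is an added example and not code from the original post or from EMC: a small Python model of the ACL-domain rule behind the three API listings and the quoted documentation, plus a defensive audit of folders whose ACL XCP objects would inherit. Assumptions that are not on the page: ACLs are looked up by (owner_name, object_name); dm_acl.acl_class == 3 marks a non-system public ACL; the repository owner name ssc_dev, the user names and the folder rows are constructed sample data taken from or modelled on the listings.

```python
"""Model of the DM_SYSOBJECT_E_INVALID_ACL_DOMAIN rule (added example, not
the product's code).  Assumptions are marked in comments."""
from dataclasses import dataclass

REPO_OWNER = "ssc_dev"   # repository owner (alias dm_dbo) in the listings; sample value
ACL_CLASS_PUBLIC = 3     # dm_acl.acl_class value for public ACLs (assumption)


@dataclass(frozen=True)
class Acl:
    object_name: str    # becomes acl_name on the sysobject
    owner_name: str     # becomes acl_domain on the sysobject
    acl_class: int = 0  # 0 = regular: private unless owned by the repository owner


def is_public(acl: Acl, repo_owner: str = REPO_OWNER) -> bool:
    """System ACL (owned by the repository owner) or an explicitly public ACL."""
    return acl.owner_name == repo_owner or acl.acl_class == ACL_CLASS_PUBLIC


def can_apply(user: str, acl: Acl, repo_owner: str = REPO_OWNER) -> bool:
    """Rule from the Fundamentals guide: public ACLs are available to any user,
    private ACLs only to their owner."""
    return is_public(acl, repo_owner) or acl.owner_name == user


def save_with_acl(user, obj_type, obj_name, acl_name, acl_domain, acls,
                  repo_owner=REPO_OWNER):
    """Simulate 'set acl_name', 'set acl_domain', 'save,c,l' for the session user.
    `acls` maps (owner_name, object_name) -> Acl, mimicking the dm_acl lookup."""
    domain = repo_owner if acl_domain == "dm_dbo" else acl_domain  # dm_dbo = repo owner alias
    acl = acls.get((domain, acl_name))
    if acl is None:
        raise LookupError(f"no dm_acl with owner_name={domain!r} object_name={acl_name!r}")
    if can_apply(user, acl, repo_owner):
        return "OK"
    return ("[DM_SYSOBJECT_E_INVALID_ACL_DOMAIN]error: "
            f"\"The {obj_type} '{obj_name}' is given an invalid ACL domain '{domain}'.\"")


def private_acl_folders(folders, repo_owner=REPO_OWNER):
    """Audit for the XCP inheritance problem: return the names of folders whose
    ACL is private, so any user other than that ACL's owner who creates an object
    inheriting the folder ACL will hit DM_SYSOBJECT_E_INVALID_ACL_DOMAIN.
    `folders` is an iterable of (folder_name, Acl) pairs (a join of
    dm_folder.acl_name/acl_domain with dm_acl, done elsewhere)."""
    return [name for name, acl in folders if not is_public(acl, repo_owner)]


# Constructed catalogue mirroring the three listings above (session user: test01).
SAMPLE_ACLS = {
    ("test01", "dm_4501fd088003ad00"): Acl("dm_4501fd088003ad00", "test01"),
    ("ssc_dev", "sample_acl"): Acl("sample_acl", "ssc_dev"),
    ("dmadmin", "dm_4501fd088000020a"): Acl("dm_4501fd088000020a", "dmadmin"),
}


if __name__ == "__main__":
    for acl_name, acl_domain in [("dm_4501fd088003ad00", "test01"),
                                 ("sample_acl", "dm_dbo"),
                                 ("dm_4501fd088000020a", "dmadmin")]:
        print(f"{acl_domain:>8}: ",
              save_with_acl("test01", "dm_document", "", acl_name, acl_domain, SAMPLE_ACLS))
    # Constructed folder rows: one with a system ACL, one re-permissioned by dmadmin.
    folders = [("/Cabinets/Shared", SAMPLE_ACLS[("ssc_dev", "sample_acl")]),
               ("/Cabinets/Project", SAMPLE_ACLS[("dmadmin", "dm_4501fd088000020a")])]
    print("folders with private ACLs:", private_acl_folders(folders))
```

Running it reproduces the listings: the user's own ACL and the dm_dbo ACL save with OK, the dmadmin-owned ACL fails with the quoted error, and the audit lists only the folder carrying the private ACL; in a real repository the folder rows for the audit would come from a DQL query joining dm_folder and dm_acl.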