Setting eDirectory ACL Entries with IDM

Setting ACL entries (aka trustees) in eDirectory with IDM is possible but far from self-explanatory. There is no DirXMLScript token that translates the API bit codes into human-readable ACL flag names, and setting special trustees like [Root] or [Public] requires a special syntax.

Here's what I found about this topic in the forums, compiled for easy reference (and my own laziness, since Geoffrey did not write an article about it yet).

ACL is a structured attribute, with three components: "protectedName", "trustee" and "privileges". Setting an ACL entry in DirXMLScript can be done this way:

<do-add-dest-attr-value class-name="User" name="ACL">
  <arg-value type="structured">
    <arg-component name="protectedName">
      <token-text xml:space="preserve">Internet Email Address</token-text>
    </arg-component>
    <arg-component name="trustee">
      <token-text xml:space="preserve">\VAULT-TREE\edu\acme\proxies\proxy</token-text>
    </arg-component>
    <arg-component name="privileges">
      <token-text xml:space="preserve">0</token-text>
    </arg-component>
  </arg-value>
</do-add-dest-attr-value>

The protectedName component can be the name of an attribute or something like [All Attributes Rights] or [Entry Rights].

The trustee component has to be a DN in slash form and can also be \[Root], \[Self], \[Inherited Rights Filter], \[Public] or \[This] (make sure to include the leading backslash!).

The privileges component is coded bitwise:

Rights to attributes:

1 Compare
2 Read
4 Write
8 Add Self
16 (unused)
32 Supervisor
64 Inheritance Control

Rights to entries:

1 Browse
2 Add
4 Delete
8 Rename
16 Supervisor
32 (unused)
64 Inheritance Control



The meaning of the inheritance control bit (whether 0 or 1 means block or inherit) depends on the eDirectory version and on whether the protectedName is an individual attribute, [All Attributes Rights] or [Entry Rights]. The following table is taken from http://developer.novell.com/documentation/ndslib/nds__enu/data/h12s89uj.html#h12s89uj:

NetWare Version: NetWare 4.x
  Object Right (DS_ENTRY_INHERIT_CTL): NetWare 4.x does not support this functionality. Inheritance of object rights is always supported. NetWare 4.x requires this bit to be set to 0.
  [All Attributes Rights] (DS_ATTR_INHERIT_CTL): NetWare 4.x does not support this functionality. Inheritance of rights to [All Attributes Rights] is always supported. NetWare 4.x requires this bit to be set to 0.
  Specific Attribute (DS_ATTR_INHERIT_CTL): NetWare 4.x does not support this functionality. Inheritance of ACLs to specific attributes is always blocked. NetWare 4.x requires this bit to be set to 0.

NetWare Version: NetWare 5.x
  Object Right (DS_ENTRY_INHERIT_CTL): NetWare 5.x supports this right. Set this bit to 0 (zero) to allow the inheritance of the rights in the ACL. Set this bit to 1 (one) to block the inheritance of the ACL rights.
  [All Attributes Rights] (DS_ATTR_INHERIT_CTL): NetWare 5.x supports this right. Set this bit to 0 (zero) to allow the inheritance of the rights granted to [All Attributes Rights]. Set this bit to 1 (one) to block the inheritance of the ACL rights.
  Specific Attribute (DS_ATTR_INHERIT_CTL): NetWare 5.x supports this right. Set this bit to 1 (one) to allow the inheritance of the rights granted to the specific attribute. Set this bit to 0 to block the inheritance of the ACL rights.

I guess the NetWare 5.x row also covers all current eDirectory versions, even if they run on Linux, Windows or elsewhere.
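Since there is no token for it, here is an added encoder/decoder for the privileges component built from the bit tables above (my own example, not code from the article, IDM or Novell). It takes the protectedName plus a list of right names, turns an "inherit yes/no" intention into bit 64 following the NetWare 5.x row, and decodes a value back while flagging the unused bits. It is plain ECMAScript, so it could be adapted for an IDM ECMAScript resource; all names are my own.

```javascript
// Added example, not code from the original article or from NetIQ/Novell.
// Encodes/decodes the eDirectory ACL "privileges" component using the bit
// tables above. The bit-64 meaning follows the NetWare 5.x row (assumed to
// apply to current eDirectory). Function and constant names are my own.

const ATTR_BITS  = { compare: 1, read: 2, write: 4, addSelf: 8, supervisor: 32 };
const ENTRY_BITS = { browse: 1, add: 2, delete: 4, rename: 8, supervisor: 16 };
const INHERIT_CTL = 64;

// [Entry Rights] uses the entry table; anything else is an attribute ACL.
function rightsTable(protectedName) {
  return protectedName === "[Entry Rights]" ? ENTRY_BITS : ATTR_BITS;
}

// On [Entry Rights] and [All Attributes Rights], bit 64 set = block inheritance;
// on a specific attribute, bit 64 set = allow inheritance (see table above).
function inheritBitMeansBlock(protectedName) {
  return protectedName === "[Entry Rights]" ||
         protectedName === "[All Attributes Rights]";
}

// rights: array of names from the applicable table; inherit: boolean intent.
function encodePrivileges(protectedName, rights, inherit) {
  const table = rightsTable(protectedName);
  let value = 0;
  for (const r of rights) {
    if (!(r in table)) throw new Error("unknown right '" + r + "' for " + protectedName);
    value |= table[r];
  }
  const setBit = inheritBitMeansBlock(protectedName) ? !inherit : inherit;
  return setBit ? value | INHERIT_CTL : value;
}

// Reverse mapping; also reports the bits the tables mark as unused (16 for
// attributes, 32 for entries) so an odd value read from the vault stands out.
function decodePrivileges(protectedName, value) {
  const table = rightsTable(protectedName);
  const rights = Object.keys(table).filter((k) => (value & table[k]) !== 0);
  const bitSet = (value & INHERIT_CTL) !== 0;
  const inherit = inheritBitMeansBlock(protectedName) ? !bitSet : bitSet;
  const known = Object.values(table).reduce((a, b) => a | b, INHERIT_CTL);
  return { rights, inherit, unknownBits: value & ~known };
}
```

Run against the snippet at the top of the article, privileges 0 on "Internet Email Address" decodes to no rights with inheritance blocked, because on a specific attribute it is bit 64 that allows inheritance.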

Thanks to Father Ramon for helping us all that much on the forums, without his input I wouldn't have been able to put this all together.

Labels: How To-Best Practice