eacl

configure element access control list security

Usage

accurev eacl [-fx] [-R] [-y] [-s <stream>] [-n <prin>:<priv> | -i <prin>:<priv>
| -r <prin>:<priv> | -a <prin>:<priv>] [-c <comment>] [-p <depot-name>]
{ <element-list> | -l <list-file> | -e <eid> }

Description

The eacl command enables you to configure security settings on individual elements. (For setting security on streams and depots, see the setacl and lsacl commands.) This gives you the ability to:

  • Allow or deny access to all versions of an element, no matter what stream they are in, for a specified user or group. A user that is denied access to an element cannot see or view it.
  • Specify who can modify the access to an element. This is a higher privilege than just being allowed access.

You do this by setting and modifying Access Control Lists (ACLs) and Access Control Entries (ACEs). An ACL is a list of security protections that applies to an element. An ACE is an entry in an ACL that defines a principal and a privilege.

A principal can be:

  • a user
  • a group
  • all

A privilege can be:

  • Full - the ability to see and view the element and to modify its ACL.
  • Allow - the ability to see and view the element, but not modify its ACL.
  • Readonly - prevents the user from modifying the element when using add, keep, move, defunct, and revert commands, and from modifying the element's ACL.
  • Deny - the inability to see and view the element or modify its ACL.

An ACL contains zero or more ACEs. An element can have only one ACL assigned to it at any point in time. You specify whether to set, add, or remove an ACE (principal and privilege) on an element, and AccuRev maintains the ACL automatically. Note that ACLs cannot be created or modified without an element.

Options

-a

Add an ACE to the specified element.

-c

Comment for the transaction.

-e

Specify an element id.

-fx

XML formatted output.

-i

Displays all the elements that have the privilege for the principal specified in the ACE.

-l

Specify a file with a list of element paths.

-n

Set a new ACL on the specified element(s).

-p

Specify a depot if not in a workspace; used with -e.

-r

Remove an ACE from the specified element.

-R

Recurse down the element(s) hierarchy.

-s

Specify a stream for path name lookup when not in a workspace.

-y

Force an ACL change (even if it would remove full access for the user).

<prin> principal(s) — either all, <user>, or <group>

<priv> privilege — either allow, deny, full, or readonly

Notes:

  • If no privilege changes are specified, then the current EACL list is displayed.
  • The -r option will fail if no matching ACE is found.
  • The -R option must be used with either -n, -a or -r (or with no other option, to display the EACLs down the hierarchy). When used with no option, -R will not display EACLs for elements to which the user is denied access.
  • Can only specify one element with the -R option.
  • The -c option can be used to specify a comment for the transaction.
  • The -p option requires the -e option.
  • The -s option is required when you are not in a workspace and specifying element paths.
  • The -i option takes only one ACE; you cannot specify individual elements (using -l, -e, or ., for example).
  • Use the hist command to display the history of ACL changes on an element.
  • Use ‘-e all’ with ‘-p <depot-name>’ to change ACLs on all elements in the depot.
  • You can specify multiple ACEs by separating each <prin>:<priv> pair with a comma. For example: all:allow,user1:deny.
  • Only one ACE per principal is allowed on an ACL, so any previous ACE for that principal is overwritten.
  • Specifying -n overwrites any existing ACL. If you wish to modify an existing ACL, use -a or -r.
  • You cannot remove full access for the current user unless the -y option is specified.
  • To add an element to the depot and instantly make it inaccessible to other users, while assigning FULL access to the user adding the element, use the add -d command. You can then set the EACLs appropriately for elements added in this way.
  • If a user is denied access to an element that is part of a change package, they can still promote that change package even though they cannot see the versions that they are denied.

Examples

Note: For the examples below to work, you must either have FULL rights (not just ALLOW) to the elements, or be an AccuRev EACL superuser. See AccuRev Security Overview in the AccuRev Admin Help for more details.

To display the ACL for the specified element(s):

   eacl { <element-list> | -l <list-file> | -e <eid> }

To set an ACL on the specified element(s):

   eacl -n <prin>:<priv> { <element-list> | -l <list-file> | -e <eid> }

To add an ACE to the specified element(s):

   eacl -a <prin>:<priv>  { <element-list> | -l <list-file> | -e <eid> }

To remove an ACE from the specified element(s):

   eacl -r <prin>:<priv> { <element-list> | -l <list-file> | -e <eid> }

To set an ACL on the specified directory and all its children:

   eacl -R -n <prin>:<priv> { <dir-list> | -l <dir-list-file> | -e <dir-eid> }

To display all the elements that have the privilege for the principal specified in the ACE, in XML formatted output:

   eacl -i <prin>:<priv> -fx

Note: If you attempt to set or change an element ACL and do not have the appropriate (“FULL”) permission to do so, you will get the error “Full Access Denied: <element_name>”. When attempting to set a “DENY” access on an element, do not misinterpret this message as a confirmation that the “DENY” access has been set. A successful operation returns the message “Processed: <element_name>”.
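As an added example (not from the AccuRev documentation or product), the following POSIX shell wrapper builds a comma-separated ACE list, runs eacl -n on a set of elements, and reads the command's output line by line so that a "Full Access Denied: <element>" line is reported as a failure rather than mistaken for a successfully set DENY. The command name (ACCUREV, defaulting to accurev), the group name dev-leads, the transaction comment and the element paths are assumptions; the elements are assumed to already exist in the depot and the script is assumed to run from inside a workspace.

```shell
#!/bin/sh
# Added example, not AccuRev's own code. Wraps `accurev eacl -n` so that a
# "Full Access Denied" line is treated as a failure, never as a confirmation.
# ACCUREV, the group "dev-leads", the comment and the element paths are assumptions.
ACCUREV="${ACCUREV:-accurev}"

# Build a comma-separated ACE list ("all:deny,dev-leads:full") from
# principal:privilege arguments, rejecting anything that is not one of the
# four documented privileges or that has an empty principal.
build_ace_list() {
    list=""
    for ace in "$@"; do
        prin=${ace%%:*}
        priv=${ace#*:}
        case "$priv" in
            allow|deny|full|readonly) ;;
            *) echo "bad privilege in '$ace'" >&2; return 1 ;;
        esac
        [ -n "$prin" ] || { echo "empty principal in '$ace'" >&2; return 1; }
        list="${list:+$list,}$ace"
    done
    printf '%s\n' "$list"
}

# Inspect captured eacl output: succeed only if at least one element line reads
# "Processed: <element>" and no line reads "Full Access Denied: <element>".
eacl_all_processed() {
    denied=$(printf '%s\n' "$1" | grep -c '^Full Access Denied: ' || true)
    processed=$(printf '%s\n' "$1" | grep -c '^Processed: ' || true)
    [ "$denied" -eq 0 ] && [ "$processed" -gt 0 ]
}

# Set a fresh ACL (-n replaces any existing ACL) on the given elements, echo
# the command's own result lines, and return non-zero if any element was not
# processed (for example because the caller lacks FULL access to it).
set_element_acl() {
    aces=$1; shift
    out=$("$ACCUREV" eacl -n "$aces" -c "restrict access to sensitive sources" "$@" 2>&1) || true
    printf '%s\n' "$out"
    eacl_all_processed "$out"
}

# Stand-alone use: `sh lock_down.sh src/secret.c src/keys.h` denies everyone
# except the dev-leads group, which keeps FULL access (and can change the ACL).
if [ "$#" -gt 0 ]; then
    aces=$(build_ace_list all:deny dev-leads:full) || exit 1
    set_element_acl "$aces" "$@"
fi
```

Because the wrapper checks for "Processed:" lines rather than just the exit status, a partial failure (some elements processed, others reporting "Full Access Denied") still returns non-zero, which is the case the note above warns about.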

See Also

add, lsacl, setacl

Element-Level Security (EACLs) in the AccuRev Admin Guide.