setacl

set or remove an access control list entry

Usage

accurev setacl { depot <depot-name> | stream <stream-name> }
	{ anyuser | authuser | <user-name> | <group-name> }
	{ none | all | clear } [ inherit | noinherit ]
accurev setacl [ depot <depot-name> | stream <stream-name> ] clearall

Description

The setacl command changes the access control list (ACL) for a depot or stream. (For controlling ACLs on individual elements, see the eacl command.) For this command, “stream” includes dynamic streams, workspace streams, and snapshots. This command either creates an ACL entry (also called a permission), or deletes one or more ACL entries.

Each permission controls the rights of one or more users to access the data within the specified depot or stream. Permissions on a depot can be inherited by all of its streams; permissions on a stream can be inherited by lower-level streams.

By default, AccuRev is wide open: all users can access all depots and all streams within the depots.

ACL Permissions and Time Considerations

ACL permissions apply to a stream regardless of any basis time on the stream. Similarly, ACL permissions can be placed on a snapshot, even though such permissions are necessarily created after the snapshot is created.

Commands that Check Permissions

The following commands check ACL entries on one or more workspaces/streams before proceeding. For instance, if a user does not have access to the gizmo stream, then the command accurev cat -v gizmo myfile.c causes a not-authorized error.

If a version is being accessed from stream A, and that version is cross-linked to stream B, AccuRev checks the ACL permissions on stream A only, not on stream B.

In the following, “stream” can be a workspace stream, dynamic stream, or snapshot.

  • anchor, defunct, files, pop, purge, stat, and update check the current workspace.
  • annotate, cat, and co check the stream of the version being accessed. co also checks the current workspace.
  • promote checks the stream to which the version(s) are being promoted.
  • incl -b and clear check both streams involved in the cross-link.
  • diff checks the streams of both versions being compared.
  • merge checks the workspaces/streams of both contributor versions, but not the closest common ancestor version.
  • rmws, rmstream, reactivate wspace, and reactivate stream check the stream being changed.
  • mkws, mkstream, and mksnap check the specified backing stream for the workspace/stream/snapshot being created.
  • chws and chstream check the stream being changed (and, if appropriate, its new backing stream).
  • show streams checks the depot.
  • hist -s checks the stream.

Setting ACL Permissions

setacl commands that create permissions all follow the same pattern:

  • Specify the data structure:

    • depot <depot-name> sets a permission that controls access to all the data within a particular depot. This includes the AccuWork issues, if any, stored in the depot.
    • stream <stream-name> sets a permission that controls access to all the data within a particular stream hierarchy in a particular depot. (There is no need to specify the depot, because stream names are unique throughout the repository — i.e. across all depots.) A permission on either kind of data structure can be inheritable (see below). An inherited permission created at a given level can be overridden at a lower level.

  • Specify the user or set of users:

    • anyuser specifies all users who do not have a password.
    • authuser specifies all users who do have a password.
    • <user-name> specifies a particular AccuRev user.
    • <group-name> specifies all users in a particular AccuRev group.

  • Specify the access level to be granted:

    • all grants access to the data in the specified data structure to the specified users.
    • none prohibits access to the data in the specified data structure for the specified users.

    Section Commands that Check Permissions above details the meaning of “access”.

  • (optional) Specify a flag that specifies the inheritability of the permission:

    • Depot permission (default = inherit): noinherit specifies that the permission will apply only to the AccuWork issues in the depot. inherit specifies that the permission will also apply to all of the depot’s streams.
    • Stream permission (default = noinherit): noinherit specifies that the permission will apply only to the specified stream. inherit specifies that the permission will also apply to all streams below it.

Note: For a user with an AccuWork-only license, a depot-level determines whether that user can access the AccuWork issues in that depot. Such a user cannot access any of the depot’s version-controlled files, regardless of the stream-level permissions.

Conversion of Pre-Existing Permissions

Prior to AccuRev 4.5, permissions were not inheritable. When a pre-4.5 repository is upgraded to AccuRev 4.5 or later:

  • Each existing depot permission is assigned the inherit flag.
  • Each existing stream permission is assigned the noinherit flag.

Multiple and Conflicting Permissions

Any number of permissions can apply to the same depot or stream. For example, to grant three users access to stream kestrel_tst:

accurev setacl stream kestrel_tst tom all
accurev setacl stream kestrel_tst dick all
accurev setacl stream kestrel_tst harry all

Two or more permissions on a resource can apply to the same user, or to the same depot or stream. In such cases, an all permission overrides one or more none permissions. This makes it easy to implement “all but” access controls. For example, these permissions prevent everyone in the famgrp group — except for users justine and mary — from accessing stream spider_dvt:

accurev setacl stream spider_dvt famgrp none
accurev setacl stream spider_dvt justine all
accurev setacl stream spider_dvt mary all

An explicit permission on a lower-level stream overrides an inherited permission.

Removing ACLs

To delete an individual permission, use the clear keyword:

accurev setacl stream spider_dvt mary clear

To delete all the permissions for a particular depot or stream, use the clearall keyword:

accurev setacl stream spider_dvt clearall

To delete all the permissions for the entire repository, use the clearall keyword without specifying a depot or stream (use with caution!):

accurev setacl clearall

Examples

Grant access to depot gizmo only to users who have passwords: 

> accurev setacl depot gizmo anyuser none
> accurev setacl depot gizmo authuser all

Grant access to stream talon_tst only to user andy:

> accurev setacl stream talon_tst anyuser none
> accurev setacl stream talon_tst authuser none
> accurev setacl stream talon_tst andy all

Grant access to the entire stream hierarchy below gizmo_mnt to user mary:

> accurev setacl stream gizmo_mnt mary all inherit

Remove all ACL permissions on stream talon_tst:

> accurev setacl stream talon_tst clearall

See Also

chpasswd , eacl, lsacl, mkuser