accurev eacl [-fx] [-R] [-s <stream>] [-n <prin>:<priv> | -i <prin>:<priv>
| -r <prin>:<priv> | -a <prin>:<priv>] [-c <comment>] [-p <depot-name>]
{ <element-list> | -l <list-file> | -e <eid> }

The eacl command enables you to configure security settings on individual elements. (For setting security on streams and depots, see the setacl and lsacl commands.) This gives you the ability to:
• Allow or deny access to all versions of an element, no matter what stream they are in, for a specified user or group. A user that is denied access to an element cannot see or view it.

You do this by setting and modifying Access Control Lists (ACLs) and Access Control Entries (ACEs). An ACL is a list of security protections that applies to an element. An ACE is an entry in an ACL that defines a principal and a privilege.

• Full - the ability to see and view the element and to modify its ACL.
• Allow - the ability to see and view the element, but not modify its ACL.
• Readonly - prevents the user from modifying the element or its ACL during add, keep, move, defunct, and revert commands.
• Deny - the inability to see and view the element or modify its ACL.

An ACL contains zero or more ACEs. An element can have only one ACL assigned to it at any point in time. You specify whether to set, add, or remove an ACE (principal and privilege) to an element, and AccuRev takes care of the ACLs automatically. Note that ACLs cannot be created or modified without an element.

• The -r option will fail if no matching ACE is found.
• The -R option must be used with either -n, -a or -r (or with no other option, to display the EACLs down the hierarchy). When used with no option, -R will not display EACLs for elements to which the user is denied access.
• You can specify only one element with the -R option.
• The -c option can be used to specify a comment for the transaction.
• The -i option takes only one ACE; you cannot specify individual elements (using -l, -e, or ., for example).
• Use the hist command to display the history of ACL changes on an element.
• You can specify multiple ACEs by separating each <prin>:<priv> pair with a comma. For example: all:allow,user1:deny.
• Only one ACE per principal is allowed on an ACL, so any previous ACE for that principal will be overwritten.
• To add an element to the depot and instantly make it inaccessible to other users, while assigning FULL access to the user adding the element, use the add -d command. You can then set the EACLs appropriately for elements added in this way.
• If a user is denied access to an element that is part of a change package, they can still promote that change package even though they cannot see the versions that they are denied.

Note: For the examples below to work, you must either have FULL rights (not just ALLOW) to the elements, or be an AccuRev EACL superuser. See the “AccuRev Security Overview” chapter of the AccuRev Administrator’s Guide for more details.

To display all the elements that have the privilege for the principal specified in the ACE, in XML formatted output:

Note: If you attempt to set or change an element ACL and do not have the appropriate (“FULL”) permission to do so, you will get the error “Full Access Denied: <element_name>”. When attempting to set a “DENY” access on an element, do not misinterpret this message as a confirmation that the “DENY” access has been set. A successful operation returns the message “Processed: <element_name>”.

Element-based security in the AccuRev Administrator’s Guide.
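
Two of the rules above are easy to get wrong from a script: only one ACE per principal survives, and “Full Access Denied” means the change was not applied. The shell functions below are an added example, not part of the AccuRev documentation; the function names, the case-insensitive matching of privilege names, and the assumption that each status message appears on its own output line are not taken from this page.

```shell
#!/bin/sh
# Added example: checks to run before and after "accurev eacl".
# Assumptions: privilege names match case-insensitively; eacl prints one
# status message per line, worded as quoted in the note on this page.

# validate_aces "<prin>:<priv>[,<prin>:<priv>...]"
# Succeeds only if every pair is well formed, the privilege is one of the
# four listed on this page, and no principal appears twice.
validate_aces() (
    set -f                      # keep principals such as "*" from globbing
    IFS=,
    seen=,
    rc=0
    for ace in $1; do
        case $ace in
            ?*:?*) ;;
            *) echo "malformed ACE: '$ace'" >&2; rc=1; continue ;;
        esac
        prin=${ace%:*}
        priv=$(printf '%s' "${ace##*:}" | tr 'A-Z' 'a-z')
        case $priv in
            full|allow|readonly|deny) ;;
            *) echo "unknown privilege in: $ace" >&2; rc=1 ;;
        esac
        case $seen in
            *",$prin,"*)
                echo "duplicate principal, earlier ACE would be overwritten: $prin" >&2
                rc=1 ;;
        esac
        seen="$seen$prin,"
    done
    exit $rc
)

# check_eacl_output: reads eacl output on stdin. Succeeds only if at least
# one element reported "Processed:" and none reported "Full Access Denied:".
check_eacl_output() {
    out=$(cat)
    denied=$(printf '%s\n' "$out" | grep -c 'Full Access Denied: ') || true
    ok=$(printf '%s\n' "$out" | grep -c 'Processed: ') || true
    # Surface the elements whose ACL was NOT changed.
    printf '%s\n' "$out" | grep 'Full Access Denied: ' >&2 || true
    [ "$denied" -eq 0 ] && [ "$ok" -gt 0 ]
}

# Usage (constructed principal names and path):
#   validate_aces "all:allow,user1:deny" &&
#   accurev eacl -a "all:allow,user1:deny" ./src/secret.c 2>&1 | check_eacl_output
```

Treat a non-zero status from check_eacl_output as “the requested ACL change is not in place”, and confirm the result with the hist command on the element.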
AccuRev, Inc. | Phone: 781-861-8700 | Fax: 781-861-8704 | support@accurev.com