2. AccuRev® Command-Line Reference : eacl

eacl
configure element access control list security
Usage
accurev eacl [-fx] [-R] [-s <stream>] [-n <prin>:<priv> | -i <prin>:<priv>
| -r <prin>:<priv> | -a <prin>:<priv>] [-c <comment>] [-p <depot-name>]
{ <element-list> | -l <list-file> | -e <eid> }
Description
The eacl command enables you to configure security settings on individual elements. (For setting security on streams and depots, see the setacl and lsacl commands.) This gives you the ability to:
You do this by setting and modifying Access Control Lists (ACLs) and Access Control Entries (ACEs). An ACL is a list of security protections that applies to an element. An ACE is an entry in an ACL that defines a principal and a privilege.
A principal can be:
A privilege can be:
Full - the ability to see and view the element and to modify its ACL.
Allow - the ability to see and view the element, but not modify its ACL.
Readonly - prevents the user from modifying the element when using add, keep, move, defunct, and revert commands, and from modifying the element's ACL.
Deny - the inability to see and view the element or modify its ACL.
An ACL contains zero or more ACEs. An element can have only one ACL assigned to it at any point in time. You specify whether to set, add, or remove an ACE (principal and privilege) to an element, and AccuRev takes care of the ACLs automatically. Note that ACLs cannot be created or modified without an element.
Options
-a
Add an ACE to the specified element.
-c
Comment for the transaction.
-e
Specify an element id.
-fx
XML formatted output.
-i
Displays all the elements that have the privilege for the principal specified in the ACE.
-l
Specify a file with a list of element paths.
-n
Set a new ACL on the specified element(s).
-p
Specify a depot if not in a workspace; used with -e.
-r
Remove an ACE from the specified element.
-R
Recurse down the element(s) hierarchy.
-s
Specify a stream for path name lookup when not in a workspace.
-y
Force an ACL change (even if it would remove full access for the user).
<prin>
principal(s) — either all, <user>, or <group>
<priv>
privilege — either allow, deny, full, or readonly
Notes:
The -r option will fail if no matching ACE is found.
The -R option must be used with either -n, -a or -r (or with no other option, to display the EACLs down the hierarchy). When used with no option, -R will not display EACLs for elements to which the user is denied access.
The -c option can be used to specify a comment for the transaction.
The -p option requires the -e option.
The -s option is required when you are not in a workspace and specifying element paths.
The -i option takes only one ACE; you cannot specify individual elements (using -l, -e, or ., for example).
Use the hist command to display the history of ACL changes on an element.
Use ‘-e all’ with ‘-p <depot-name>’ to change ACLs on all elements in the depot.
You can specify multiple ACEs by separating each <prin>:<priv> pair with a comma. For example: all:allow,user1:deny.
Specifying -n overwrites any existing ACL. If you wish to modify ACL, use -a or -r.
User cannot remove full access for the current user unless the -y option is specified.
Examples
Note: For the examples below to work, you must either have FULL rights (not just ALLOW) to the elements, or be an Accurev EACL superuser. See the “AccuRev Security Overview” chapter of the AccuRev Administrator’s Guide for more details.
To display the ACL for the specified element(s):
eacl { <element-list> | -l <list-file> | -e <eid> }
To set an ACL on the specified element(s):
eacl -n <prin>:<priv> { <element-list> | -l <list-file> | -e <eid> }
To add an ACE to the specified element(s):
eacl -a <prin>:<priv> { <element-list> | -l <list-file> | -e <eid> }
To remove an ACE from the specified element(s):
eacl -r <prin>:<priv> { <element-list> | -l <list-file> | -e <eid> }
To set an ACL on the specified directory and all its children:
eacl -R -n <prin>:<priv> { <dir-list> | -l <dir-list-file> | -e <dir-eid> }
To display all the elements that have the privilege for the principal specified in the ACE, in XML formatted output:
eacl -i <prin>:<priv> -fx
Note: If you attempt to set or change an element ACL and do not have the appropriate (“FULL”) permission to do so, you will get the error “Full Access Denied: <element_name>”. When attempting to set a “DENY” access on an element, do not misinterpret this message as a confirmation that the “DENY” access has been set. A successful operation returns the message “Processed: <element_name>”.
See Also
add, lsacl, setacl
Element-based security in the AccuRev Administrator’s Guide.

Micro Focus