Permissions

This training page describes adding, setting, and listing permissions in the IPLM CLI, and how permission specifications are constructed.

Permissions overview

Permissions are applied to a Library, IP, and IP Line to grant a set of users/groups various levels of access to those design objects. The 'admin' user, or any user in the admin group, has read/write/owner permission on all objects in the database. The view (v) permission level allows users to list IP Lines but not load their releases (IPVs) into workspaces. The read (r) permission level allows users to list the object and load it into a workspace. Write (w) permissions allow users to modify the object and/or create new versions of the object. Owner (o) permissions allow users to modify the permissions on an object.

Exactly what each permission level allows varies somewhat between object types; the full details are covered in Permissions Management.

View permissions are only supported on IP Lines, because for IPs and Libraries the functionality is the same as read permissions. Setting view permissions on IPs or Libraries is interpreted as setting read permissions.

View permissions and Read permissions are mutually exclusive, which means, for example, setting view permission on a line for a particular user or group will clear any read permissions set on the line for that user or group.

Permission specifications are formatted in the following way: [<type>]:[<user_or_group_name>]:[<perm>]

Where:

  • <type> is either:
    • u for a user
    • g for a group
  • <user_or_group_name> is the name of an existing user or group
  • <perm> is any combination of:
    • r for read permission OR v for view permission. Read and View permissions cannot be applied to the same object.
    • w for write permission
    • o for owner permission

Examples:

Command                     Permission
pi perm set u:bob:rwo       Give user 'bob' read, write and owner permission
pi perm add g:yosemite:r    Give group 'yosemite' read permissions on the object
pi perm list u:bob:         Show all the permissions that user 'bob' has across all the objects in the database

The 'pi perm add' command differs from 'pi perm set' in that 'pi perm set' removes any permissions not included in its permission specification for that user/group on that object: after a set, no other permissions for that user/group remain on the object. With 'pi perm add', any other permission levels already set for the user/group on the object remain as they were before the command was run.

Adding permissions

To add permissions to an object, the user must either be an admin user (or be in the admin group) or already have owner permission on the object. Use the following command to add permissions to an object:

> pi perm add <permission> <identifier>

Libraries are specified as <library_name>. (the trailing period is required).

IPs are specified as <library_name>.<ip_name>, and Lines are specified as <library_name>.<ip_name>@.<line_name>

pi perm add Command
> pi perm add u:user1:rw tutorial.digital_top

The example above gives read and write permission on an IP (tutorial.digital_top) to a user (user1).

The next example shows how to give owner permission to a group (dig_grp) on an IP (tutorial.digital_top):

Giving Owner Permission to a Group on an IP
> pi perm add g:dig_grp:o tutorial.digital_top

Deleting a permission

The command to delete a permission is the same as the command to add it, with the del keyword in place of add:

> pi perm del <permission> <identifier>

Below is an example of removing the same permissions we gave earlier:

pi perm del Command
> pi perm del u:user1:rw tutorial.digital_top
> pi perm del g:dig_grp:o tutorial.digital_top

List permissions

To see all the permissions applied to design objects, use:

> pi perm list

The examples below show the permissions on the library, followed by the permissions on the IP:

pi perm list Command
> pi perm list tutorial.
┌───────────────┬──────────┬──────────┬──────────┬──────────┐
│               │ OWNER    │ WRITE    │ READ     │ VIEW     │
╞═══════════════╪══════════╪══════════╪══════════╪══════════╡
│ tutorial.     │ u:mdxtut │ u:mdxtut │ u:mdxtut │          │
└───────────────┴──────────┴──────────┴──────────┴──────────┘

> pi perm list tutorial.digital_top
┌──────────────────────────┬──────────┬──────────┬──────────┬──────────┐
│                          │ OWNER    │ WRITE    │ READ     │ VIEW     │
╞══════════════════════════╪══════════╪══════════╪══════════╪══════════╡
│ tutorial.digital_top     │ u:mdxtut │ u:mdxtut │ u:mdxtut │          │
└──────────────────────────┴──────────┴──────────┴──────────┴──────────┘

Set permission

Setting a permission overwrites the existing permissions for that individual user or group. Use the following command for this:

> pi perm set <permission> <identifier>

pi perm set Command
> pi perm list tutorial.digital_top

┌──────────────────────────┬──────────┬──────────┬──────────┬──────────┐
│                          │ OWNER    │ WRITE    │ READ     │ VIEW     │
╞══════════════════════════╪══════════╪══════════╪══════════╪══════════╡
│ tutorial.digital_top     │ u:mdxtut │ u:mdxtut │ u:mdxtut │          │
└──────────────────────────┴──────────┴──────────┴──────────┴──────────┘

> pi perm set u:mdxtut:rw tutorial.digital_top
> pi perm list tutorial.digital_top
┌──────────────────────────┬──────────┬──────────┬──────────┬──────────┐
│                          │ OWNER    │ WRITE    │ READ     │ VIEW     │
╞══════════════════════════╪══════════╪══════════╪══════════╪══════════╡
│ tutorial.digital_top     │          │ u:mdxtut │ u:mdxtut │          │
└──────────────────────────┴──────────┴──────────┴──────────┴──────────┘
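
The set example above leaves the OWNER column empty, so only admin users can change the permissions on that IP afterwards. The Python sketch below is an added example, not IPLM code: it models the permission specification format and the add/set/del rules exactly as this page describes them, so a planned change can be checked for a lost owner before it is run. The function names, the in-memory acl dictionary and the line name TRUNK are assumptions made for illustration.

```python
import re

# <type>:<user_or_group_name>:<perm>, as used with pi perm add/set/del
SPEC_RE = re.compile(r"^([ug]):([^:\s]+):([rvwo]+)$")

def parse_spec(spec):
    """Return (principal, perms), e.g. 'u:bob:rwo' -> ('u:bob', {'r','w','o'})."""
    m = SPEC_RE.match(spec)
    if not m:
        raise ValueError(f"malformed permission spec: {spec!r}")
    perms = set(m.group(3))
    if {"r", "v"} <= perms:
        raise ValueError("read and view cannot be applied together")
    return f"{m.group(1)}:{m.group(2)}", perms

def apply_perm(acl, action, spec, identifier):
    """Model add/set/del on acl, a dict {(identifier, principal): set of perms}."""
    who, perms = parse_spec(spec)
    if "v" in perms and "@." not in identifier:
        # Not an IP Line: view is interpreted as read on Libraries and IPs.
        perms = (perms - {"v"}) | {"r"}
    current = set(acl.get((identifier, who), ()))
    if action == "set":        # replaces everything the principal had
        current = perms
    elif action == "add":      # keeps other levels; r and v displace each other
        for new, old in (("v", "r"), ("r", "v")):
            if new in perms:
                current.discard(old)
        current |= perms
    elif action == "del":
        current -= perms
    else:
        raise ValueError(f"unknown action: {action!r}")
    acl[(identifier, who)] = current
    return current

def owners(acl, identifier):
    """Principals holding 'o' on identifier; empty means only admins can edit it."""
    return sorted(w for (obj, w), p in acl.items() if obj == identifier and "o" in p)

if __name__ == "__main__":
    acl = {}
    ip = "tutorial.digital_top"
    apply_perm(acl, "add", "u:mdxtut:rwo", ip)
    apply_perm(acl, "set", "u:mdxtut:rw", ip)   # the page's set example
    print(owners(acl, ip))                      # no explicit owner remains
    line = ip + "@.TRUNK"                       # TRUNK: constructed line name
    apply_perm(acl, "add", "u:user1:r", line)
    print(apply_perm(acl, "add", "u:user1:v", line))
```

An empty result from owners() after a modelled set is the signal to use add instead, or to include o in the specification.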