Permissions management

This section describes Perforce IPLM permissions and how to configure them. Permissions can be assigned on a user or group basis, and can be applied to the Library, IP, and Line objects. Permissions can be set using IPLM Web, IPLM CLI, or the Perforce IPLM API, and can be set per object or by IP Hierarchy.

Permissions overview

Perforce IPLM implements permissions at three object levels: the Library, the IP, and the IP Line.

Permissions are administered using named users and groups.

Named users and groups can be created in Perforce IPLM (internal users and groups) or imported into Perforce IPLM from external sources such as LDAP or Active Directory (external users and groups). Refer to External User Synchronization and Authorization for more information on importing users and groups from external sources.

Perforce IPLM users and groups

Perforce IPLM supports both internal and external users and groups simultaneously. Customers can define users and groups that are defined in Perforce IPLM only, and import additional users and groups using a synchronization script.

  • Local groups can have local or external users as members.

  • External groups can only have external users as members.

  • A user can belong to any number of groups.

  • Authentication: External users are only authenticated using the external authentication mechanism. Local users are only authenticated using the built-in authentication mechanism (username + password).

Administrative users and the 'admin' group

A special 'admin' user is created during the installation of Perforce IPLM. This 'admin' user bypasses permission checks on all objects in the Perforce IPLM database. In addition, this user has access to certain admin-only CLI commands, which can be used to configure Perforce IPLM behavior for all users.

Perforce IPLM also creates a special 'admin' group. All users added to the 'admin' group have the same capabilities as the 'admin' user. Any user can be added to or removed from the 'admin' group by any other member of the 'admin' group. The 'admin' user is always a member of the 'admin' group. The 'admin' user and the 'admin' group cannot be deleted, and neither can be imported from, or changed by synchronization with, an external source.

Object permissions

Perforce IPLM has four permissions: view, read, write and owner (abbreviated as 'v', 'r', 'w' and 'o'). The tables below describe each of these permissions. Permissions are independent of each other (except view and read), but in some cases setting one permission implies that a second permission is also applied. The implied permissions are listed in the 'Implied permissions' entry of each table. For example, giving 'w' permission to a user on an IP automatically implies that the user also has 'r' permission on that IP (there is no way to write to an IP without also reading it). In addition, the user is granted read permission on the containing Library as well, since the IP cannot be read without read permission on the Library.

In general, view (v) permissions allow users to list an object but not load it into a workspace or use it as a resource in releases, and read (r) permissions allow users to list the object, load it into a workspace, and use it as a resource in releases. Write (w) permissions allow users to modify the object and/or create new versions of the object. Owner (o) permissions allow users to modify the permissions on an object. 

You can grant users the ability to view libraries that they have write permissions to.

View permission details

View permissions are supported only on IP Lines. If a view permission is set in a Library or IP context, it is interpreted as 'read' permission on the Library or IP. If, for example, view permission is set on an IP, the IP itself receives 'read' permission; the 'view' permission, however, propagates to the default 'TRUNK' Line of the IP.

If a user who is also a member of one or more groups is assigned both 'read' and 'view' permission on a particular Line through their user and/or group memberships, then that user is considered by the system to have the higher 'read' permission on that Line. This allows, for example, granting 'view' permission on a particular Line to a large group and then giving smaller groups of users, or individual users, the higher-level 'read' permission.

On any given Line, 'view' permission is mutually exclusive with 'read' permission on that same Line. If a Line has existing 'read' permissions for a given user or group and 'view' permissions are set for that same user or group on the same Line, the existing 'read' permissions are removed. In the same way, if a Line has existing 'view' permissions for a given user or group and 'read' permissions are set for that same user or group on the same Line, the existing 'view' permissions are removed.

Tip: As described above, 'read' and 'view' permissions can be acquired by the same user on the same Line through a combination of the permissions set on their user and/or the permissions set on their various groups. In this case, the user is considered to have 'read' permission.

Refer to the table below for specifics.

Permissions during IP editing

During the pi ip edit command there are various blocks with settings that can be modified. These blocks are indicated by the "[ ]" syntax. The table below shows each of these blocks and the permissions that apply to them.

Block     Permissions
[IP]      IP permissions
[Hooks]   IP permissions
[Line]    IP Line permissions
[IPV]     IP Line permissions

Permission details for Libraries

Only members of the 'admin' group can add or delete Libraries.

Read (r)
  Allows:
    • List a Library (not its IP)
    • View its metadata, including permissions
  Implied permissions: none

Write (w)
  Allows:
    • Edit Library fields (excluding permissions)
    • Create new IP
    • Delete existing IP (also requires at least Read permission on the IP to be deleted)
  Implied permissions: Library Read (r)

Owner (o)
  Allows:
    • Edit Library permissions
    • Attach and detach Property Sets to and from a Library
  Implied permissions: Library Read (r)

Permission details for IPs

A user can have IP r/w/o permissions independent of whether the containing Library has the same permissions.

Read (r)
  Allows:
    • List the IP (not its Lines)
    • View the IP's metadata, including permissions
  Implied permissions: Library Read (r)

Write (w)
  Allows:
    • Edit an IP's fields (the [IP] and [Hooks] blocks), excluding permissions
    • Create new Lines of the IP
    • Delete existing Lines of the IP (also requires at least Read permission on the Line to be deleted)
  Note: Applying Write (w) permission to an IP also propagates Write (w) permission to the TRUNK Line of that IP. The permission auto-applied to the TRUNK Line can subsequently be independently removed. Deleting a permission from the IP also propagates, deleting the same permission from IP@.TRUNK.
  Implied permissions: Library Read (r), IP Read (r)

Owner (o)
  Allows:
    • Edit IP permissions
    • Attach and detach Property Sets to and from an IP
    • Configure the allowed and restricted geos of the IP
    • Delete existing latest release IPVs on the Line (IPV delete capability with owner permission is reserved for admin users by default, and it is a feature that can be enabled; see pi-admin global configuration for more details)
  Note: Applying Owner (o) permission to an IP also propagates Owner (o) permission to the TRUNK Line of that IP. The permission auto-applied to the TRUNK Line can subsequently be independently removed. Deleting a permission from the IP also propagates, deleting the same permission from IP@.TRUNK.
  Implied permissions: Library Read (r), IP Read (r)

Permission details for IP Lines

Permission granularity is at the Line level. All IPVs on a Line get the same permissions.

View (v)
  Allows:
    • List the Line and all the IPVs on the Line and their contents
    • View Line permissions
  Implied permissions: Library Read (r), IP Read (r)

Read (r)
  Allows:
    • List the Line and all the IPVs on the Line and their contents
    • View Line permissions
    • Load a release of the IP (an IPV) into a workspace (either standalone or as part of another IP's hierarchy)
    • Use a release of the IP (an IPV) as a resource in another IP
    • Perform an IP copy with one of the IPVs on the Line as the source
    • Perform an IP merge with one of the IPVs on the Line as a source
  Implied permissions: Library Read (r), IP Read (r)

Write (w)
  Allows:
    • Create new releases (IPVs) on the Line
    • Delete existing latest release IPVs on the Line (IPV delete capability with write permission is reserved for admin users by default, and it is a feature that can be enabled; see pi-admin global configuration for more details)
  Implied permissions: Library Read (r), IP Read (r), Line Read (r)

Owner (o)
  Allows:
    • Edit Line permissions
    • Delete existing latest release IPVs on the Line (IPV delete capability with owner permission is reserved for admin users by default, and it is a feature that can be enabled; see pi-admin global configuration for more details)
  Implied permissions: Library Read (r), IP Read (r), Line Read (r)

Specifying permissions

Permission specifications are formatted in the following way: [<type>]:[<user_or_group_name>]:[<perm>]

Where:

  • <type> is either:
    • u for a user
    • g for a group
  • <user_or_group_name> is the name of an existing user or group
  • <perm> is any combination of:
    • r for read permission OR v for view permission – Only one can be specified in each permission specification.
    • w for write permission
    • o for owner permission

Examples:

Command                    Permission
pi perm set u:bob:rwo      Give user 'bob' read, write and owner permission
pi perm add g:yosemite:r   Give group 'yosemite' read permission on the object (see note 1)
pi perm list u:bob:        Show all the permissions that user 'bob' has across all the objects in the database (see note 2)

Notes:

  1. Adding permissions extends the existing permissions on the object. Setting permissions replaces the existing permissions on the object.
  2. When listing permissions, any missing portion of the specification implies all. For example, 'u::' means all users, ':bob:' means users or groups named bob, '::r' means all read permissions and '::' means all permissions.
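As an added example (not code from the Perforce IPLM product or its documentation), the Python below models the rules described on this page: the `<type>:<name>:<perm>` specification format and its r/v exclusivity from this section, the implied permissions and IP-to-TRUNK propagation from the object tables, and the rule that 'read' outranks 'view' when both reach a user through user and group entries. Object keys such as "lib/ip@TRUNK", the group map and the principal names are constructed assumptions; listing wildcards like 'u::' are not modelled.

```python
import re

# Constructed model of the rules on this page: implied permissions, w/o
# propagation from an IP to its TRUNK Line, view/read exclusivity on a Line,
# and read outranking view across a user's own and group entries. Not
# Perforce's code or API; object keys such as "lib/ip@TRUNK" are assumptions.
SPEC_RE = re.compile(r"^(u|g):([^:]+):([rvwo]+)$")

def parse_spec(spec):
    """Parse 'u:bob:rwo' into ('u', 'bob', {'r','w','o'}); r and v cannot be mixed."""
    m = SPEC_RE.match(spec)
    if not m:
        raise ValueError(f"bad permission spec: {spec!r}")
    kind, name, perms = m.group(1), m.group(2), set(m.group(3))
    if {"r", "v"} <= perms:
        raise ValueError("r and v are mutually exclusive in one spec")
    return kind, name, perms

class PermStore:
    def __init__(self, groups):
        self.groups = groups   # group name -> set of member user names
        self.acl = {}          # object -> {(kind, name): set of perms}

    def _grant(self, obj, key, perms):
        is_line, is_ip = "@" in obj, "@" not in obj and "/" in obj
        if is_ip and "v" in perms:           # view on an IP means read on the IP,
            perms = (perms - {"v"}) | {"r"}  # with view passed on to its TRUNK Line
            self._grant(obj + "@TRUNK", key, {"v"})
        if perms & {"w", "o"}:               # w/o imply read on the same object
            perms = (perms | {"r"}) - {"v"}
        entry = self.acl.setdefault(obj, {}).setdefault(key, set())
        if is_line and perms & {"r", "v"}:   # on a Line, view and read replace each other
            entry -= {"r", "v"}
        entry |= perms
        if is_ip and perms & {"w", "o"}:     # w/o on an IP propagate to IP@.TRUNK
            self._grant(obj + "@TRUNK", key, perms & {"w", "o"})
        parent = obj.split("@")[0] if is_line else obj.split("/")[0] if is_ip else None
        if parent:                           # Line/IP permissions imply read on the parent
            self._grant(parent, key, {"r"})

    def add_perm(self, obj, spec):           # like 'pi perm add': extends the entry
        kind, name, perms = parse_spec(spec)
        self._grant(obj, (kind, name), perms)

    def effective(self, user, obj):
        """Union of the user's own and group entries on obj; read outranks view."""
        keys = [("u", user)] + [("g", g) for g, m in self.groups.items() if user in m]
        perms = set().union(*(self.acl.get(obj, {}).get(k, set()) for k in keys))
        return perms - {"v"} if "r" in perms else perms
```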