6.2.4.1 chacl
Change an access control list (ACL).
Purpose
The chacl command allows you to change the ACL for an Exascale vault or file.
Syntax
chacl { file-name | vault-name } acl-string
Command Options
The options for the chacl command are:
- { file-name | vault-name }: Specifies the name of the file or vault that is the subject of the operation. Only one file or vault name is permitted (no wildcards).
- acl-string: Specifies an ACL string having the following format:

  [+]user-ID1:acl-permission[+][;user-ID2:acl-permission[+]]...

  In the ACL string:
  - An optional plus (+) operator at the beginning of the ACL string indicates that the specified ACL string merges into the existing ACL. In this case, the changes only affect the users in the specified ACL string, and all other users in the existing ACL retain their permissions. Without this optional plus (+) operator, the ACL is completely overwritten by the specified ACL string, enabling permissions only for the users in the specified ACL string.
  - user-IDn: Specifies an Exascale user ID. Depending on the user creation method, the user ID may be a system-generated value (for example, 96a68014-5762-4579-86ee-29eb743decbd) or a user-specified value (for example, scott).
  - acl-permission: Specifies an ACL permission setting, which can be one of the following:
    - I | inspect: Specifies that the user can view attributes of the file or vault, but not its contents.
    - R | read: Specifies that the user can read contents of the file, or list files in the vault. Also confers the inspect permission.
    - U | use: Specifies that the user can write to the file, or use the vault. Also confers all preceding permissions.
    - M | manage: Specifies that the user can manage the file or vault. Also confers all preceding permissions.
    - 0 | none: Specifies that the user is removed from the ACL and loses all permissions. This setting can be used only in conjunction with the initial plus (+) operator to remove a user from an existing ACL.
  - Starting with Oracle Exadata System Software release 26.1.0, an optional plus (+) operator following an acl-permission value guarantees that the user has at least that privilege level. For example, R+ ensures the user has at least the R (read) privilege. If the user already has a higher privilege, such as M (manage), their privileges remain unchanged. You can only use this option when updating an ACL, and you cannot use this option with the 0 (none) privilege.
Examples
Example 6-28 Replace a File ACL
In this example, the ACL string for the file @my-vault/my-file is replaced with the new ACL string. Under the new ACL, scott is permitted to read and inspect the file. Any other users included in the previous ACL effectively lose all previously held permissions.
@> chacl @my-vault/my-file scott:R
Example 6-29 Change a File ACL
In this example, the plus sign (+) at the beginning of the ACL string indicates that the specified ACL string is merged into the existing file ACL. In this case, any pre-existing permissions for jason are overwritten, and jason is now permitted to inspect, read, write, and manage the file. Also, scott is removed from the ACL and loses all previously held permissions. No other ACL permissions are changed.
@> chacl @my-vault/my-file +jason:manage;scott:none
Example 6-30 Replace a File ACL using an ACL String that Specifies Multiple Users
In this example, the ACL string for the file is replaced with a new ACL string that specifies permissions for multiple users. Under the new ACL, scott can inspect the file, and jason can read and inspect the file. Any other users included in the previous ACL effectively lose all previously held permissions.
@> chacl @my-vault/my-file scott:inspect;jason:read