7.2.2 chacl

Modify the access control list (ACL) for a file.

Syntax

chacl [{ -w | --wallet } wallet-location ] [{ -T | --trace } trace-level ]
        file-name acl-string

Command Options

The options for the chacl command are:

• file-name: Specifies the name of the file that is the subject of the operation.

• acl-string: Specifies an ACL string having the following format.

  [+]userID1:acl-permission[;userID2:acl-permission] ...

  In the ACL string:

  • The optional plus (+) operator at the beginning of the ACL string indicates that the specified ACL string merges into the existing ACL. In this case, the changes only impact the users in the specified ACL string, and all other users in the existing ACL retain their permissions. Without the optional plus (+) operator, the ACL is completely overwritten by the specified ACL string.

  • userIDn: Specifies an Exascale user ID.

    Depending on the user creation method, the user ID may be a system-generated value (for example, 96a68014-5762-4579-86ee-29eb743decbd) or a user-specified value (for example, scott).

  • acl-permission: Specifies an ACL permission setting, which can be one of the following:

    • I | inspect: Specifies that the user can view attributes of the file, but not its contents.
    • R | read: Specifies that the user can read contents of the file. Also confers the inspect permission.
    • U | use: Specifies that the user can write to the file. Also confers all preceding permissions.
    • M | manage: Specifies that the user can manage the file. Also confers all preceding permissions.
    • 0 | none: Specifies that the user is removed from the ACL and loses all permissions. This setting can be used only in conjunction with the plus (+) operator to remove a user from an existing ACL.

• -w, --wallet: Optionally specifies the path to the Exascale wallet directory.

• -T, --trace: Optionally enables tracing and sets the trace level to 1 (minimum tracing), 2 (medium tracing), or 3 (maximum tracing).

  The trace file is written to the first accessible location in the following list:

  1. If the $ADR_BASE environment variable is set:

     $ADR_BASE/diag/EXC/xsh_<username>/<hostname>/trace/xsh_<date>.trc

  2. /var/log/oracle/diag/EXC/xsh_<username>/<hostname>/trace/xsh_<date>.trc

  3. /tmp/diag/EXC/xsh_<username>/<hostname>/trace/xsh_<date>.trc

Examples

Example 7-2 Replace a File ACL

In this example, the ACL string for the file is replaced with the new ACL string. Under the new ACL, scott is permitted to read and inspect the file. No other user can access this file unless permitted by the vault ACL.

$ xsh chacl @VAULT/file scott:R

Example 7-3 Change a File ACL

In this example, the plus sign (+) at the beginning of the ACL string indicates that the specified ACL string is merged into the existing file ACL. In this case, any pre-existing permissions for jason are overwritten, and jason is permitted to inspect, read, write, and manage the file. No other user permissions are changed.

$ xsh chacl @VAULT/file +jason:M

Example 7-4 Remove User Privileges from a File ACL

In this example, the plus sign (+) at the beginning of the ACL string indicates that the specified ACL string is merged into the existing file ACL. However, in this case, any pre-existing permissions for scott are removed. No other user permissions are changed.

$ xsh chacl @VAULT/file +scott:none

Example 7-5 Replace a File ACL using an ACL String that Specifies Multiple Users

In this example, the ACL string for the file is replaced with the new ACL string that specifies permissions for multiple users. Under the new ACL, scott can inspect the file, and jason can read and inspect the file. No other user can access this file unless permitted by the vault ACL.

$ xsh chacl @VAULT/file scott:inspect;jason:read