3.5.2 Modify an ACL

To modify an access control list (ACL) for an Exascale vault or file, use the ESCLI chacl command and specify:

  1. The vault or file for which you are modifying the ACL.

  2. The ACL string, which defines the modification to the ACL.

    The ACL string has the following format:

    [+]user-ID1:acl-permission[+][;user-ID2:acl-permission[+]]...

    In the ACL string:

    • An optional plus (+) operator at the beginning of the ACL string indicates that the specified ACL string merges into the existing ACL. In this case, the changes only impact the users in the specified ACL string, and all other users in the existing ACL retain their permissions. Without this optional plus (+) operator, the ACL is completely overwritten by the specified ACL string, enabling permissions only for the users in the specified ACL string.

    • user-IDn: Specifies an Exascale user ID.

      Depending on the user creation method, the user ID may be a system-generated value (for example, 96a68014-5762-4579-86ee-29eb743decbd) or a user-specified value (for example, scott).

    • acl-permission: Specifies an ACL permission setting, which can be one of the following:

      • I | inspect: Specifies that the user can view attributes of the file or vault, but not its contents.
      • R | read: Specifies that the user can read contents of the file, or list files in the vault. Also confers the inspect permission.
      • U | use: Specifies that the user can write to the file, or use the vault. Also confers all preceding permissions.
      • M | manage: Specifies that the user can manage the file or vault. Also confers all preceding permissions.
      • 0 | none: Specifies that the user is removed from the ACL and loses all permissions. This setting can be used only in conjunction with the initial plus (+) operator to remove a user from an existing ACL.

      Starting with Oracle Exadata System Software release 26.1.0, an optional plus (+) operator following an acl-permission value guarantees that the user has at least that privilege level. For example, R+ ensures the user has at least the R (read) privilege. If the user already has a higher privilege, such as M (manage), their privileges remain unchanged. You can only use this option when updating an ACL and you cannot use this option with the 0 (none) privilege.

Following are various use cases for modifying an ACL, along with accompanying examples:

  • To set the ACL for a vault, use the chacl command and specify the vault and the new ACL string.

    For example, to make jenny the sole manager of @vault1, use:

    @> chacl @vault1 jenny:manage

  • To set the ACL for a file, use the chacl command and specify the file and the new ACL string.

    For example, to make jenny the manager and jill a reader of @vault1/file1, use:

    @> chacl @vault1/file1 jenny:manage;jill:read

  • To modify an existing ACL, use the chacl command, specify the vault or file name, and specify an ACL string beginning with a + operator.

    For example, the following command enables peter as a user of @vault1:

    @> chacl @vault1 +peter:use

    In this example, if peter is not listed in the existing ACL, an entry for peter is added to the ACL. Otherwise, if the existing ACL already includes an entry for peter, the existing entry is modified. In either case, all other users in the existing ACL retain their permissions.

  • To modify an existing ACL to ensure at least a specified privilege level, use the chacl command, specify the vault or file name, and specify an ACL string beginning with a + operator that also contains ACL privileges with trailing + operators.

    For example, the following command ensures that both peter and jason have at least the read privilege on @vault1:

    @> chacl @vault1 +peter:read+;jason:read+

    In this example, if jason previously had inspect privilege and peter had use privilege, the command would upgrade jason to read, while peter would retain the more powerful use privilege.

    If either peter or jason were not previously in the ACL, then they would be added with the read privilege. In any case, all other users in the existing ACL would retain their permissions.

    The option to specify a minimum privilege level using a trailing + operator is only available starting with Oracle Exadata System Software release 26.1.0.

  • To remove a user from an ACL, use the chacl command, specify the vault or file name, and specify an ACL string that begins with + and contains 0 or none as the ACL privilege.

    For example, to remove jill from the ACL for @vault1/file1, use:

    @> chacl @vault1/file1 +jill:none
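The ACL string grammar described at the top of this section (the leading + merge operator, the trailing + minimum-privilege operator, and the restriction that 0/none only works with a leading +) and the use cases listed above can be checked against a small model of the rules. The following Python is an added example written for this page; it is not part of ESCLI or Oracle Exadata System Software. It assumes only the documented grammar, represents an ACL as a dictionary from user ID to permission name, and treats "only when updating an ACL" as meaning that a trailing + requires the leading + merge operator (an assumption noted in the code). The function names parse_acl_string, apply_acl and validate_acl_string are the example's own.

```python
import re

# Privilege levels from weakest to strongest; each level confers all preceding ones.
LEVELS = ("inspect", "read", "use", "manage")

# Short and long spellings documented for acl-permission (matched case-insensitively).
PERMISSION_ALIASES = {
    "i": "inspect", "inspect": "inspect",
    "r": "read", "read": "read",
    "u": "use", "use": "use",
    "m": "manage", "manage": "manage",
    "0": "none", "none": "none",
}

# One entry: user-ID, colon, permission token, optional trailing '+'.
_ENTRY_RE = re.compile(r"^([^:;]+):([A-Za-z0-9]+)(\+?)$")


def parse_acl_string(acl_string):
    """Split an ACL string into (merge, entries).

    merge is True when the string starts with the '+' operator.
    entries is a list of (user_id, permission, at_least) tuples, where
    at_least is True when the permission carries a trailing '+'.
    Raises ValueError for malformed strings or documented rule violations.
    """
    s = acl_string.strip()
    merge = s.startswith("+")
    if merge:
        s = s[1:]
    if not s:
        raise ValueError("empty ACL string")
    entries = []
    for raw in s.split(";"):
        m = _ENTRY_RE.match(raw.strip())
        if not m:
            raise ValueError(f"malformed ACL entry: {raw!r}")
        user, perm_token, plus = m.groups()
        perm = PERMISSION_ALIASES.get(perm_token.lower())
        if perm is None:
            raise ValueError(f"unknown permission {perm_token!r} for user {user!r}")
        at_least = plus == "+"
        # Documented restrictions on 'none' and on the trailing '+'.
        if perm == "none" and not merge:
            raise ValueError("'none' may only be used with the leading '+' (merge) operator")
        if at_least and perm == "none":
            raise ValueError("a trailing '+' cannot be combined with the 'none' permission")
        if at_least and not merge:
            # Assumption of this model: "only when updating an ACL" means the
            # leading '+' merge operator must be present.
            raise ValueError("a trailing '+' is only valid when merging with a leading '+'")
        entries.append((user.strip(), perm, at_least))
    return merge, entries


def validate_acl_string(acl_string):
    """Return None if the ACL string is acceptable, else the error message."""
    try:
        parse_acl_string(acl_string)
    except ValueError as exc:
        return str(exc)
    return None


def apply_acl(existing, acl_string):
    """Return the ACL (dict user -> permission) after applying acl_string.

    `existing` is the current ACL and is left unmodified.
    """
    merge, entries = parse_acl_string(acl_string)
    # Without the leading '+', the ACL is overwritten: only listed users survive.
    result = dict(existing) if merge else {}
    for user, perm, at_least in entries:
        if perm == "none":
            result.pop(user, None)  # remove the user from the ACL entirely
        elif at_least and user in result and LEVELS.index(result[user]) >= LEVELS.index(perm):
            continue  # already at or above the floor: privileges unchanged
        else:
            result[user] = perm  # add a new entry or overwrite the existing one
    return result


if __name__ == "__main__":
    # Walk through the use cases above on a constructed ACL for @vault1.
    acl = apply_acl({}, "jenny:manage")
    acl = apply_acl(acl, "+peter:use")
    acl = apply_acl(acl, "+jason:inspect")
    acl = apply_acl(acl, "+peter:read+;jason:read+")
    print(acl)  # jason raised to read, peter keeps use, jenny untouched
    print(validate_acl_string("jill:none"))  # rejected: 'none' needs a leading '+'
```

The model makes the difference between the two forms visible: apply_acl({"jenny": "manage", "jill": "read"}, "jenny:manage") drops jill because no leading + was given, whereas the same call with "+jenny:manage" leaves jill's entry in place. Running a proposed ACL string through validate_acl_string before issuing chacl is a cheap way to catch an accidental overwrite of a vault's ACL.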