Table of Contents


cmacl - list and edit SnapshotCM Access Control Lists (ACLs)


cmacl [options] [-eaclPattern] [path ...]


cmacl lists and edits SnapshotCM access control lists (ACLs). Specify the type of ACL to display with one of the -A (server administration ACL), -C (account ACL), -P path ... (project or snapshot path), or -F path ... (file path) options.

Only one type of ACL can be operated upon at a time, though multiple snapshot or file ACLs can be displayed or edited with one command.

Use the -e aclPattern option to edit an ACL. Use the -r option with the -e option to set an ACL to an explicit value (rather than editing the previous value).


The aclPattern specification is as follows:

aclPattern = <acctEdit>[,<acctEdit>][,...]
acctEdit = ["+" | "-" | "="]<account>[<bitEdit>...]
account = u:<name> | g:<name> | <name>
bitEdit = +[<bits>] | -[<bits>] | =[<bits>]
bits = [vmpcdrwb]...
name = user or group account name (g: or u: forces type)

The account name can begin with a g: or u: to signify the type of account. If omitted, a user account will be looked for first. If no user account of that name exists, then a group account will be looked for. If no user or group account of that name exists, an error will be reported.

The account name can be preceded by a plus, minus, equals or nothing, all of which have different meaning. A plus says to add the account entry to the ACL if not present. If an entry for that account already exists in the ACL, the edit pattern is ignored and no action is taken.

A minus says to remove any entry for the specified account from the ACL.

An equals says to edit any existing entry for the specified account. If no entry for the specified account exists, the ACL is not modified.

If none of these symbols precedes the account name, then the account entry is added to the ACL if not present, and edited if already present.


The permission bits can be specified in lower or upper case and may be preceded by a plus, minus, or equals. A plus means to incrementally add the bits to the account entry, a minus means to incrementally remove the bits from the account entry, and an equals means to absolutely set the bits for the account as specified.

The bits have the following meanings:

View or traverse projects and snapshots; view accounts (Administration, Project/Snapshot, Account).

Modify project, snapshot or accounts (Administration, Project/Snapshot, Account).

Edit ACL permissions (All).

Create child projects/snapshots (Administration, Project/Snapshot).

Delete projects, snapshots or accounts (Administration, Project/Snapshot, Account).

Read files in snapshot. (Administration, Project/Snapshot, File).

Write, create, delete files in snapshot (Administration, Project/Snapshot, File).

Allow backup access (Administration ACL).


Operate on the Administration ACL.

Operate on the Account ACL.

Operate on the specified File ACLs. The snapshot through which to operate must be specified with the -Spath option.

Operate on the specified Project, Project Folder or Snapshot ACLs.

Specify how to edit the selected ACLs. If omitted, the selected ACLs will be printed in a format compatible with this option.

Specify the server to access. The server on the current system is the default if omitted.

Suppress normal output.

Reset the ACL. All elements will be removed from the target ACL before the aclEditPattern is applied. Has no effect if the -e option is omitted.

Operate recursively. Valid only with the -P option.

Specify with -F to indicate the snapshot in which the file paths are valid.

Print internal command version.

Return Value

Exit status is 0 if the operation succeeded, 1 if there was an error performing the operation, and 2 if there was a bad option or network error.


To list the Administration ACL on server blue, enter:

cmacl -A -h blue

To remove the everyone group from the /Project ACL, enter:

cmacl -P -h blue -e-everyone /Project

To grant joe delete permissions on objects where he already has explicit permissions, enter:

cmacl -P -h blue -e=joe+D /Project

To set the ACL so michelle has all access, and everyone else has only view and read access:

cmacl -P -h blue -r -e michelle=VMPCDRW,everyone=vr /Project

To grant nathan all access on /file.txt and deny all other access, enter:

cmacl -F -h blue -r -e nathan=PRW -S /proj/Current /file.txt

See Also

cmaccount(1) , cmadmin(1) , cmconfig(1)

Table of Contents