ACL (Access Control List)
Permissions for Integrity Lifecycle Manager Server ACL interaction.
Description
The ACL (Access Control List) permissions control user access to Integrity Lifecycle Manager Server functions (Configuration Management, Workflow and Documents) by associating development objects and operations with specific permissions. For example, whenever a user initiates an operation such as checking a file in or out, Integrity Lifecycle Manager checks the ACL permissions to determine whether the user is allowed to perform the operation. This reference page is provided as a guide to the ACL permissions.
By default, the following server level ACLs are included:
mks—This ACL controls root level access to Integrity Lifecycle Manager Server operations. This allows you to set administrative permissions for the Integrity Lifecycle Manager Server in one place. However, you can override these permissions separately for Workflow and Documents and for Configuration Management. For example, if the permission AdminServer is denied for a given Principal at ACL mks, it can still be granted to the same Principal at ACL mks:si. This means that the Principal can administer only Configuration Management.
mks:aa—This ACL controls the Login access to the AA application for managing the ACLs.
mks:aa:mks—This ACL controls Read and Update access to the ACLs.
mks:im—This ACL controls access to Workflow and Document operations.
mks:si—This ACL controls access to Configuration Management operations.
mks:patch—This ACL controls the Download permission required for service pack management.
mks:system:viewsets—This ACL controls access to publishing new ViewSets.
mks:system:mksdomain—This ACL controls access to administering the MKS domain.
In most cases, it is sufficient to manage permissions with Project level ACLs. Member level ACLs can also be created for finer control, but they add to the administrative tasks.
The ACL name itself follows a specific hierarchical format:
The Configuration Management root ACL is mks:si. All project and member ACLs will inherit permissions from this one.
Project-level ACL names include a specific prefix, taking the format mks:si:project:id:<project directory>. The project directory is relative to the root of the Integrity Lifecycle Manager Server.
For example, for a top level project called TopProject/project.pj, the respective ACL is mks:si:project:id:TopProject.
Subproject ACLs have the same format as projects, simply appending the subdirectories using colons (:) instead of slashes.
For example, for a subproject called TopProject/Sub1/project.pj, the respective ACL is mks:si:project:id:TopProject:Sub1.
Variant project ACLs have a slightly different prefix, taking the format mks:si:project:devpath:<devpathname>:id.
For example, a development path DP1 is created for /TopProject/project.pj. Then the respective ACLs are mks:si:project:devpath:DP1:id:TopProject and mks:si:project:devpath:DP1:id:TopProject:Sub1.
Member ACLs simply specify the file name in the ACL name, such as mks:si:project:id:<project directory>:<member file name>.
For example, if a subproject Sub1 has member called m1.txt, the corresponding member permission is mks:si:project:id:TopProject:Sub1:m1.txt.
An ACL can also be specified for a given archive. Such archive ACLs take the format mks:si:archive:<archive path>.
For example, an ACL for an archive representing m1.txt in the above example is mks:si:archive:TopProject:Sub1:m1.txt.
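The naming rules above and the mks / mks:si override described earlier, worked through as an added example (this is not PTC code and does not call the product). The function names, the principal alice and SAMPLE_ACLS are constructed for illustration. The resolution model, in which the nearest colon-prefix ACL with an explicit entry decides, is a simplifying assumption; the server's own evaluation rules are in the online help.

```python
from typing import Dict, List, Optional

SI_ROOT = "mks:si"  # Configuration Management root ACL

def _segments(path: str, drop_pj: bool = True) -> List[str]:
    """Split a server-relative path on '/', optionally dropping project.pj."""
    parts = [p for p in path.split("/") if p]
    if drop_pj and parts and parts[-1] == "project.pj":
        parts.pop()
    if not parts or any(":" in p for p in parts):
        # Added safeguard: ':' is the ACL separator, so such a name is ambiguous.
        raise ValueError(f"cannot map {path!r} to an ACL name")
    return parts

def project_acl(project: str, devpath: Optional[str] = None,
                member: Optional[str] = None) -> str:
    """ACL name for a project, subproject, variant project or member."""
    prefix = (f"{SI_ROOT}:project:devpath:{devpath}:id" if devpath
              else f"{SI_ROOT}:project:id")
    return ":".join([prefix] + _segments(project) + ([member] if member else []))

def archive_acl(archive_path: str) -> str:
    """ACL name for an archive: mks:si:archive:<archive path>."""
    return ":".join([f"{SI_ROOT}:archive"] + _segments(archive_path, drop_pj=False))

def lookup_chain(acl: str) -> List[str]:
    """The ACL name followed by each colon-prefix parent, ending at 'mks'."""
    parts = acl.split(":")
    return [":".join(parts[:i]) for i in range(len(parts), 0, -1)]

def effective(acls: Dict[str, Dict[str, Dict[str, bool]]], acl: str,
              principal: str, permission: str) -> Optional[bool]:
    """Assumed model: the nearest ACL with an explicit entry decides."""
    for name in lookup_chain(acl):
        decision = acls.get(name, {}).get(principal, {}).get(permission)
        if decision is not None:
            return decision
    return None  # no entry anywhere on the chain

# Constructed sample entries: ACL name -> principal -> permission -> granted?
SAMPLE_ACLS = {
    "mks": {"alice": {"Login": True, "AdminServer": False}},
    "mks:si": {"alice": {"AdminServer": True}},
    "mks:si:project:id:TopProject": {"alice": {"OpenProject": True}},
    "mks:si:project:id:TopProject:Sub1:m1.txt": {"alice": {"DeleteRevision": False}},
}

if __name__ == "__main__":
    member = project_acl("TopProject/Sub1/project.pj", member="m1.txt")
    print(member)
    print(project_acl("/TopProject/Sub1/project.pj", devpath="DP1"))
    # AdminServer: denied at mks, granted at mks:si, so only mks:si allows it.
    for root in ("mks:si", "mks:im"):
        print(root, effective(SAMPLE_ACLS, root, "alice", "AdminServer"))
    # Member-level deny sits beside the project-level OpenProject grant.
    for perm in ("OpenProject", "DeleteRevision"):
        print(perm, effective(SAMPLE_ACLS, member, "alice", perm))
```

When reviewing who can reach a sensitive permission such as DeleteRevision, every name returned by lookup_chain for the object is an ACL whose entries need to be read, not only the most specific one.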
ACL Permissions
You must have the appropriate ACL permissions before you can perform configuration management, and workflow and document operations. For details on configuring ACLs, see the online help.
Integrity Lifecycle Manager Server Permissions
The following summarizes the Integrity Lifecycle Manager Server permissions available under mks:
AdminProxy
For PTC Technical Support only. Allows a user to perform administrative functions on the proxy.
Prerequisites: none.
AdminServer
For PTC Technical Support only. Allows a user to perform administrative functions on the server.
Prerequisites: none.
DebugProxy
For PTC Technical Support only. Allows a user to perform diagnostic functions on the proxy.
Prerequisites: none.
DebugServer
For PTC Technical Support only. Allows a user to perform diagnostic functions on the server.
Prerequisites: none.
Login
Allows a user to log in to Integrity Lifecycle Manager.
Prerequisites: none.
Configuration Management Server Permissions
The following summarizes the configuration management server-related permissions available under mks:si:
AdminProxy
For PTC Technical Support only. Allows a user to perform administrative functions on the proxy.
Prerequisites: none.
AdminServer
For PTC Technical Support only. Allows a user to perform administrative functions on the server.
Prerequisites: none.
DebugProxy
For PTC Technical Support only. Allows a user to perform diagnostic functions on the proxy.
Prerequisites: none.
DebugServer
For PTC Technical Support only. Allows a user to perform diagnostic functions on the server.
Prerequisites: none.
EditPolicy
Allows a user to modify and create configuration management policies on the Integrity Lifecycle Manager Server. The Edit Policy permission should be restricted to administrators and configuration management project managers.
Prerequisites: Login.
Login
Allows a user to log in to Integrity Lifecycle Manager.
Prerequisites: none.
ViewPolicy
Allows a user to view configuration management policies on the Integrity Lifecycle Manager Server. The View Policy permission should be restricted to administrators and configuration management project managers.
Prerequisites: Login.
Configuration Management Member Permissions
The following summarizes the configuration management member-related permissions available under mks:si:
ApplyLabel
Allows a user to add labels to revisions or move labels between revisions.
Prerequisites: Login, OpenProject.
CheckIn
Allows a user to check in working files as new revisions of members.
Prerequisites: Login, OpenProject, ApplyLabel, Lock, ModifyAuthor, ModifyMemberRev, ModifyMemberAttribute.
DeleteLabel
Allows users to delete a label from a revision.
Prerequisites: Login, OpenProject.
DeleteRevision
Allows a user to delete revisions from the member history.
This permission allows users to irrevocably delete revisions from the member history. Administrators should assign this permission carefully.
Prerequisites: Login, OpenProject.
Demote
This permission allows a user to change the promotion state of revisions from a higher setting to a lower one, when the States= configuration option defines a sequence of promotion states. For details, see the online help.
Prerequisites: Login, OpenProject.
DowngradeOtherUserLock
Allows a user to downgrade exclusive locks held by other users to non-exclusive locks.
Prerequisites: Login, OpenProject.
ResolveOtherUserPermissions
Allows a user to resolve permissions for other users for the specified project or member.
Prerequisites: Login, OpenProject.
FetchRevision
Allows a user to check out member revisions.
Prerequisites: Login, OpenProject, Lock, ModifyMemberRev.
Freeze
Allows a user to freeze members. When a member is frozen, all configuration management operations are run on the frozen member revision.
Prerequisites: Login, OpenProject.
Lock
Allows a user to lock revisions.
Prerequisites: Login, OpenProject.
ModifyAuthor
Allows a user to change the author name associated with a revision.
Prerequisites: Login, OpenProject.
ModifyMemberAttribute
Allows a user to set an attribute for a member that can be used later in a search.
Prerequisites: Login, OpenProject.
ModifyMemberRule
Allows a user to configure a member revision rule that can be applied to one or more members.
Prerequisites: Login, OpenProject.
MoveLabel
Allows a user to move a member label to another revision within the member history.
Prerequisites: Login, OpenProject, ApplyLabel.
Promote
This permission specifies that a user may promote revisions from the current promotion state to a higher state, when the States= configuration option defines a sequence of promotion states. For details, see the online help.
Prerequisites: Login, OpenProject.
ShareArchive
Allows sharing of member archives between two or more members.
Archive sharing is not recommended. Instead, creating variant Sandboxes is considered a better practice.
Prerequisites: Login, OpenProject, Checkpoint, CheckIn, Lock.
Thaw
Allows a user to thaw frozen members.
Prerequisites: Login, OpenProject.
Configuration Management Change Package Permissions
The following summarizes the configuration management change package-related permissions available under mks:si:
BypassChangePackageMandatory
Allows the user to bypass the Change Packages Mandatory policy, permitting the user to perform configuration management operations without change packages.
Prerequisites: none.
ChangePackageAdmin
Allows a user to edit, discard, close, and submit change packages, as well as move or discard change package entries, regardless of any documented user restrictions.
Prerequisites: none.
CreateChangePackage
If you are using configuration management functionality only, this permission allows a user to create change packages.
If you are using configuration management, and workflow and document functionality, this permission allows a user to create change packages based on the Change Package Creation Policy for the type that they want to create change packages for.
Prerequisites: Login, OpenProject.
ManageEmptyChangePackage
Allows a user to discard or close empty change packages of other users, even if the user is not assigned the ChangePackageAdmin permission.
SelfReview
Allows a user to accept change packages under review that were created by that user.
SuperReview
Allows a user to accept or reject a change package under review regardless of the reviewer rules.
This permission supersedes the SelfReview permission.
Configuration Management Project Permissions
The following summarizes the configuration management project-related permissions available under mks:si:
AddMember
Allows a user to add new members to projects through a Sandbox.
Prerequisites: Login, OpenProject, Lock, ShareArchive, ModifyAuthor.
AddProject
Allows a user to re-add a dropped project.
Prerequisites: Login, OpenProject.
AddSubproject
Allows a user to re-add dropped subprojects to a project.
Prerequisites: Login, OpenProject.
ApplyProjectLabel
Allows a user to add labels to projects or move labels between revisions of the project.
Prerequisites: Login, OpenProject.
CheckPoint
Allows a user to check in a new revision of a project (that is, checkpoint the project).
Prerequisites: Login, OpenProject, ApplyLabel, Promote, PromoteProject, ApplyProjectLabel.
ConfigureSubproject
Allows a user to configure a subproject's type. A subproject can be configured as a Normal, Variant, or Build subproject.
Prerequisites: Login, OpenProject.
CreateDevPath
Allows a user to create new development paths for variants of a project.
Prerequisites: Login, OpenProject.
CreateProject
Allows a user to create new projects.
Prerequisites: Login, OpenProject.
CreateSubproject
Allows a user to create new subprojects below existing projects.
Prerequisites: Login, OpenProject.
DeleteProjectLabel
Allows a user to delete a label from a project checkpoint.
Prerequisites: Login, OpenProject.
DemoteProject
This permission specifies that a user may demote projects from a higher promotion state to a lower state, when the States= configuration option defines a sequence of promotion states. For details, see the online help.
Prerequisites: Login, OpenProject.
DropDevPath
Allows a user to drop a development path from a project, also known as "dropping variants".
Prerequisites: Login, OpenProject.
DropMember
Allows a user to remove members from projects. The member archive remains, but the member is no longer treated as part of the project.
Prerequisites: Login, OpenProject.
DropProject
Allows a user to drop one or more top-level, registered projects from the server. The projects then become unregistered projects.
Prerequisites: Login, OpenProject.
DropSubProject
Allows a user to drop one or more subprojects from the server. The projects then become unregistered projects.
Prerequisites: Login, OpenProject.
ImportProject
This permission is for legacy functionality that no longer exists in the product.
Metrics
Allows metrics to be tracked for a project. Allows a user to define metrics to be tracked for projects.
Prerequisites: Login, OpenProject.
ModifyManualProjectMergeLine
Allows a user to create or delete a manual merge line. For more information on manual merge lines, see the Integrity Lifecycle Manager Help Center.
Prerequisites: Login, OpenProject.
ModifyMemberRev
Allows a user to make changes to the member revision of members.
Prerequisites: Login, OpenProject.
ModifyProjectAttribute
Allows a user to set an attribute for a project, which can be used later in a filter or search.
Prerequisites: Login, OpenProject.
MoveProjectLabel
Allows a user to move a project label to another project checkpoint within the project history.
Prerequisites: Login, OpenProject, ApplyProjectLabel.
OpenProject
Allows a user to open existing registered projects. This is required for most actions.
When OpenProject is granted or denied on a project, clients accessing the project must disconnect and then reconnect in order to get the new permission set. If you do not disconnect and reconnect your client, you may see unexpected behavior due to out-of-date permissions.
Prerequisites: Login.
PromoteProject
This permission specifies that a user may promote projects from the current promotion state to a higher state, when the States= configuration option defines a sequence of promotion states. For details, see the online help.
Prerequisites: Login, OpenProject.
RestoreProject
Allows a user to restore a project to a particular checkpointed version.
Prerequisites: Login, OpenProject, Checkpoint.
SnapshotSandbox
Snapshot creates and records the state of the user’s Sandbox as a project checkpoint that you can create a build Sandbox or a development path from.
Prerequisites: Login, OpenProject, Checkpoint, AddMember, DropMember.
Workflow and Document Permissions
The following summarizes the workflow and document permissions available under mks:im:
Admin
Allows access to administrative functions related to workflows and documents. Intended for the super administrator, whose tasks include managing users, groups, projects, states, types, and fields; assigning project administrators and type administrators; customizing permissions for change package types; closing change packages initiated by another user; creating admin reports, dashboards, charts, and queries; sharing reports, dashboards, charts, and queries created by another user, if shared to you (if the object is shared to you, you can also delete it); and creating and clearing Integrity Lifecycle Manager Server alert messages.
Prerequisites: Login.
AdminProxy
For PTC Technical Support only. Allows a user to perform administrative functions on the proxy.
Prerequisites: none.
AdminServer
For PTC Technical Support only. Allows a user to perform administrative functions on the server.
Prerequisites: none.
CreateChart
Allows the assigned user or group to create a chart. Denying permission restricts the user or group to using only those charts already on the system. For information on charts, see your Integrity Lifecycle Manager Help Center.
Prerequisites: Login.
CreateCPType
Allows the assigned user or group to create a custom change package type. For information on custom change package types, contact PTC Technical Support.
Prerequisites: Login.
CreateDashboard
Allows the assigned user or group to create a dashboard. Denying permission restricts the user or group to using only those dashboards already on the system. For information on dashboards, see your Integrity Lifecycle Manager Help Center.
Prerequisites: Login.
CreateProject
Allows the assigned user or group to create a new top level project for workflows and documents, and assign another Project Administrator. This permission can be used to extend the capability of the Project Administrator. Denying this permission means the user cannot create a new top level project or assign another Project Administrator.
Prerequisites: Login.
CreateQuery
Allows a user to create a new query. Denying this permission restricts the user to using only those queries that already exist on the system.
Prerequisites: Login.
CreateReport
Allows the assigned user or group to create a report. Denying permission restricts the user or group to using only those reports already on the system. For information on reports, see your Integrity Lifecycle Manager Help Center.
Prerequisites: Login.
CreateSharedAdmin
Allows a user to specify if a query, dashboard, report, or chart is a system provided object.
Prerequisites: Login.
CreateType
Allows the assigned user or group to create a new type or assign another Type Administrator. This permission can be used to extend the capability of the Type Administrator. Denying this permission means the user cannot create any new types or assign another Type Administrator.
Prerequisites: Login.
DeleteItem
Allows a user to delete items of any type.
Prerequisites: Login.
Login
Allows a user to log in to Integrity Lifecycle Manager.
Prerequisites: none.
ModifyDeleteItemRule
Allows a user to set a type rule that specifies which users and groups can delete items of that type.
Prerequisites: Login, CreateType.
ModifyMyNotification
Allows a user to modify personal e-mail notification preferences.
Prerequisites: Login, ViewMyNotification.
PurgeTestResult
Allows a user to purge test results for the test cases in a test session.
Prerequisites: Login.
ShareToEveryone
Allows a user to share queries, charts, and reports to the Everyone group.
Prerequisites: Login.
TimeTrackingAdmin
Allows a user to create, edit, and delete time entries on behalf of other users. The ability to create, edit, and delete time entries is governed by normal issue permissions.
Prerequisites: Login.
ViewAdmin
Allows a user to view administrative information related to workflows and documents.
Prerequisites: Login.
ViewChangePackage
By controlling the user’s ability to view change packages when working in Integrity Lifecycle Manager, the ViewChangePackage permission provides an additional level of control for accessing information in projects.
ViewMyNotification
Allows a user to view personal e-mail notification preferences.
Prerequisites: Login.
Available MKS Domain Permissions
The following summarizes the MKS Domain permissions available under mks:system:mksdomain to perform specific commands:
AdminServer
Allows a user to administer the MKS Domain.
Prerequisites: none.
RestrictGroup
Allows a principal to mark any MKS Domain group as restricted or administer a restricted MKS Domain group.
Prerequisites: AdminServer permission.
Available ViewSets Permissions
The following summarizes the ViewSets permissions available under mks:system:viewsets to perform specific commands:
PublishNewViewSet
Allows a user to publish ViewSets to the Integrity Lifecycle Manager Server.
Prerequisites: Login.
See Also
Commands: aa acls, aa addaclentry, aa availablepermissions, aa deleteacl, aa deleteaclentry, aa groups, aa users, aa viewacl
Miscellaneous: diagnostics