Perforce 2005.2 Command Reference
<< Previous Chapter
p4 print
Table of Contents
Index
Perforce on the Web
Next Chapter >>
p4 rename

p4 protect

Synopsis

Control users' access to files, directories, and commands.

Syntax

p4 [g-opts] protect
p4 [g-opts] protect -o
p4 [g-opts] protect -i

Description

Use p4 protect to control Perforce permissions. You can use p4 protect to:

Perforce provides seven levels of access. The access levels are:

Access Level
What the User Can Do

list

The user can access all Perforce metadata, but has no access to file contents. The user can run all the commands that describe Perforce objects, such as p4 files, p4 client, p4 job, p4 describe, p4 branch, etc.

read

The user can do everything permitted with list access, and also run any command that involves reading file data, including p4 print, p4 diff, p4 sync, and so on.

open

This gives the user permission to do everything she can do with read access, and gives her permission to p4 add, p4 edit, and p4 delete files. However, the user is not allowed to lock files or submit files to the depot.

write

The user can do all of the above, and can also write files with p4 submit and lock them with p4 lock.

review

This permission is meant for external programs that access Perforce. It gives the external programs permission to do anything that list and read can do, and grants permission to run p4 review and p4 counter. It does not include open or write access.

admin

Includes all of the above, including administrative commands that override changes to metadata, but do not affect server operation.

These include p4 branch -f, p4 change -f, p4 client -f, p4 job -f, p4 jobspec, p4 label -f, p4 obliterate, p4 typemap, p4 unlock -f, and p4 verify.

super

Includes all of the above, plus access to the superuser commands such as p4 admin, p4 counter, p4 triggers, p4 protect, and so on.

Form Fields

When you run p4 protect, Perforce displays a form with a single field, Protections:. Each permission is specified in its own indented line under the Protections: header, and has five values:

Column
Description

Access Level

One of the access levels list, read, open, write, review, or super, as defined above.

User or Group

Does this protection apply to a user or a group? The value of this field must be user or group.

Group Name or User Name

The name of the user or the name of the group, as defined by p4 group. To grant this permission to all users, use the * wildcard.

Host

The IP address. Use the * wildcard to refer to all IP addresses.

Depot File Path

The depot file path this permission is granted on, in Perforce depot syntax. The file specification can contain Perforce wildcards.

To exclude this mapping from the permission set, use a dash (-) as the first character of this value.

When exclusionary mappings are not used, a user is granted the highest permission level listed in the union of all the mappings that match the user, the user's IP address, and the files the user is trying to access. In this case, the order of the mappings is irrelevant.

When exclusionary mappings are used, order is relevant: the exclusionary mapping overrides any matching protections listed above it in the table. No matter what access level is being denied in the exclusionary protection, all the access levels for the matching users, files, and IP addresses are denied.

If you use exclusionary mappings to deny access to an area of the depot to members of group1, but grant access to the same area of the depot to members of group2, a user who is a member of both group1 and group2 is either granted or denied access based on whichever line appears last in the protections table.

Options

-i

Read the form from standard input without invoking an editor.

-o

Write the form to standard output without invoking an editor.

g-opts

See the Global Options section.

Usage Notes

Can File Arguments Use
Revision Specifier?

Can File Arguments Use
Revision Range?

Minimal Access Level Required

No

No

super

a This command doesn't operate on specific files. Thus, permission is granted to run the command if the user has the specified access to at least one file in the depot.
b The -o flag to this command, which allows the form to be read but not edited, requires only list access.
c list access is required to view an existing counter's value; review access is required to change a counter's value or create a new counter.
d To run p4 integrate, the user needs open access on the target files and read access on the donor files.
e The -f flag to override existing metadata or other users' data requires admin access.
f admin access required to terminate or clear processes.
g admin access required to use p4 fix -d.
It is possible to deny yourself super access; if you accidentally deny yourself super access, you will subsequently be unable to run p4 protect. To get around this, remove the db.protect table under P4ROOT of the Perforce server.

Examples

Suppose that user joe is a member of groups devgroup and buggroup, as set by p4 group, and the protections table reads as follows:

super     user      bill       *              //...
write     group     devgroup   *              //depot/...
write     group     buggroup   *              -//depot/proj/...
write     user      joe        192.168.100.*  //...

Joe attempts a number of operations. His success or failure at each is described below:

From IP address...
Joe tries...
Results

10.14.10.1

p4 print //depot/misc/...

Succeeds. The second line grants Joe write access on these files; write access includes read access, and this protection isn't excluded by any subsequent lines.

10.14.10.1

p4 print //depot/proj/README

Fails. The third line removes all of Joe's permissions on any files in this directory. (If the second protection and the third protection had been switched, then the subsequent protection would have overridden this one, and Joe would have succeeded).

192.168.100.123

p4 print //depot/proj/README

Succeeds. Joe is sitting at an IP address from which he is granted this permission in the fourth line.

192.168.100.123

p4 verify //depot/misc/...

Fails. p4 verify requires super access; Joe doesn't have this access level no matter which IP address he's coming from.

Related Commands

To create or edit groups of users

p4 group

To list all user groups

p4 groups


Perforce 2005.2 Command Reference
<< Previous Chapter
p4 print
Table of Contents
Index
Perforce on the Web
Next Chapter >>
p4 rename
Please send comments and questions about this manual to [email protected].
Copyright 1999-2005 Perforce Software. All rights reserved.
Last updated: 12/15/05