Managing permissions

View permissions

The Permissions tab displays tabs under it for Users, Groups, and Depot Tree.

To display the files and folders to which a user has access, click the user on the Users tab.

To display the files and folders to which users in a group have access, click the group on the Groups tab.

To display the groups and users that have access to a file or folder, click the file or folder on the Depot Tree tab.

To see which lines of the protections table control access to a user, group, or area of the depot, click the user, group or folder. The corresponding line in the protections table is highlighted. (If a user or group is neither granted nor denied access to a path by means of any entries in the protections table, the depot path displays "no access" and the "granted to" field is blank.)

To filter out lines in the right-hand pane, use the Access Level sliders to set the lowest and highest levels. The areas of the depot associated with the highlighted range of access values are displayed.

To see only those permissions that apply to a user’s workstation, enter the IP address of the workstation in the Host IP filter field. For example, permissions lines with a host value of 92.168.*.* and 192.168.1.* both apply to a workstation at

To show files in the Depot Tree, click Show files.

Edit the protections table

The protections table is displayed in the bottom pane of the screen. It is a representation of the table used by the p4 protect command, with exclusionary lines shown in red. For more information on the p4 protect command, see p4 protect in the Helix Core Command-Line (P4) Reference.

To edit the protections table, use the built-in editor or click p4v admin table icon to edit the protections table as text.

To deny access to a specific portion of the depot to a user or group, use an exclusionary mapping. Place a dash (-) in front of the path in the Folder/File field. Exclusionary mappings apply to all access levels, even though only one access level can be selected in the Access Level field.

The following table describes the fields in the protections table.

Access Level

The permission being granted. Each permission level includes all lower-level permissions, except for review.

  • super: Grants access all commands and command options
  • admin: Permits those administrative commands and command options that don’t affect server security
  • write: Lets users submit open files
  • open: Lets users open files for add, edit, delete, and integrate
  • read: Lets users sync, diff, and print files
  • list: Lets users see names but not contents of files. Users can see all non-file related metadata, such as workspaces, users, changelists, and jobs.
  • review: Allows access to the p4 review command. This level is intended for automated processes. It implies read access.
  • ##: Adds a comment line to the protections table. For example:

    ## robinson crusoe
    write user * //depot/test/...

For stream specifications, you can use P4Admin to set stream spec access levels. For example, you can set an access level for a group or user, and then limit that access level to a subset of depots. Similarly, you can set an access level for a group and then remove it from a user in that group. The access levels for a stream spec are:

Access Level Meaning the group or user can ... Implies the lesser permission(s)
writestreamspec submit or modify openstreamspec and readstreamspec
openstreamspec revert, resolve, shelve, or open for edit readstreamspec
readstreamspec display  

The denial levels for a stream spec in the P4Admin built-in editor are:

  • nowritestreamspec
  • noopenstreamspec
  • noreadstreamspec

You can also work with these access levels in P4Admin as text, where:

=writestreamspec replaces nowritestreamspec

=openstreamspec replaces noopenstreamspec

=readstreamspec replaces noreadstreamspec

Before you limit or remove an access level, make sure this access level has been provided.

If you use =writestreamspec, =openstreamspec, or =readstreamspec, P4Admin requires that you also use an exclusionary mapping. For example:

writestreamspec user maria * //... ## maria has writestreamspec for all streams
=writestreamspec user maria * -//a2/... ## except streams in the a2 depot

Suppose that, for the specified depot, you want to the user to have only readstreamspec:

writestreamspec user maria * //... ## writestreamspec for all streams
=writestreamspec user maria * -//a2/... ## removing writestreamspec from that depot
=openstreamspec user maria * -//a2/... ## also removing openstreamspec from that depot

So, whereas granting an access level implicitly grants any implied access levels, denying an access level does not implicitly remove any other access level. All denials must be explicit.

IMPORTANT: The 2020.1 release added protections modes that are specific to stream specs. By default, these permissions can exist in the protection table, but will not be used until the dm.protects.streamspec configurable has been set to 1. If the dm.protects.streamspec configurable is set to 1 and any stream spec permissions exist in the protection table, the pre-2020.1 permissions no longer apply and all users who are not admin or super require explicit stream spec permissions.


Indicates whether this line applies to a Perforce user or group.


A Helix Server user name or group name; can be wildcarded.


The IP address of a client host; can be wildcarded.


The part of the depot to which access is being granted or denied. To deny access to a depot path, preface the path with a dash (-). Exclusionary mappings apply to all access levels, regardless of the access level specified in the first field.


Optional description of a table entry. Appends a comment at the end of a line using the ## symbols. For example: write user * //depot/test/... ## robinson crusoe

For details about how permissions work within Helix Server, see the Authoring access chapter of the Helix Core Server Administrator Guide.


When you look at the P4Admin Permissions tab for any particular user, you will see the depots specified in the protection table. If that user has no access to a restricted depot, it will not expand to show any files. In this example, user1 can only see depot1:

When user1 uses P4V, no depot will be visible except depot1.