Helix Core Server Administrator Guide: Fundamentals (2018.2)

How protections are implemented

This section describes the algorithm that Helix Server follows to implement its protection scheme. Protections can be used properly without reading this section; the material here is provided to explain the logic behind the behavior described above.

Users' access to files is determined by the following steps:

  1. The command is looked up in the command access level table shown in Access levels required by Helix Server commands to determine the minimum access level needed to run that command. In our example, p4 print is the command, and the minimum access level required to run that command is read.

  2. Helix Server makes the first of two passes through the protections table. Both passes move up the protections table, bottom to top, looking for the first relevant line.

    The first pass determines whether the user is permitted to know if the file exists. This search simply looks for the first line encountered that matches the user name, host IP address, and file argument. If the first matching line found is an inclusionary protection, the user has permission to at least list the file, and Helix Server proceeds to the second pass. Otherwise, if the first matching protection found is an exclusionary mapping, or if the top of the protections table is reached without a matching protection being found, the user has no permission to even list the file, and will receive a message such as File not on client.

    Example   Interpreting the order of mappings in the protections table

    Suppose the protections table is as follows:

    write       user        *        *      //...
read        user        edk      *      -//...
read        user        edk      *      //depot/elm_proj/...

    If Ed runs p4 print //depot/file.c, Helix Server examines the protections table bottom to top, and first encounters the last line. The files specified there don’t match the file that Ed wants to print, so this line is irrelevant. The second-to-last line is examined next; this line matches Ed’s user name, his IP address, and the file he wants to print; since this line is an exclusionary mapping, Ed isn’t allowed to list the file.

  3. If the first pass is successful, Helix Server makes a second pass at the protections table; this pass is the same as the first, except that access level is now taken into account.

    If an inclusionary protection line is the first line encountered that matches the user name, IP address, and file argument, and has an access level greater than or equal to the access level required by the given command, the user is given permission to run the command.

    If an exclusionary mapping is the first line encountered that matches according to the above criteria, or if the top of the protections table is reached without finding a matching protection, the user has no permission to run the command, and receives a message such as:

    You don't have permission for this operation
Additional product documentation
Perforce training portal
Perforce video library
Perforce knowledge base
Perforce customer support
Email us at: manual@perforce.com