Helix Core Server Administrator Guide (2020.1)

User types

There are three types of Helix server users: standard users, operator users, and service users.

  • A standard user is a traditional user of Helix server.

    Standard users are the default, and each standard user consumes one Helix server license.

  • An operator user is intended for human or automated system administrators.

    An operator user does not require a Helix server license.

  • A service user is used for server-to-server authentication in the context of remote depots and multi-server environments. See Remote depots and multi-server development.

    Service users do not require licenses, but are restricted to automated inter-server communication processes in replicated and multi-server environments.

The following sections describe these types and how they need to be managed.

Important

Once you set the user type, you cannot change it.

Creating standard users

By default, Helix server creates a new user record in its database whenever a command is issued by a user who does not exist. Helix server superusers can also use the -f (force) flag to create a new user as follows:

$ p4 user -f username

Fill in the form fields with the information for the user you want to create.

The p4 user command also has an option (-i) to take its input from the standard input instead of the forms editor. To quickly create a large number of users, write a script that reads user data, generates output in the format used by the p4 user form, and then pipes each generated form to p4 user -i -f.

Service users

Creating a service user for each Perforce service you install can simplify the task of interpreting your server logs, and also improve security by requiring that any remote Perforce services with which yours is configured to communicate have valid login tickets for your installation. Service users do not consume Helix server licenses.

A service user can run the following commands:

p4 dbschema p4 export p4 info
p4 login p4 logout p4 logparse
p4 logschema p4 logstat p4 logtail
p4 passwd p4 servers p4 user
Note

Although a service user cannot run p4 pull directly on the command line, the service user on a replica automatically runs this command to retrieve metadata and archive content (versioned files) from the master.

To create a service user, run the command:

$ p4 user -f service1

The standard user form is displayed. Enter a new line to set the new user’s Type: to be service:

User:      service1
Email:     [email protected]
FullName:  Service User for remote depots
Type:      service

By default, the output of p4 users omits service users. To include service users, run p4 users -a.

Tickets and timeouts for service users

A newly-created service user that is not a member of any groups is subject to the default ticket timeout of 12 hours. To avoid issues that arise when a service user’s ticket ceases to be valid, create a group for your service users that features an extremely long timeout, or set the value to unlimited. On the master server, issue the following command:

$ p4 group service_users

Add service1 to the list of Users: in the group, and set the Timeout: and PasswordTimeout: values to a large value or to unlimited.

Group:            service_users
Timeout:          unlimited
PasswordTimeout:  unlimited
Subgroups:
Owners:
Users:
        service1

Permissions for service users

On your server, use p4 protect to grant the service user super permission. Service users are tightly restricted in the commands they can run, so granting them super permission is safe. If you are only using the service user for remote depots and code drops, you may further reduce this user’s permissions as described in Restricting access to remote depots.

Operator users

Organizations whose system administrators do not use Helix server versioning capabilities might be able to economize on licensing costs by using the operator user type.

The operator user type is intended for system administrators who, even though they have super or admin privileges, are responsible for the maintenance of the Helix Core server, rather than the development of software or other assets on the server.

An operator user does not require a Helix server license, and can run only the following commands:

p4 admin checkpoint 

p4 admin journal

p4 admin restart

p4 admin stop

p4 configure 

p4 counter (including -f)

p4 counters

p4 dbstat 

p4 dbverify 

p4 depots 

p4 diskspace

p4 info

p4 jobs (including -R)

p4 journaldbchecksums 

p4 lockstat

p4 login

p4 logout

p4 logappend

p4 logparse

p4 logrotate

p4 logschema

p4 logstat

p4 logtail

p4 monitor

p4 passwd

p4 ping

p4 pull (including -lj)

p4 serverid

p4 servers

p4 user

p4 verify