Grantable permissions
Each metatype has its own set of operation-based individual permissions.
Individual and generic permissions
Certain types of objects have individual permissions. For example, HCL VersionVault elements have a specific mod-checkout permission that covers operations that make new versions (checkout, checkin); the VOB object has permissions for making new objects, and so on.
Besides individual permissions, you can also use generic permissions (predefined groupings of permissions). Each metatype has a Read, Change, and Full generic permission. These are mapped to an appropriate subset of the metatype's specific permissions. You can think of these as levels of permission, with Change incorporating all of Read and adding in additional permitted operations, and Full enabling yet more operations.
You can grant principals generic permissions, or specific permissions, or a combination of both. You can also grant multiple permissions to the same principal. If you grant all the specific permissions that make up a generic grouping, the entry will be displayed showing just that generic name. For example, an access control entry granting read-info,lookup-dir,AclRead on an element will be displayed as Read.
For rolemaps and policies, read-name is required to see an object's name in a list or collection; read-info is required to see the object's properties.
For elements, it is the containing directory's permissions that govern visibility of the element's file name; the reading process needs read-info on a versioned directory to see the list of elements catalogued in any version of the directory. The process also needs read-info permission on the element to access the contents of a version of a plain file element.
For the VOB object, read-info stands for the basic permission to open the VOB for any operation.
Generic permissions applicable to multiple object types
- AclRead: Permission to read the dbid of the object's rolemap
- AclWrite: Permission to reprotect the object with a new rolemap
- chmaster: Permission to change mastership of the object
- delete: Permission to remove an object
- lock: Permission to lock an object
- mod-props: Permission to modify properties of an object (owner, group, fstat permission, event record, and so on)
- read-info: Permission to read properties of an object
- read-name: Permission to read the name of an object
Generic and individual permissions
The following table lists, for each object metatype, the individual permissions that are included in each of the generic permissions.
Generic permission | Individual permissions |
---|---|
VOB object permissions | |
Read | read-info, read-name, AclRead |
Change | read-info, read-name, AclRead, mod-props, mod-attr, mod-hlink |
Full | read-info, read-name, AclRead, mod-props, mod-attr, mod-hlink, chmaster, mkpolicy, mkrolemap, rmelem, lock, AclWrite, Delete |
Policy object permissions | |
Read | read-info, read-name, AclRead |
Change | read-info, read-name, AclRead, mod-props, mod-attr, mod-hlink |
Full | read-info, read-name, AclRead, mod-props, mod-attr, mod-hlink, chmaster, lock, AclWrite, Delete |
Rolemap object permissions | |
Read | read-info, read-name, AclRead |
Change | read-info, read-name, AclRead, mod-props, mod-attr, mod-hlink |
Full | read-info, read-name, AclRead, mod-props, mod-attr, mod-hlink, chmaster, lock, AclWrite, Delete |
Element object generic permissions | |
Read | read-info, lookup-dir, AclRead |
Change | read-info, lookup-dir, AclRead, mod-props, mod-checkout, mod-branch, write-dir, mod-task, mod-attr, mod-hlink, mod-trig |
Full | read-info, lookup-dir, AclRead, mod-props, mod-checkout, mod-branch, write-dir, mod-task, mod-attr, mod-hlink, mod-trig, chmaster, rmver, mod-label, lock, AclWrite, Delete |
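
The following Python example is added here to illustrate the display rule and the tables above; it is not HCL VersionVault code. The function names, the case-insensitive matching of permission names, and the way a mixed grant is rendered are assumptions. It expands an access control entry to its individual permissions, collapses it back to a generic name where one is fully covered, and reports what an entry grants beyond what a role needs.

```python
# Added example: permission tables transcribed from this page; names are hypothetical.
def _levels(read, change, full):
    # Each generic level contains the one below it, as the tables show.
    return {"Read": read, "Change": read + change, "Full": read + change + full}

NAMED = ["read-info", "read-name", "AclRead"]
EDIT = ["mod-props", "mod-attr", "mod-hlink"]
ADMIN = ["chmaster", "lock", "AclWrite", "Delete"]
GENERIC = {
    "vob": _levels(NAMED, EDIT, ["chmaster", "mkpolicy", "mkrolemap", "rmelem",
                                 "lock", "AclWrite", "Delete"]),
    "policy": _levels(NAMED, EDIT, ADMIN),
    "rolemap": _levels(NAMED, EDIT, ADMIN),
    "element": _levels(
        ["read-info", "lookup-dir", "AclRead"],
        ["mod-props", "mod-checkout", "mod-branch", "write-dir", "mod-task",
         "mod-attr", "mod-hlink", "mod-trig"],
        ["chmaster", "rmver", "mod-label", "lock", "AclWrite", "Delete"]),
}

def expand(metatype, grants):
    """Individual permissions that a mix of generic and individual grants amounts to."""
    table = GENERIC[metatype]
    known = {p.lower(): p for p in table["Full"]}  # assumption: case-insensitive names
    out = set()
    for g in grants:
        if g in table:
            out.update(table[g])
        elif g.lower() in known:
            out.add(known[g.lower()])
        else:
            raise ValueError(f"{g!r} is not listed for {metatype} objects")
    return out

def display(metatype, grants):
    """Highest fully covered generic name, then leftovers (mixed form is an assumption)."""
    table, have = GENERIC[metatype], expand(metatype, grants)
    for name in ("Full", "Change", "Read"):
        if set(table[name]) <= have:
            return ",".join([name] + [p for p in table["Full"]
                                      if p in have and p not in table[name]])
    return ",".join(p for p in table["Full"] if p in have)

def excess(metatype, grants, needed):
    """Least-privilege review aid: permissions granted beyond what a role needs."""
    return sorted(expand(metatype, grants) - expand(metatype, needed))

if __name__ == "__main__":
    print(display("element", ["read-info", "lookup-dir", "AclRead"]))
```

Passing a role's actual grant and the permissions it needs to `excess` shows, for instance, how much a blanket Change grant on elements adds over Read plus mod-checkout.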