Exclusionary Protections

Article #: 839
Created: 12/15/05
Modified: 12/09/08
Tags: exclusionary, protections

Links

  1. Exclusionary Protections
    Perforce System Administrator's Guide

PROBLEM

After editing your protections table you expected that a specified part of your depot is read-only for certain users, but they can still submit files. Why is file access not set to what you expected?


SOLUTION

One of the most misunderstood aspects of the protections table is exclusionary protections. These are the protections that deny access to the depot, as opposed to simply limiting access.

For example, if you have a basic protections table like the following:
Protections: 
	write user * * //... 
	super user john * //... 
These protections allow all users "write" access to all depots. When limiting all users so that they only have "read" access to a particular directory, the most common mistake is entering a line like the following:
Protections: 
	write user * * //... 
	read user * * //depot/branch/... 
	super user john * //... 
The "read" line does not limit access to "//depot/branch": it is overridden by the "write" line above it, which allows write access to the entire repository. To correctly limit access, two lines are needed to restrict access to this directory, like the following:
Protections: 
	write user * * //... 
	write user * * -//depot/branch/... 
	read user * * //depot/branch/... 
	super user john * //... 
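The addition of the exclusionary line denies all previously granted access to that directory. The line following that exclusionary protection then permits "read" level access for all users. Order matters: an exclusionary line only overrides matching lines above it, which is why john's "super" line, listed after it, is unaffected.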
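
To check a table edit before relying on it, the evaluation rule described above can be modelled in a few lines. This is an added example, not Perforce code: it is a simplified model that assumes only "user" lines, a host field of "*", and no "review" or "=" rights. The user "mary" and the file paths are constructed.

```python
import re
from fnmatch import fnmatchcase

# Simplified ladder: each level implies the ones before it ("review" and "=" rights omitted).
LEVELS = ["list", "read", "open", "write", "admin", "super"]

def path_regex(pattern):
    # Perforce wildcards: "..." spans directories, "*" stays within one path component.
    parts = re.split(r"(\.\.\.|\*)", pattern)
    return re.compile("".join(
        ".*" if p == "..." else "[^/]*" if p == "*" else re.escape(p) for p in parts) + r"\Z")

def parse(table):
    """Parse 'level user name host path' lines (host is assumed to be '*' in this model)."""
    rules = []
    for line in table.strip().splitlines():
        level, _kind, name, _host, path = line.split()
        exclude = path.startswith("-")
        rules.append((level, name, exclude, path_regex(path[1:] if exclude else path)))
    return rules

def effective_access(table, user, depot_path):
    """Return the highest level the user ends up with on depot_path, or None."""
    granted = set()
    for level, name, exclude, rx in parse(table):  # top to bottom: order matters
        if not (fnmatchcase(user, name) and rx.match(depot_path)):
            continue
        if exclude:
            granted.clear()  # an exclusion denies every level granted above it
        else:
            granted.update(LEVELS[: LEVELS.index(level) + 1])
    return max(granted, key=LEVELS.index, default=None)

# The two tables from the article: the common mistake and the corrected version.
MISTAKE = """
write user * * //...
read user * * //depot/branch/...
super user john * //...
"""
CORRECT = """
write user * * //...
write user * * -//depot/branch/...
read user * * //depot/branch/...
super user john * //...
"""

if __name__ == "__main__":
    for label, table in (("mistake", MISTAKE), ("correct", CORRECT)):
        print(label, effective_access(table, "mary", "//depot/branch/foo.c"))
```

On a live server, `p4 protects -u <user> <path>` lists the protection lines that apply to a given user and path, which is the authoritative check.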