ACL implementation in docman is called trustees. It's based on concept of trustees for Linux kernel by Vyacheslav Zavadsky <email@example.com>
Trustees are used to control access right, and special features (like notify on change)
For each path (which can be file or directory) all trustees are evaluated. However, deny has precedence over allow (which is default in no trustee is specified).
Comments are written using hash (#) as first character in line
# this is a comment
Group can be used instead of user-name in all ACL. You can't have user
which has same name as group or vice-versa. It's written using plus (+) as
first character in line.
ACL is defined
# dpavlin is administrator (grant all access to members of root group) +root:dpavlin /:root:RWB # give read-only access to all users /:*:R # anyone can write in this file /public_write.txt:*:w # let just joe access secret file /secret:joe:!CRW
There is major difference between deny and clear. If you want to deny access to one file except to use joe (which should have read-only access) you could write:
/secret.txt:*:DRWB:joe:RThat is wrong. deny rules will take precedence over allow read to joe. So, you should write:
/secret.txt:*:CRWB:joe:RWhich will work.
If you want to allow just one user (editor) to have write persmissions on file one_editor.txt while all others can read it, you could do something like:
/one_editor.txt:*:DW:editor:CRWBOrder of statements is not important. Trustees are always evaluated from universal ones (e.g. ones for all users; with *) to specific for this user (in this case, for user editor). However, this example wouldn't work without C for user editor because deny for write would have precidence.
FIX write more examples, better descriptions...
One of great advantages of using trustees is that you can allow anonymous access (without login). You should pay attention to access right, because you probably don't want anonymous users to see all files or folders in your repository.
First, you will have to add browse trustee to anonymous user on root directory -- docman will ignore all anonymous users if you don't do this.
/:anonymous:BOYou really want to use flags BO and not just B because if you specify just B anonymous users will be able to browse (see directory names) of your whole repository. This way you can explicitly allow (or deny) which sub-directories you want anonymous users to browse.
/pub:anonymous:RB /incoming:anonymous:RWBYou might also want to hide some directory from anonymous users, and you can do that using:
/private:anonymous:DBIf you would like to give all your users which are authenticated via login and password all access to all files (like in old docman v1.x) you also have to add
/:*:RWBHowever, that will not add all permission to anonymous users. If you want to add all that permission to anonymous users (which will create wiki-like community for sharing files) you must explicitly say that you allow that to anonymous users:
/:anonymous:RWBAll those setting will create environment which is very like docman v1.x, but with anonymous users allowed to see document in /pub and upload them in /incoming.
If none of trustee rules satisfy, default policy is deny. Basically, you have to explicitly allow all your users access to files (which can be as simple as /:*:RB to give read and browse to all users)
If you don't have realm/http_virtual_host.trustee you will fall-back to default docman v1.x behavior: whole group will have all right on all files except anonymous users (which won't be able to login anyway).
See also: Administration manual