Understanding CLI Changes for ACL

With the new ACL security model in place, the CLI has updated permissions. This section describes the changes made to the CLI tool so that the new ACL model can be imported and exported.

Working with CLI

Only an Admin or spatial-admin can run the CLI utility. In 12.2, you can export with minimum permissions (just VIEW permission on a resource) and import with just CREATE permission on the target folder. However, in general, only admin and sub-admin should be able to import and export within 12.2.

  • A user can export the resources if they have the permission to VIEW.
  • A user can import the resources if they have the permission to CREATE to the folder in the repository.

Export

The exporter must have VIEW (resource) permission on all resources to be exported; otherwise an Access denied exception is thrown and the export process is stopped.

When you export with the --a option, the ACL of all exported resources is also exported after all the resources are exported successfully (including entities of all other Users/Roles).

Import

A user must have CREATE (resource) permission on the target folder in the repository; otherwise an Access denied exception is thrown and the import process is stopped.

When you import with the --a option, all ACL entries are merged into the existing ACL registered in the system (same as in earlier versions).

When you import resources exported from an older version with --a specified, the ACL is upgraded according to the following rules before it is merged into the existing ACL in the system:
  • All permissions on folders will be ignored.
  • All permissions on resources will be ignored.
  • The EXECUTE permission will be added if a resource had VIEW permission.
  • All DENY permissions will be ignored.
  • All dataset permissions will be merged as before.
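
The upgrade rules above can be previewed before an import to see which legacy entries survive and which are silently dropped. This is an added example, not the product's own code. The entry shape (principal, target, kind, effect, perms), the sample data, and the reading of "merge" as a per-principal union are assumptions made for illustration.

```python
# Constructed legacy ACL entries; the real export format is not shown on this page.
LEGACY_ACL = [
    {"principal": "role:analysts", "target": "/Maps", "kind": "folder",
     "effect": "ALLOW", "perms": {"VIEW", "CREATE"}},
    {"principal": "user:alice", "target": "/Maps/Roads", "kind": "resource",
     "effect": "ALLOW", "perms": {"VIEW", "CREATE"}},
    {"principal": "user:bob", "target": "/Maps/Roads", "kind": "resource",
     "effect": "DENY", "perms": {"VIEW"}},
    {"principal": "user:carol", "target": "/Maps/Parcels", "kind": "resource",
     "effect": "ALLOW", "perms": {"CREATE"}},
    {"principal": "role:editors", "target": "/Data/ParcelsTable", "kind": "dataset",
     "effect": "ALLOW", "perms": {"VIEW"}},
]

# Constructed ACL already registered in the target system.
EXISTING_ACL = {("user:alice", "/Maps/Roads"): {"VIEW"}}


def upgrade_legacy_acl(entries):
    """Apply the upgrade rules; return (kept, dropped) so drops can be reviewed."""
    kept, dropped = [], []
    for e in entries:
        if e["effect"] == "DENY":
            dropped.append((e, "DENY ignored"))
        elif e["kind"] == "folder":
            dropped.append((e, "folder permissions ignored"))
        elif e["kind"] == "dataset":
            # Dataset permissions pass through unchanged.
            kept.append((e["principal"], e["target"], frozenset(e["perms"])))
        elif "VIEW" in e["perms"]:
            # Legacy VIEW on a resource becomes EXECUTE; nothing else is carried.
            kept.append((e["principal"], e["target"], frozenset({"EXECUTE"})))
        else:
            dropped.append((e, "resource permissions ignored"))
    return kept, dropped


def merge_acl(existing, upgraded):
    """Union upgraded grants into a copy of the existing ACL (assumed merge semantics)."""
    merged = {key: set(perms) for key, perms in existing.items()}
    for principal, target, perms in upgraded:
        merged.setdefault((principal, target), set()).update(perms)
    return merged


if __name__ == "__main__":
    kept, dropped = upgrade_legacy_acl(LEGACY_ACL)
    for entry, reason in dropped:
        print(f"DROPPED {entry['principal']} on {entry['target']}: {reason}")
    for key, perms in sorted(merge_acl(EXISTING_ACL, kept).items()):
        print(key, sorted(perms))
```

Review the dropped DENY entries in particular: a restriction that existed in the older system is not carried over, so any access it was blocking has to be re-checked against the merged ACL.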