Mercurial > dovecot > core-2.2

view doc/man/doveadm-acl.1.in @ 22664:fea53c2725c0

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
director: Fix director_max_parallel_moves/kicks type Should be uint, not time.
author Timo Sirainen <timo.sirainen@dovecot.fi>
date Thu, 09 Nov 2017 12:24:16 +0200
parents 2e2563132d5f
children cb108f786fb4
line wrap: on
line source

.\" Copyright (c) 2014-2017 Dovecot authors, see the included COPYING file
.TH DOVEADM\-ACL 1 "2015-05-09" "Dovecot v2.2" "Dovecot"
.SH NAME
doveadm\-acl \- Manage Access Control List (ACL)
.\"------------------------------------------------------------------------
.SH SYNOPSIS
.BR doveadm " [" \-Dv ]
[\fB\-f\fP \fIformatter\fP]
.BI acl \ command
.RI [ OPTIONS ]\ [ ARGUMENTS ]
.\"------------------------------------------------------------------------
.SH DESCRIPTION
The
.B doveadm acl
.I COMMANDS
can be used to execute various Access Control List related actions.
.\"------------------------------------------------------------------------
@INCLUDE:global-options-formatter@
.\" --- command specific options --- "/.
.PP
This command uses by default the output formatter
.BR table .
.PP
Command specific
.IR options :
.\"-------------------------------------
@INCLUDE:option-A@
.\"-------------------------------------
@INCLUDE:option-F-file@
.\"-------------------------------------
@INCLUDE:option-S-socket@
.\"-------------------------------------
@INCLUDE:option-u-user@
.\"------------------------------------------------------------------------
.SH ARGUMENTS
.TP
.I id
The id (identifier) is one of:
.RS
.RS
.TP 4
*
.BR group\-override =\c
.I group_name
.\"-----------------
.TP
*
.BR user =\c
.I user_name
.\"-----------------
.TP
*
.B owner
.\"-----------------
.TP
*
.BR group =\c
.I group_name
.\"-----------------
.TP
*
.B authenticated
.\"-----------------
.TP
*
.BR anyone " (or " anonymous ", which is an alias for anyone)"
.\"-----------------
.RE
.PP
The ACLs are processed in the precedence given above, so for example if you
have given read\-access to a group, you can still remove that from specific
users inside the group.
.br
Group\-override identifier allows you to override users\(aq ACLs.
Probably the most useful reason to do this is to temporarily disable
access for some users.
For example:
.PP
.nf
user=timo rw
group\-override=tempdisabled
.fi
.PP
Now if timo is a member of the tempdisabled group, he has no access to the
mailbox.
This wouldn\(aqt be possible with a normal group identifier, because the
.B user=timo
would override it.
.RE
.\"-------------------------------------
.TP
.I mailbox
The name of the mailbox, for which the ACL manipulation should be done.
It\(aqs also possible to use the wildcard characters
.RB \(dq * "\(dq and/or \(dq" ? \(dq
in the mailbox name.
.\"-------------------------------------
.TP
.I right
Dovecot ACL right name. This isn\(aqt the same as the IMAP ACL letters,
which aren\(aqt currently supported.
Here is a mapping of the IMAP ACL letters to Dovecot ACL names:
.RS
.RS
.TP 4
.B l \(-> lookup
.I Mailbox
is visible in mailbox list.
.I Mailbox
can be subscribed to.
.\"-----------------
.TP
.B r \(-> read
.I Mailbox
can be opened for reading.
.\"-----------------
.TP
.B w \(-> write
Message flags and keywords can be changed, except
.BR \(rsSeen " and " \(rsDeleted .
.\"-----------------
.TP
.B s \(-> write\-seen
.B \(rsSeen
flag can be changed.
.\"-----------------
.TP
.B t \(-> write\-deleted
.B \(rsDeleted
flag can be changed.
.\"-----------------
.TP
.B i \(-> insert
Messages can be written or copied to the
.IR mailbox .
.\"-----------------
.TP
.B p \(-> post
Messages can be posted to the
.I mailbox
by
.BR dovecot\-lda ,
e.g. from Sieve scripts.
.\"-----------------
.TP
.B e \(-> expunge
Messages can be expunged.
.\"-----------------
.TP
.B k \(-> create
Mailboxes can be created/renamed directly under this
.I mailbox
(but not necessarily under its children, see
.I ACL Inheritance
in the wiki).
.br
Note: Renaming also requires the delete right.
.\"-----------------
.TP
.B x \(-> delete
.I Mailbox
can be deleted.
.\"-----------------
.TP
.B a \(-> admin
Administration rights to the
.I mailbox
(currently: ability to change ACLs for
.IR mailbox ).
.RE
.RE
.\"------------------------------------------------------------------------
.SH COMMANDS
.SS acl add
.B doveadm acl add
[\fB\-u\fP \fIuser\fP|\fB\-A\fP|\fB\-F\fP \fIfile\fP]
[\fB\-S\fP \fIsocket_path\fP]
.I mailbox id right
.RI [ right " ...]"
.PP
Add ACL rights to the
.IR mailbox / id .
If the
.I id
already exists, the existing rights are preserved.
.\"-------------------------------------
.SS acl debug
.B doveadm acl debug
[\fB\-u\fP \fIuser\fP|\fB\-A\fP|\fB\-F\fP \fIfile\fP]
[\fB\-S\fP \fIsocket_path\fP]
.I mailbox
.PP
This command can be used to debug why a shared mailbox isn\(aqt
accessible to the user.
It will list exactly what the problem is.
.\"-------------------------------------
.SS acl delete
.B doveadm acl delete
[\fB\-u\fP \fIuser\fP|\fB\-A\fP|\fB\-F\fP \fIfile\fP]
[\fB\-S\fP \fIsocket_path\fP]
.I mailbox id
.PP
Remove the whole ACL entry for the
.IR mailbox / id .
.\"-------------------------------------
.SS acl get
.B doveadm acl get
[\fB\-u\fP \fIuser\fP|\fB\-A\fP|\fB\-F\fP \fIfile\fP]
[\fB\-S\fP \fIsocket_path\fP]
.RB [ \-m ]
.I mailbox
.PP
Show all the ACLs for the
.IR mailbox .
.\"-------------------------------------
.SS acl recalc
.B doveadm acl recalc
[\fB\-u\fP \fIuser\fP|\fB\-A\fP|\fB\-F\fP \fIfile\fP]
[\fB\-S\fP \fIsocket_path\fP]
.PP
Make sure the
.IR user \(aqs
shared mailboxes exist correctly in the
.IR acl_shared_dict .
.\"-------------------------------------
.SS acl remove
.B doveadm acl remove
[\fB\-u\fP \fIuser\fP|\fB\-A\fP|\fB\-F\fP \fIfile\fP]
[\fB\-S\fP \fIsocket_path\fP]
.I mailbox id right
.RI [ right " ...]"
.PP
Remove the specified ACL rights from the
.IR mailbox / id .
If all rights are removed, the entry still exists without any rights.
.\"-------------------------------------
.SS acl rights
.B doveadm acl rights
[\fB\-u\fP \fIuser\fP|\fB\-A\fP|\fB\-F\fP \fIfile\fP]
[\fB\-S\fP \fIsocket_path\fP]
.I mailbox
.PP
Show the
.IR user \(aqs
current ACL rights for the
.IR mailbox .
.\"-------------------------------------
.SS acl set
.B doveadm acl set
[\fB\-u\fP \fIuser\fP|\fB\-A\fP|\fB\-F\fP \fIfile\fP]
[\fB\-S\fP \fIsocket_path\fP]
.I mailbox id right
.RI [ right " ...]"
.PP
Set ACL rights to the
.IR mailbox / id .
If the
.I id
already exists, the existing rights are replaced.
.\"------------------------------------------------------------------------
@INCLUDE:reporting-bugs@
.\"------------------------------------------------------------------------
.SH SEE ALSO
.BR doveadm (1),
.BR dovecot\-lda (1)
.\"-------------------------------------
.PP
Additional resources:
.IP "ACL Inheritance"
http://wiki2.dovecot.org/ACL#ACL_Inheritance