Access Control

A full ACL system is built directly into Apex, letting you control exactly who has access to each of your repositories.

Access Types

There are three different types of access:

  • manager - Full access to all repositories, plus the ability to grant and revoke access privileges to others.
  • package - Commit access to a single code repository.
  • branch - Commit access to a single branch on a single code repository.

Access Levels

Access levels do not apply to the manager access type. For the package and branch access types, there are four different access levels:

  • admin - Full control over the repository, including the ability to grant / revoke access.
  • maintainer - Provides maintainer access according to the settings within the package.yml file.
  • team - Provides team access according to the settings within the package.yml file.
  • readonly - Provides read-only access to the package / branch, but no commit access.

Grant Access

Because the network is secured with X.509 certificates, you can only grant access unilaterally to a user who already has an X.509 certificate signed by you. If the user does not already have one, they must request access instead of you granting it.

A user can request access via the acl request-manager, acl request-package, or acl request-branch CLI commands. Once access has been requested, you may approve or deny the request using the acl pending CLI command by running:

apex acl pending

If you approve the request, your SSH key is used to sign the CSR contained in the request, which gives the user a signed X.509 certificate and provides the requested access. Once a user has an X.509 certificate signed by you, all future access can be granted unilaterally via the acl grant-manager, acl grant-package, or acl grant-branch CLI commands.

For all available CLI commands, please visit the acl CLI commands section of the documentation.