Metaacls are a special form of ACLs which define the access to metadata. A metaacl lists which metaoperations (calls) are allowed for an action, written as a `user action type call meta constr` tuple. A `*` matches anything and a `!` in front of an item reverses the match. Any item in that list can be a comma separated sublist (without spaces).
| Field | Meaning |
|---|---|
| user | A user, group or role. |
| action | The name of an action. |
| type | The type in effect for the operation (path). |
| call | The metacall to be executed (set, get, lookup, erase, …). |
| meta | The metadata type involved (without the leading '_'). |
| constr | A constraint on the match, one of the values below. |
| constr | Meaning |
|---|---|
| `*` (all) | No path check is done. |
| `exact` | Must exactly match the given metadata path. |
| `recursive` | Matches also the parent dirs (metalookup). |
| `deny` | Explicitly forbids access. |
| Rule | Effect |
|---|---|
| `Admin acl * acl *` | Admins can acl-admin |
| `Admin metaedit * !metaacl,* *` | Admins can edit any metadata except metaacls |
| `Blacklisted * * * deny` | Anyone in group blacklisted gets anything denied |
| `* create set * exact` | The create action may set any metadata for the file it operates on |
| `* account * users recursive` | The account action has full access to the user account data |
| `* * lookup !acl,!metaacl,!groups,!users,!roles,* *` | Anyone and any action may lookup any non security related metadata |
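Added example (not code from the page or its project): a small Python evaluator for the rule format above, using the five-field `user action call meta constr` order the example rules use and those six rules as its rule set. It assumes first-match-wins evaluation, that a `!`-prefixed item decides a sublist as soon as its bare name matches, and that `recursive` matches targets at or below the path the metaacl is stored on.

```python
# Constructed rule set: the six example rules from this page, one per line,
# in the field order those examples use: user action call meta constr.
RULES_TEXT = """
Admin acl * acl *
Admin metaedit * !metaacl,* *
Blacklisted * * * deny
* create set * exact
* account * users recursive
* * lookup !acl,!metaacl,!groups,!users,!roles,* *
"""

def item_matches(item, value):
    """A bare list item: '*' matches anything, otherwise it must be equal."""
    return item == "*" or item == value

def field_matches(field, value):
    """Comma separated sublist: the first item whose bare name matches decides,
    a leading '!' inverting it, so '!metaacl,*' admits all but 'metaacl'."""
    for item in field.split(","):
        if item_matches(item.lstrip("!"), value):
            return not item.startswith("!")
    return False

def parse_rules(text):
    """Split each non-empty line into a (user, action, call, meta, constr) tuple."""
    return [tuple(line.split()) for line in text.strip().splitlines()]

def path_ok(constr, acl_path, target):
    """exact/recursive compare target with the path the metaacl is stored on;
    '*' and 'deny' do no path check (recursive semantics are assumed)."""
    if constr == "exact":
        return target == acl_path
    if constr == "recursive":
        return target == acl_path or target.startswith(acl_path.rstrip("/") + "/")
    return True

def check(rules, acl_path, principals, action, call, meta, target):
    """Assumed first-match-wins: the first rule whose user, action, call, meta
    and path all match decides, and a matching 'deny' rule refuses access.
    principals holds the caller's user name plus its groups and roles."""
    for user, act, cl, mt, constr in rules:
        if (any(field_matches(user, p) for p in principals)
                and field_matches(act, action) and field_matches(cl, call)
                and field_matches(mt, meta) and path_ok(constr, acl_path, target)):
            return constr != "deny"
    return False   # nothing matched: no access is granted by default

RULES = parse_rules(RULES_TEXT)
```

Because a matching `deny` rule only wins if no earlier rule matched first, rule order matters as much as the rule contents when writing a metaacl.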