File: openvpn3-config-acl.1.rst

===================
openvpn3-config-acl
===================

---------------------------------------------------------
OpenVPN 3 Linux Management - Configuration Access Control
---------------------------------------------------------

:Manual section: 1
:Manual group: OpenVPN 3 Linux

SYNOPSIS
========
| ``openvpn3 config-acl`` ``-o DBUS-PATH`` | ``--path DBUS-PATH`` | ``--config CONFIG-NAME`` ``[OPTIONS]``
| ``openvpn3 config-acl`` ``-h`` | ``--help``


DESCRIPTION
===========
Each configuration profile has its own Access Control List associated with it.
This enables a configuration profile to be shared with other users in a
controlled way, where specific users or all users can be granted access to
start new VPN sessions from pre-loaded configurations.  It can also be used to
restrict users from viewing the contents of the configuration profile while
still being able to start VPN sessions.

All options below can be used together.  If the ``--show`` option is used, it
will list the current Access Control List after any changes have been performed.

OPTIONS
=======

-h, --help              Print usage and help details to the terminal.

-o DBUS-PATH, --path DBUS-PATH
                        D-Bus configuration path to the configuration to manage
                        the ACL.  This can be found in
                        ``openvpn3 configs-list``.

--config-path DBUS-PATH
                        Alias for ``--path``.

-c CONFIG-NAME, --config CONFIG-NAME
                        Can be used instead of ``--path`` where the
                        configuration profile name is given instead.  Available
                        configuration names can be found via
                        ``openvpn3 configs-list``.

-s, --show              Show the currently active ACL.

-G USER, --grant USER
                        Grant the given user read-only access to this
                        configuration profile.  The USER argument can be either
                        UID or username belonging to the system.

-R USER, --revoke USER
                        Revoke access on this configuration profile for the
                        given user.  The USER argument can be either UID or
                        username belonging to the system.

--public-access BOOL
                        Grant all users on the system read-only access to
                        this configuration profile.  This effectively disables
                        the more fine-grained access control provided via
                        ``--grant``.  Valid argument values: :code:`true`,
                        :code:`false`

-T BOOL, --transfer-owner-session BOOL
                        If another user is granted access to the configuration
                        profile, that user will be the owner of the VPN session
                        when started.  Setting this flag to true will transfer
                        the ownership back to the profile owner while granting
                        the user starting the session rights to also manage the
                        session.  See ``openvpn3-session-acl``\(1) for details
                        on the session ACLs.

--lock-down BOOL
                        Locks down the configuration profile so it can only
                        be used to start new VPN sessions by users granted
                        access.  Only the configuration profile owner can now
                        show the profile contents via ``openvpn3 config-dump``.
                        Valid argument values: :code:`true`, :code:`false`

-S, --seal              This seals the configuration profile for everyone,
                        making the configuration profile effectively read-only,
                        even for the owner.  A configuration profile *cannot* be
                        unsealed.
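
The options above combined into one call, as an added example that is not part of the original manual page or the OpenVPN 3 Linux project: a shell wrapper that shares a profile with named users only and locks it down, plus the matching revoke.  The function names, the ``OPENVPN3`` override variable and the sample profile and user names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not project code.  Uses only options documented on this page.
# OPENVPN3 is a variable introduced for this example: set it to
# "echo openvpn3" to print the command line instead of running it.
: "${OPENVPN3:=openvpn3}"

# share_locked PROFILE USER...
# Grant each USER (username or UID) access to PROFILE, keep public access
# off so that only the granted users can use it, lock the profile down so
# only the owner can dump its contents, then show the resulting ACL.
share_locked() {
    [ "$#" -ge 2 ] || { echo "usage: share_locked PROFILE USER..." >&2; return 2; }
    profile=$1
    shift
    # Rewrite the positional parameters from "u1 u2" to
    # "--grant u1 --grant u2" without losing quoting.
    n=$#
    while [ "$n" -gt 0 ]; do
        set -- "$@" --grant "$1"
        shift
        n=$((n - 1))
    done
    # $OPENVPN3 is left unquoted on purpose so "echo openvpn3" splits.
    $OPENVPN3 config-acl --config "$profile" "$@" \
        --public-access false \
        --lock-down true \
        --show
}

# revoke_user PROFILE USER
# Remove USER from the ACL of PROFILE and show what remains.
revoke_user() {
    [ "$#" -eq 2 ] || { echo "usage: revoke_user PROFILE USER" >&2; return 2; }
    $OPENVPN3 config-acl --config "$1" --revoke "$2" --show
}

# Constructed sample invocation (dry run):
#   OPENVPN3="echo openvpn3" share_locked corp-vpn alice 1001
```

Running the dry run first and reading the printed command line is a cheap check before changing the ACL of a real profile; ``--seal`` is deliberately left out of the wrapper because it cannot be undone.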


SEE ALSO
========

``openvpn3``\(1)
``openvpn3-config-import``\(1)
``openvpn3-config-manage``\(1)
``openvpn3-config-dump``\(1)
``openvpn3-configs-list``\(1)
``openvpn3-session-acl``\(1)