---
title: CLI ACL editor
sidebar_label: CLI ACL editor
---

The `dhconfig acls` command-line tool allows administrators to manage users, groups, passwords, keys, and table ACLs. This page covers common tasks; see the [dhconfig acls reference](../configuration/dhconfig/acls.md) for complete documentation.

## Quick reference

| Task              | Command                                                             |
| ----------------- | ------------------------------------------------------------------- |
| List users        | `dhconfig acls users list`                                          |
| Create user       | `dhconfig acls users add --name username`                           |
| Delete user       | `dhconfig acls users delete --name username`                        |
| Set password      | `dhconfig acls users set-password --name username`                  |
| List groups       | `dhconfig acls groups list`                                         |
| Add user to group | `dhconfig acls groups add-member --name username --group groupname` |
| Import public key | `dhconfig acls publickeys import -f /path/to/key.txt`               |
| Export all ACLs   | `dhconfig acls export --file /tmp/acls.xml`                         |

All commands should be run as `irisadmin`:

```bash
sudo -u irisadmin /usr/illumon/latest/bin/dhconfig acls <command>
```

## User management

### Create a user

```bash
sudo -u irisadmin /usr/illumon/latest/bin/dhconfig acls users add --name username
```

Create a user and add them to groups:

```bash
sudo -u irisadmin /usr/illumon/latest/bin/dhconfig acls users add \
  --name username \
  --group traders analysts
```

### List users

```bash
sudo -u irisadmin /usr/illumon/latest/bin/dhconfig acls users list
```

### Delete a user

```bash
sudo -u irisadmin /usr/illumon/latest/bin/dhconfig acls users delete --name username
```

> [!NOTE]
> System users (`iris`, `merge`, `tdcp`) cannot be deleted.

### Set a password

Interactive (prompts for password):

```bash
sudo -u irisadmin /usr/illumon/latest/bin/dhconfig acls users set-password --name username
```

Non-interactive (using hashed password):

```bash
HASHED_PW=$(openssl passwd -apr1 'yourpassword')
sudo -u irisadmin /usr/illumon/latest/bin/dhconfig acls users set-password \
  --name username \
  --hashed-password "$HASHED_PW"
```

> [!WARNING]
> Specifying passwords on the command line may store them in shell history.
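
To keep the plaintext out of both shell history and the process list, the hash can be produced from a secret file that only its owner can access. This is an added example, not part of the Deephaven documentation; the function names and the secret-file location are assumptions, and `openssl passwd -stdin` reads the password from standard input instead of the arguments.

```shell
#!/bin/sh
# Added example: set a password non-interactively without the plaintext
# appearing in argv (ps output) or in shell history.
# Function names and the secret file location are assumptions of this example.

# Succeeds only if the file exists and grants nothing to group or other.
secret_file_is_private() {
  [ -f "$1" ] || return 1
  # find prints the path if any group/other permission bit is set
  loose=$(find "$1" -prune \( -perm -040 -o -perm -020 -o -perm -010 \
                              -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
  [ -z "$loose" ]
}

# Prints an apr1 hash of the first line of the secret file.
hash_password_file() {
  secret=$1
  if ! secret_file_is_private "$secret"; then
    echo "refusing to read $secret: missing or accessible to group/other" >&2
    return 2
  fi
  # The plaintext travels over a pipe into openssl's stdin, not its arguments.
  hashed=$(head -n 1 "$secret" | openssl passwd -apr1 -stdin) || return 3
  case $hashed in
    '$apr1$'*) printf '%s\n' "$hashed" ;;
    *) echo "unexpected hash format from openssl" >&2; return 3 ;;
  esac
}

# Hashes the secret and hands only the hash to dhconfig.
set_password_from_file() {
  user=$1 secret=$2
  hashed=$(hash_password_file "$secret") || return $?
  sudo -u irisadmin /usr/illumon/latest/bin/dhconfig acls users set-password \
    --name "$user" \
    --hashed-password "$hashed"
}
```

Call it as `set_password_from_file username /path/to/secret`, then remove the secret file once the password is set.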

### Remove a password

Remove the local password so that the user must authenticate externally (LDAP/SAML):

```bash
sudo -u irisadmin /usr/illumon/latest/bin/dhconfig acls users remove-password --name username
```

## Group management

### List groups

```bash
sudo -u irisadmin /usr/illumon/latest/bin/dhconfig acls groups list
```

### Add users to groups

```bash
sudo -u irisadmin /usr/illumon/latest/bin/dhconfig acls groups add-member \
  --name user1 user2 \
  --group traders analysts
```

### Remove users from groups

```bash
sudo -u irisadmin /usr/illumon/latest/bin/dhconfig acls groups remove-member \
  --name user1 \
  --group traders
```

### Delete a group

```bash
sudo -u irisadmin /usr/illumon/latest/bin/dhconfig acls groups delete --group groupname
```

## Table ACLs

### Add a row ACL

```bash
sudo -u irisadmin /usr/illumon/latest/bin/dhconfig acls rows add \
  --namespace Market \
  --table Trades \
  --group traders \
  --acl "new GroupFilterGenerator(\"Region\")"
```

> [!NOTE]
> Use shell quoting for ACL expressions containing special characters.

### Add a column ACL

```bash
sudo -u irisadmin /usr/illumon/latest/bin/dhconfig acls columns add \
  --namespace Market \
  --table Trades \
  --group traders \
  --columns Price Size \
  --acl "*"
```

### List table ACLs

```bash
sudo -u irisadmin /usr/illumon/latest/bin/dhconfig acls rows list
sudo -u irisadmin /usr/illumon/latest/bin/dhconfig acls columns list
```

See [Table ACLs](./table-acls.md) for detailed information on row and column access control.

## Import and export

### Export ACL data

Export all ACLs to XML:

```bash
sudo -u irisadmin /usr/illumon/latest/bin/dhconfig acls export --file /tmp/acls-backup.xml
```

Export specific types:

```bash
sudo -u irisadmin /usr/illumon/latest/bin/dhconfig acls export \
  --file /tmp/users.xml \
  --type passwd \
  --type usergroup
```

### Import ACL data

Import with different conflict handling:

```bash
# Fail on conflicts (default)
sudo -u irisadmin /usr/illumon/latest/bin/dhconfig acls import --file /tmp/acls.xml

# Overwrite existing entries
sudo -u irisadmin /usr/illumon/latest/bin/dhconfig acls import --file /tmp/acls.xml --overwrite

# Skip existing entries
sudo -u irisadmin /usr/illumon/latest/bin/dhconfig acls import --file /tmp/acls.xml --ignore-existing

# Replace entire ACL database (requires --direct)
sudo -u irisadmin /usr/illumon/latest/bin/dhconfig acls import --file /tmp/acls.xml --replace-all --direct
```

> [!WARNING]
> The `--replace-all` option deletes all existing ACL data before importing.
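
Because `--replace-all` is destructive, a wrapper can export the current ACLs to an owner-only backup and confirm it is non-empty before importing. This is an added example, not part of the Deephaven documentation; it assumes the script runs as `irisadmin`, and the `DHCONFIG` variable, the function name and the backup directory are assumptions.

```shell
#!/bin/sh
# Added example: take a private backup of the current ACLs before a
# destructive --replace-all import. Assumes the script runs as irisadmin.
# DHCONFIG, the function name and the backup directory are assumptions.
DHCONFIG=${DHCONFIG:-/usr/illumon/latest/bin/dhconfig}

replace_all_with_backup() {
  new_acls=$1 backup_dir=$2
  [ -s "$new_acls" ] || { echo "import file $new_acls is missing or empty" >&2; return 2; }
  [ -d "$backup_dir" ] || { echo "backup directory $backup_dir not found" >&2; return 2; }

  backup="$backup_dir/acls-before-replace-$(date +%Y%m%dT%H%M%S).xml"
  # A full export covers the passwd type too, so create it readable by owner only.
  ( umask 077; "$DHCONFIG" acls export --file "$backup" >&2 ) || {
    echo "export failed; nothing was imported" >&2; return 3; }
  [ -s "$backup" ] || { echo "backup $backup is empty; nothing was imported" >&2; return 3; }

  # Only now run the destructive step; tool output goes to stderr so that
  # stdout carries nothing but the backup path.
  if ! "$DHCONFIG" acls import --file "$new_acls" --replace-all --direct >&2; then
    echo "import failed; previous ACLs are saved in $backup" >&2
    return 4
  fi
  printf '%s\n' "$backup"
}
```

On success the function prints the backup path, which can be passed to a later `import --replace-all --direct` to roll back.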

## Related documentation

- [dhconfig acls reference](../configuration/dhconfig/acls.md) - Complete command reference
- [Authentication keys](./authentication-keys.md) - Key-based authentication
- [Web ACL editor](./web-acl-editor.md) - Web-based ACL management
- [Table ACLs](./table-acls.md) - Row and column access control
- [Permissions overview](./permissions-overview.md)
