KBEC-00283 - How to list acl of a project using script?


We have acl groups and projects. How do we generate list of acl related to a project in the following format (similar to Access Control UI under section Privileges for Project), 1 as allow, 0 inherit, etc.

For example,

TypeNameReadModifyExecuteChange Permissions
projectPreflight Builds1111


CloudBees CD (CloudBees Flow) API “getAccess” retrieves ACL information (access control list) associated with an object, including inherited ACLs.

You must specify object locators to find the object where you need to verify access.

Object LocatorDescription
applicationNameThe name of the application container of the property sheet which owns the property; must be unique among all projects.
applicationTierNameThe name of the application tier container of the property sheet which owns the property.
artifactNameThe name of the credential container of the property sheet which owns the property.The name of the artifact.
artifactVersionNameThe name of the artifact version. Note: An artifact version name is interpreted by the server as the artifactVersionName attribute for theartifactVersion in question. This name is parsed and interpreted as"groupId:artifactKey:version" and the object is searched either way you specify its name–the Flow server interprets either name form correctly.
componentNameThe name of the component container of the property sheet which owns the property.
configNameThe name of the emailConfig container that owns the property.
credentialNameThe name of the credential container of the property sheet which owns the property.credentialName can be one of two forms: relative (for example, “cred1” ) - the credential is assumed to be in the project that contains the request target object. absolute (for example, “/projects/BuildProject/credentials/cred1”) - the credential can be from any specified project, regardless of the target object’s project.
emulateRestoreInheritanceWhether or not to include one level of broken inheritance if it exists. Used for seeing what access would look like if the lowest level of broken inheritance was restored. <Boolean flag - 0|1|true|false> If set to 1, this argument returns ACL information to what it would be if inheritance were restored on this object.
environmentNameThe name of the environment container of the property sheet which owns the property; must be unique among all projects.
environmentTierNameThe name of the environment tier container of the property sheet which owns the property.
gatewayNameThe name of the gateway container of the property sheet.
groupNameThe name of the group container of the property sheet that owns the property.
jobIdThe unique Flow-generated identifier (a UUID) for a job, assigned automatically when the job is created. Also accepts a job name assigned to the job by its name template.
jobStepIdThe unique identifier for a job step, assigned automatically when the job step is created.
notifierNameThe name of the email notifier that contains the ACL.
objectIdThis is an object identifier returned by findObjects and getObjects.
pathProperty path string.
pluginNameThe name of the plugin that contains the ACL.
procedureNameThe name of the procedure containing the ACL. *Also requires *projectName
processNameThe name of the process, if the container is a process or process step.
processStepNameThe name of the process step, if the container is a process step.
projectNameThe name of the project that contains the ACL; must be unique among all projects.
propertySheetIdThe unique identifier for a property sheet, assigned automatically when the property sheet is created.
repositoryNameThe name of the repository for artifact management.
resourceNameThe name of the resource that contains the ACL.
resourcePoolNameThe name of a pool containing one or more resources.
scheduleNameThe name of the schedule containing the ACL. *Also requires *projectName
stateDefinitionNameThe name of the state definition.
stateNameThe name of the state.
stepNameThe name of the step containing the ACL. *Also requires *projectName and procedureName
systemObjectNameSystem objects include: admin|artifactVersions|directory|emailConfigs|log|plugins| server|session|workspaces
transitionDefinitionNameThe name of the transition definition.
transitionNameThe name of the transition.
userNameThe name of the user that contains the ACL.
workflowDefinitionNameThe name of the workflow definition.
workflowNameThe name of the workflow.
workspaceNameThe name of the workspace that contains the ACL.
zoneNameThe name of the zone.
Positional arguments

Arguments to specify the object, beginning with the top-level object locator.


One or more object elements, each consisting of one or more aclEntry elements. Each object represents
an object in the ACL inheritance chain starting with the most specific object. Each aclEntry identifies a user or
group and the privileges granted or denied by the entry, and includes a breakInheritance element if applicable.

and you should parse the return values to any format you’d like to generate.


{projectName =\> "Sample Project"}



ectool getAccess --projectName "Sample Project"

See Also

Add links to other pages here.

Applies to

  • Product versions: 4.2.x, 5.x, 6.x
  • OS versions: All

Have more questions?


Please sign in to leave a comment.