Administration Guide

This Admin Guide details the common procedures that you will need to follow in order to set up and use Access Control Plus.

3.1 Starting Up

To start Access Control Plus, follow these steps:

  1. Open a terminal window on the server and login with suitable file permissions.
  2. Run the scm-access-control-plus service, located in the /etc/init.d folder:
    lrwxrwxrwx  1 root root        65 Apr 24 11:43 scm-access-control-plus -> /opt/wandisco/scm-access-control-plus/bin/scm-access-control-plus
  3. Run the script with the start command:
    [root@localhost init.d]#  ./scm-access-control-plus start
    Starting scm-access-control-plus:. [ OK ]
  4. The Access Control Plus application will start. Read more about the svn-multisite init.d script

3.2 Shutting down

To shutdown:

  1. Open a terminal window on the server and login with suitable file permissions.
  2. Run the svn-multisite service, located in the init.d folder:
    lrwxrwxrwx  1 root root        65 Apr 24 11:43 scm-access-control-plus -> /opt/wandisco/scm-access-control-plus/bin/scm-access-control-plus
  3. Run the stop script, i.e.:
    [root@redhat6 init.d]#   ./scm-access-control-plus stop
    Stopping scm-access-control-plus:.                         [  OK  ]
  4. The process will shut down.

3.3 init.d Management Script

The 'start-up' script for persistent running of Access Control Plus can be found in the /etc/init.d folder. Run the script with the help command to list the available commands:

[root@redhat6 init.d]#  ./scm-access-control-plus help
usage: ./scm-access-control-plus (start|stop|restart|force-reload|status|version)

start         Start Access Control Plus services
stop          Stop Access Control Plus services
restart       Restart Access Control Plus services
force-reload  Restart Access Control Plus services
status        Show the status of Access Control Plus services
version       Show the version of Access Control Plus


Check the running status (with current process ID).

[root@redhat6 init.d]# ./scm-access-control-plus status
Checking scm-access-control-plus:running with PID 29516    [  OK  ]


[root@redhat6 init.d]# ./scm-access-control-plus version

3.4 Password change/recovery

This section explains what to do if an admin loses their password and needs to regain entry to Access Control Plus. Currently the method uses a script that resets Access Control Plus's authentication. If you have set up to use LDAP, this will be disabled, returning access to local users. A new administrator-level local users will be created with credentials that you supply when you run the script.

Disable LDAP/external authentication
In the event that you need to disable LDAP authentication and return your deployment to the default internally managed users, use the following procedure. Your LDAP authorites will not be deleted, only disabled. They can be re-enabled from the Settings screen.

  1. Open a terminal on your node. Navigate to the replicator directory.
    $  cd /opt/wandisco/scm-access-control-plus

  2. Run the following command-line utility.
    [root@redhat6 scm-access-control-plus]# java -jar scm-access-control-plus-resetSecurity.jar
    Enter full path to the replicator properties folder: /opt/wandisco/scm-access-control-plus/properties
    Enter your username: temporary
    Enter your new password:************
    Confirm your new password:************
    Enter your first name: Temorary
    Enter your last name: Account
    Enter your email address:
    A new user has been created, in order for this to take effect you will need to restart this node.
    [root@redhat6 scm-access-control-plus]#

  3. Respond to each prompt, then when you've entered everything, restart Access Control Plus to add the new users.

  4. Now login using the orginal authentication form:


An Account is a collection of information that tells Access Control Plus which resources the account holder can access and what level of access they should have. Accounts are the fundamental building blocks for Access Control, although the Access Control model actually handles permissions only on a per-team basis, not directly on individual accounts.

3.5 Create an Account

There are three methods for four routes to an account creation. This procedure follows the sequence that follows from clicking the Create User button, on the Accounts pane that appears on the master screen. You can also create an account from within the Create Team procedure. A more common approach is to add accounts by setting up a query to an available LDAP authority, to add accounts using LDAP, see Connect to LDAP.

Shortly it will be possible to create accounts using a REST API.

Access to nothing by default All accounts are created with no access to any resources. For an account to gain access to a repository it must first become a member of a team, then that team must have a rule set up that associates repository resources along with permission levels. For more details see the section about Rules

3.6 Edit an existing account

Use the following procedure to make changes to an existing account.

LDAP-based users

3.7 Remove an account

Use this procedure to completely remove an account from Access Control Plus. Be aware that it is often better to disable accounts, should the holder need to get their access back in future.

If you need to check the accounts particulars to ensure that you are removing the correct account, go to the accounts details screen, you'll find a Delete button at the bottom. This does the same thing as the remove link on the main management screen.

3.8 Disable an account

Disable accounts remain stored in Access Control Plus, they are, however, unable to login or interactive with any repository resources. A disabled account can be added back at a moments notice by re-enabling them.

Disabled accounts are not counted towards the licensed number of users so it is possible to store users in a disabled state even if you are needing to make room for additional users within the limit of your current license.

Currently this isn't working for me.


Teams are intended to make organizing account permissions much simpler as they allow you to apply rules en mass, rather than have to detail permissions for each individual account. There are.

3.9 Create a Team

Use this procedure to set up a new Access Control Team. This method follows the method for adding accounts manually, it is also possible to manager your team structure through LDAP, setting up a query that will filter for the specific account holders that you need for a particular team. For more about this see Adding an LDAP-based team

Adding an LDAP-based team

Follow this procedure to create a team that is populated from an LDAP authority.

Warning It's currently not possible to remove LDAP settings once applied to a team. We'll address this issue as a matter of urgency.

Mix and match Once LDAP-based accounts have been added to Access Control Plus, they'll appear within the Accounts pane and can be added to any team. However, it's easier to track and manage LDAP users if they're enabled through their own team, where the team is setup to get its members from an authority (although, so longas you tick the checbox Allow local users you can also added local users to an LDAP-managed team.

3.10 Edit a Team

3.11 Delete a Team


Resources are the available repository data, they can be in the form of full repositories or small portions of a repositories file tree. It's only possible to add Resources to Access Control Plus when there is at least one account assigned to a team.

3.12 Create a Resource

Use this procedure to create additional resources, when not syncing with WANdisco's MultiSite products. If you are connecting to MultiSite then resources are selected from whatever repositories that are automatically added. See Create a Resource in a MultiSite Environment

Create a Resource in a MultiSite Environment

Use this procedure to create additional resources, if syncing with WANdisco's MultiSite products. If you are connecting to MultiSite then resources are selected from whatever repositories that are automatically added.

Repositories (w/o templates) currently can't be deleted until they are assigned a template.

3.13 Edit a Resource

You can easily edit resources by clicking on the resource's name.

3.14 Remove a Resource

You can remove the resource from the main screen:


Rules are used to define the parameters for what resources and what permission levels are applied to accounts, strickly through the account's team membership - rules are not applied directly to accounts. Accounts can only have rules applied to them if they are first assigned to a team.

3.15 Using Rule lookup

The Rule lookup tool provides administrators with a means of testing what access and permissions apply to specific accounts. Given that Accounts can belong to multiple teams and have multiple rules applied, the Rule lookup tool can useful tool.

If you have two repositories with the same name (also of the same SCM type) then currently a rule lookup that will display them will currently only show one of the repositories (chosen randomly). We'll address this issue in a future release.

3.16 Create a Rule

Use this procedure to create a new rule

3.17 Edit a Rule

You can edit a rule by clicking on its name on the main screen. This will open up the Rule from where you can modify any of its settings.

3.18 Delete a Rule

You can delete a rule by clicking on it's corresponding check box and then clicking on the - Remove button.


This section deals with the changing and modifying the application settings.

3.19 Connecting your nodes

If you are deploying multiple Access Control Plus node, you'll need to do the following steps to get the nodes talking to each other correctly.

Nodes that are not the state machine creator will be locked-down until they're inducted
You won't be able to create any objects (accounts, teams, rules etc) on the non-state machine creator nodes until you have completed the following procedure.

3.20 Enable SSL Encryption

Access Control Plus supports the use of Secure Socket Layer encrytion (SSL) for securing network traffic. Currently SSL properties are not exposed through the admin console, instead you need to make edits to Access Control Plus's applications properties file.

If you plan to use SSL you need to run through the following steps before going into production.

SSL is enabled for both UI and the underlying Rest API (the administrator's access to HTTP port will automatically redirect to HTTPS) AND for internal communication between nodes on application.port. For this reason the switch over needs to be done on all nodes at once, otherwise those nodes that delayed their switch will no longer be able to talk to those nodes running with SSL.

Using stronger and faster encryption
Java's default SSL implementation is intentionally weak so as to avoid the import regulations associated with stronger forms of encryption. However stronger algorithms are available to install, placing the legal responsibility for compliance with local regulation on the user.

See Oracle's page on the Import limits of Cryptographic Algorithms.

If you need stronger algorithms, I.E., AES which supports 256-bit keys, then you can download JCE Unlimited Strength Jurisdiction Policy Files that can be installed with your JDK/JRE.

See Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7

SSLv3 Support SSLv3 is support (though not enforced). If your browser setting has SSLv3 disabled, you will get a handshake error message. If it has both SSLv3 and TLS enabled, then, depending on the browser, it will try to switch from TLS to SSLv3 during the handshake. If you receive a handshake error message in your browser, make sure that TLS is disabled and only SSLv3 is enabled. All current browsers support SSLv3.

Setting the server key

In the keystore, the server certificate is associate with a key. By default, we look for a key named server to validate the certificate. If you use a key for the server with a different name, enter this in the SSL settings.

SSL Troubleshooting

A complete debug of the SSL logging will be required to diagnose the problems. To capture the debugging, run the java process with:

'' flag.

To enable the logging of SSL implemented layer, turn the logging to FINEST for '' package.

3.21 Node Repair

The Node Repair tool is used to recover from the loss of one or more nodes. Once replication is set up.

Important: The Node Repair tool provides an effective method of returning a failed node back into production. However, its misuse can worsen the situation. Until we place blocks against potentially destructive actions we strongly recommend that you don't use the Repair Tool unless under direct instruction from WANdisco's support team.

3.22 Connect to MultiSite

In this section we connect Access Control Plus to an existing Git or SVN MultiSite setup.

Return to the Getting Set up

3.23 Connect to LDAP

This section explains how to configure Access Control Plus to query one or more LDAP authorities in order to pull in accounts for your Git or Subversion users.

LDAP Settings

The settings tell Access Control Plus how to use any available LDAP Authorities that you connect up.

Synchronisation Period (minutes)
Access Control Plus will rerun your LDAP queries with this frequency, picking up any changes that may have occurred within the LDAP service.

Don't set the period to 0. You shouldn't need to constantly hit your LDAP authority.

If you perform an import from an earlier version of Access Control you must ensure that Access Control Plus does not poll the LDAP authorities during the process. You can do this by setting the Synchronisation Period to 999 (minutes) - Just for the duration of the import

Allow Local Users (checkbox)
Ticked by default. When ticked it is possible to field both LDAP-controlled and manually entered Accounts. Some organizations don't permit manually entered accounts, they need to be sure that all accounts are managed through their LDAP. If this is the case, untick the check box once you're LDAP accounts have been successfully imported.

TIP Should you be running with Local Users disabled and your LDAP service fails, you can re-enable local users as part of the account password recovery process. This process will automatically re-enable local users, allowing you to gain access to the admin console.

Entering LDAP Authority details

This is the entry form for adding any number of LDAP Authorities. Multiple Authorities are checked in the order that matches their order number (see below). The lower the order number, the earlier the authority is checked.

The priority given to the LDAP URL. e.g. A Location Order of 1 means that Access Control will look within that defined authority for a user first. If unsuccessful then Access Control will then check the authority with the next order number (e.g. 2).
Regular Expression:
Enter a regular expression to set a pattern for matching against available LDAP authorities. The expression, is applied locally to limit unnecessary queries against available LDAP authorities. For instance, setting an expression that specifies a top-level domain can ensure that authentication of a user (whose username is their email address) doesn't need to run through all LDAP authorities, but instead can be checked only against those servers that match the the regular expression - in this case, the same top-level domain.

URL: the URL for the LDAP authority, using the format ldap(s)://hostport/basedn?attribute
Bind User DN:
Bind Password:
First Name Attribute:
Last Name Attribute:
Email Address Attribute:
Public Key Attribute:
(Optional) Used with the LDAP service is encrypted, requiring Access Control Plus to be setup with an SSH key pair. As with any public key entry, make sure that no line breaks are introduced to the key, it should be one long string, no breaks.
Case Insensitive Usernames?
Tick this checkbox if you need MultiSite to stop distinguishing between usernames that differ only by their case pattern.
For example, with the "Case Insensitive Usernames?" unticked (it is by default), MultiSite will treat username "MelissaJones" and username "melissajones" as two distinct users. Support for username case insensitivity is a feature that may be required when Active Directory
System Administrator Group?:
Tick this checkbox if the authority will return users who are System Administrators (able to access the MultiSite admin console).

We strongly recommend that you guard against the adding of LDAP-based accounts that use the same account name. Currently there's no guard against having two accounts with the same name - as accounts can be distributed accross any number of authorities. In the event that you attempt to add two accounts that use the same account name, their addition will fail and an error message will appear in the logs that warns you of an "Incorrect result size: expected 1, actual 2".

3.24 Email Notification

The mail notification system lets you connect Access Control Plus to an email gateway server, which enables it to send alert email concerning important system events. It's possible to add as many email gateways as you like, so that the loss of a single mail server need to result in the halting of notifications.

The following procedure shows you have to set up an email gateway.

Notifiable events

The following events currently trigger notifications (when suitably configured)

3.25 Create a Repository Template

In Access Control Plus's backend, there's a mechanism or managing and replicating the core password and or authz files. This mechanism needs a template creating which will contain the path location for these files, as well as a number of optional parameters. Once setup, Repositories that are added to Access Control can be assigned the template, telling Access Control Plus how to handle the repository's necessary files.

Follow this procedure for adding a Repository Template:

3.26 Enable/Disable Batch updates

Follow this procedure to enable Batch mode. Make sure you understand what it does and how it works before you do though.

Batch updates is a mechanism that can improve performance in large deployments that field large numbers of accounts holders, accross a number of nodes. There's a section in the Reference Guide that explains more about Batch Updates Mode.

See Access Control Updates for more details.

3.2.7 Example Configuration

Per-repository Authz via SVNServe and SSH

The following details map out an example setup that sets up authorization using Authz on a per-repository basis, running on SVNServe with SSH encryption. This is only intended as an illustration, so you shouldn't follow it as an actual set up procedure.

Repository Template

Access Control Plus Login

The setting set the target location of the authz file and the common path segment of the SVN repositories:

Target Location:
Common Repository Path Segment:


svnserve.conf controls the behavior of the svnserve daemon on a per-repository basis. It is located in the conf subdirectory of the repository, e.g. /opt/svn/repo/conf/svnserve.conf.

anon-access = none 
auth-access = write
authz-db = authz
Determines the access level for unauthenticated users. "write" allows all repository operations. "read" allows all operations except committing and changing revision properties. "none" allows no unauthenticated access. The default level is "read".
Determines the access level for authenticated users, using the same access levels as above. The default level is "write".
The authz-db option controls the location of the authorization rules for path-based access control. filename may be relative to the repository conf directory. There is no default value. If you don't specify an authz-db, no path-based access control will be set.


The following configuration is required on the server:


The following configuration is required for clients:

Access Control Plus Admin Console settings

An Authz file should be generated, here:

It should look like this: Example (Team: team1, Account Name: user1, Resource: repo0, Perms: RW)
# Generated by Access Control Plus, WANdisco.
# ACP Node Name            : node1
# ACP Node Hostname        :
# Generation Audit number  : abab31d2-a266-426b-a578-336b58419130
# Generation Serial number : 187
# Template Id              : 97e47269-4b20-40e8-b1a0-fa052d74ecb9
# Template Name            : svn
# Template Description     : svn
# Assignment Type          : svn-authz
# Assignment Id            : 1de6a9c6-c8ec-4eaa-9391-0a7cd55f8ab3
# Assignment Modified at   : 2014-05-27 23:32:16.346

virtual_team_team1_rule_rule1_88b17a89-157b-48ab-a9dd-364912f20b25 = user1

* = 

@virtual_team_team1_rule_rule1_88b17a89-157b-48ab-a9dd-364912f20b25 = rw	

Client-side access

Access the repository using:

svn co svn+ssh://wandisco@<ip address>/repo