Git ACLs are defined in the .gitacls file, which must exist in the {git_root} directory specified in the /etc/repo_shell.conf file. The file has three section types:

    [user_groups]
    [repo_groups]
    [repo ...]

Multiple repo sections are allowed.

The user_groups section defines userids that denote groups of users. This can greatly simplify the configuration file contents. For example, all developers can be placed in one group, and all QA people placed in another, like so:

    [user_groups]
    devs = bob mike susan frank
    qa = denise tod

repo_groups provide similar functionality for repo names. Here, especially for repositories placed in a tree of subdirectories, the wildcard character (the asterisk, '*') can be used. In the example below, all repositories in the dev subdirectory are assigned to the group 'dev_repos', all repos in the qa subdirectory are assigned to the group 'qa_repos', and a select set of repositories are placed in the 'special' group:

    [repo_groups]
    dev_repos = dev/*
    qa_repos = qa/*
    special = git-utils.git deploy-utils.git repo_shell.git

There should be one repo section for every repository or repository group to which users and user groups will be assigned permission. The format of the section is: [repo , but it may contain the wildcard character.

The first example assigns permissions to repos in the dev_repos group, where users in the devs group have read-write access and all other users get read access, except for mary, who has for some reason been denied all access. Note that the wildcard may also be used when specifying the userid.

    [repo dev_repos]
    mary =
    devs = rw
    * = r

= The first match is the match used

The ACL file is scanned until a match for the requesting user and repo is found. Therefore, rules that are more specific should always be listed first.
For example, if this repo rule were the first one listed, then no one would have access to any repository:

    [repo *]
    * =

Similarly, the following repo section prevents all user access to the bash.git repository, because the first user permissions assignment is a wildcard pattern that matches any user, rendering the user permissions assignments after it irrelevant:

    [repo bash.git]
    * =
    devs = rw
    qa = r

= Wildcard patterns are limited

1. The wildcard character can only be used at the end of a string, to denote that the rest of the string may contain zero or more valid characters. To this end the following wildcard patterns are valid:

        *      (means all)
        st*    (means all tokens starting with st)

   while these tokens are invalid:

        *.git
        mirrors/tinyos*.git
        */mirrors/*

2. Wildcard patterns are only valid in certain elements of the configuration file.

   - As a token on the right hand side of a group assignment. For example:

        [user_groups]
        group = *

        [repo_groups]
        group = mirrors/*

   - As the token defining in a repo section. For example:

        [repo qa/*]

   - As the left hand side of a user permissions assignment within a repo section. For example:

        [repo nesc.git]
        bill = rw
        * = r

        [repo repo_shell.git]
        a* = rw
        b* = r
        * =

Note that while the last example above is valid, it seems an unlikely use case where one would want to define access permissions to a repository based upon the first letter of the username.
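A small linter for the two pitfalls described above (user rules shadowed by an earlier match, and asterisks anywhere but the end of a token), added here as an example and not part of repo_shell. It assumes one `name = value` assignment per line and that a user group on the left-hand side matches exactly its listed members; `lint`, `covers` and `valid_pattern` are hypothetical names.

```python
import re

# Constructed sample: the page's shadowed bash.git section plus one invalid token.
SAMPLE = """\
[user_groups]
devs = bob mike susan frank
[repo_groups]
mirror_repos = mirrors/tinyos*.git
[repo bash.git]
* =
devs = rw
qa = r
[repo nesc.git]
bill = rw
* = r
"""

def valid_pattern(tok):
    # The asterisk is only allowed as the final character of a token.
    return "*" not in tok[:-1]

def covers(earlier, later):
    # True if every name `later` can match is already matched by `earlier`.
    if earlier.endswith("*"):
        return later.rstrip("*").startswith(earlier[:-1])
    return earlier == later

def lint(text):
    # Assumed reading of the page's rules, not repo_shell's own parser.
    findings, groups, section, seen = [], {}, None, []
    for n, line in enumerate(map(str.strip, text.splitlines()), 1):
        header = re.fullmatch(r"\[(\w+)\s*(.*?)\]", line)
        if header:  # a new section resets the list of earlier user rules
            section, name, seen = header.group(1), header.group(2), []
            if not valid_pattern(name):
                findings.append((n, "invalid-wildcard", name))
        elif "=" in line:
            lhs, _, rhs = (part.strip() for part in line.partition("="))
            if section == "repo":
                pats = groups.get(("user_groups", lhs), [lhs])  # expand a user group
                if not valid_pattern(lhs):
                    findings.append((n, "invalid-wildcard", lhs))
                elif pats and all(any(covers(e, p) for e in seen) for p in pats):
                    findings.append((n, "shadowed", lhs))  # never the first match
                seen.extend(pats)
            else:  # group sections: wildcards are checked on the right-hand side
                findings += [(n, "invalid-wildcard", t) for t in rhs.split() if not valid_pattern(t)]
                groups[section, lhs] = rhs.split()
    return findings
```

Running `lint(SAMPLE)` flags the `devs` and `qa` rules under `[repo bash.git]` as shadowed by the leading `* =`, while the `[repo nesc.git]` section, which lists the specific user first, produces no finding.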