# Data Leakage Protection (DLP)

This 'dlp' directory contains prototype broker filter scripts to make P4D more secure and suitable for multi-tenant silo operation. In this mode, different users and groups working on the server (tenants) shouldn't know that the other users/groups exist, and shouldn't be able to easily learn what they are doing.

## DLP Behaviors

Behavior changes from stock p4d:

### Must Be Super

The following commands require super access:
    - p4 groups
    - p4 users

### Stay In Your Lane
The following commands to list specs are rewritten so the last args are always '-u <you>', so you can list only your own specs.
    - p4 branches
    - p4 clients
    - p4 labels
    - p4 remotes
    - p4 workspaces

### Must Be Owener
* The following commands to edit/output a spec only allow it if you own it.
    - p4 branch
    - p4 client
    - p4 label
    - p4 remote
    - p4 user
    - p4 workspace

# DLP Files

The following scripts support this:

* broker_imply-u.pl
* broker_must_be_super.pl
* broker_must_be_owner.pl

# To Do

* Think about what to do with 'p4 job' and 'p4 jobs'.
* Think about what to do with 'p4 fix' and 'p4 fixes'.
* Think about what to do with 'p4 repos'.