Perforce: Protections table order

Question

Does order in perforce's protection table matters ? I mean does it matter if I have some write permissions then read then super then list again then write then admin ?

write       user       *           *       //...
read        user       emily       *       //depot/elm_proj/...
super       user       joe         *       -//...
list        user       lisag       *       -//...
write       user       lisag       *       //depot/elm_proj/doc/...
admin       user       admin       *       //...
=write      user       joe         *       -//depot/build/...

or it has to be systematic like this:

list        user       lisag       *       -//...
read        user       emily       *       //depot/elm_proj/...
write       user       *           *       //...
write       user       lisag       *       //depot/elm_proj/doc/...
=write      user       joe         *       -//depot/build/...
admin       user       admin       *       //...
super       user       joe         *       -//...

I am new to perforce and when I read Administering Perforce: Protections I do not see any reference to ordering mentioned here (Unless I overlooked something and missed it completely).

I got this question because thinking the way CSS work, if two entries are mentioned for same html element, then the last entry is the one which is taken into action. Similarly, does it matter here with perforce protection table also ?

Answer 1

If you're using exclusionary mappings, like the ones where the depot path begins with a '-' character in your example above, then order is significant. From the Perforce online documentation:

When exclusionary mappings are not used, a user is granted the highest permission level listed in the union of all the mappings that match the user, the user's IP address, and the files the user is trying to access. In this case, the order of the mappings is irrelevant. When exclusionary mappings are used, order is relevant: the exclusionary mapping overrides any matching protections listed above it in the table. No matter what access level is being denied in the exclusionary protection, all the access levels for the matching users, files, and IP addresses are denied. If you use exclusionary mappings to deny access to an area of the depot to members of group1, but grant access to the same area of the depot to members of group2, a user who is a member of both group1 and group2 is either granted or denied access based on whichever line appears last in the protections table.