The Project Security feature was added to IBM® Rational® Change Version 5.3 to manage user privileges. It introduces projects as a way to group CRs and roles as a way to group and organize privileges. Privileges are assigned dynamically, based on a grouping of Change Requests (CRs). When you enable project security, rather than assigning users static privileges that apply to all change requests (CRs) and tasks within a particular database, users are assigned dynamic privileges within the context of a set of related CRs.
This article explains how to get started and then how to create and maintain project rules.
User interface for managing project security
A new Project Security tab is in the Administrator panel under the User Management action panel. This new tab has the following sub-tabs:
- Helps in enabling or disabling the project security feature on the Rational Change server
- Helps in managing roles for project security
- Global Assignments
- Helps in managing global roles or privileges for users
- Helps in managing projects
- Provides a way to report on project security
The sections that follow provide detailed information on each of these sub-tabs.
Using this panel, a Rational Change administrator can perform two actions:
- Turn on (or turn off) dynamic privileges.
- Designate a CR-only database.
Turn on (or turn off) dynamic privileges
By default the Traditional Database Privilege option is selected, which means that the Rational Change server will manage user privileges as it did in previous versions. To turn on dynamic privileges on the Rational Change server:
- Select the Configuration tab within Project Security (Project Security > Configuration).
- Select the Dynamic privileges with Project Security radio button, as shown in Figure 1.
Designate a CR-only database
If the Rational Change server is running in stand-alone mode, you can use this interface to choose a CR-only database for this server.
You can manage CR-only databases through Add and Remove links. Clicking Remove with one or more databases selected removes them from the list.
Figure 1. Turning dynamic privileges on or off
This section provides a way to manage roles for project security on the Rational Change server. An administrator can use it to create new roles or edit existing roles.
Figure 2. The Roles tab
To create a role:
- In the next open row, enter a name in the Role Name column (see Figure 3).
- Click the Add button at the end of any row to add a new role.
- Provide the role name.
- To add privileges to this role, click the icon next to the Privileges text field. Choose the privileges from the menu, and click Update to save your selections.
- Be sure to click Save to preserve what you added.
Figure 3. Adding a role
You can modify an existing role in the same way. Don't forget to save your changes.
This tab helps in making global assignments, such as global privileges or roles. You can assign roles or privileges to either groups or users. These global assignments are not bound to any single project and they apply to all CRs across all databases.
To add a global assignment for a user or multiple users:
- In the Users tab, select the users.
- Click the Add link to add the user to the list.
- After the user is added the list, select that user and specific either Role or Privileges by clicking the check boxes from those respective lists.
- When you have finished, click Save.
You can handle global assignments for groups similarly by selecting the Groups tab, instead.
Figure 4. Managing global assignments
To remove global assignment for a user:
- Within the Users tab, select the user.
- Click the Remove.
- Click Save at the bottom.
A project is the basic element of a dynamic privilege. A project defines a logical grouping for CRs and the users or groups that are members of this project. For these members, rules for the project are applied.
A project has several sections:
- Name of the project
- Administrators are the normal users who has been given full administrator rights for this specific project. An administrator of a project can edit any section of the project including deleting project and creating a sub project under this projects.
- Editors are special administrators of the project with restricted administrative rights. An editor can modify only the Members and Privileges section of the project.
- Contents (CRs Included in this Project)
- This is the section where you can define logical grouping of the CRs for this project.
- Members and Privileges
- This is the section where roles or privileges are assigned to a user or to a group. These apply only to the CRs that are grouped by the section "Contents (CRs Included in this Project)" section of this project. For all other CRs, these roles or privileges might not be applicable.
Figure 5. Project definition
Logical grouping of change requests
The Contents (CRs Included in this Project) section defines the logical grouping of the CRs that are included in a project. This section has Attribute and Value columns. The combination of the attributes and values defined here forms a query, and the result of the query is the logical grouping of the CRs for this project.
How the attributes and values form a query
The admin can add attributes by using multiple rows, one attribute in each row. The attributes and their values that the admin defines in each row form an AND type of Boolean query. You can add a new row by clicking the Add link.
All attributes and their values defined in a row form an OR type of query. You can add a new values to an attribute in a single row by using + (plus sign) next to the attribute value.
This scenario is illustrated in Figure 6, using a project with few rules defined.
Figure 6. Sample query to group change requests for a project
According to these settings, the query to group CRs will be formed as:
(cvtype='problem') and ((product_name= 'Product A)' or product_name= 'Product B' )) and (release='1.0')
A sub-project is like a project, but it is subordinate to and an extension of, another project. Rules for creation and modification are the same as for any other project. Remember these points while working on a sub-project:
- A sub-project inherits Administrators and Editors from its parent project.
- A sub-project adds an extension to the parent project query and makes it more specific.
- Privileges or roles assigned to members apply only to the CRs grouped by this sub-project query. The users will not have access to any of the CRs that belong to the parent project.
Projects tab menu
- Main menu listing all top level projects
Figure 7. Main menu lists top-level projects
Figure 8. Main menu with a sub-project
This tab section helps you generate useful reports on the dynamic privileges for a Rational Change 5.3 administrator. Two types of reports are included:
- Users and Roles shows the selected users' roles and privileges in all projects.
- Project Membership shows the members of the selected projects and includes their roles and privileges.
Users and Roles
This report takes user IDs as the input and generates a report that lists all of the projects that selected users have access to. If a user has a global assignment, all of the relevant projects defined will be listed.
To run this report:
- Click the Reports tab.
- Notice that in the Report On drop-down menu, Users and Roles is selected by default.
- Find the users, and select one or more users from the list.
- Click the Run Report button at the bottom (see Figure 9).
Results will be displayed in the section on the right side of the page.
This report takes a project name as an input and lists all of the users who are members of selected projects.
To run this report:
- Click the Reports tab.
- Check the Report On drop-down menu to see whether Project Membership is selected. Select it if it is not.
- Find the projects, and select one or more projects from the list.
- Click the Run Report button at the bottom.
Results will be displayed at the section at the right side of the page.
Figure 9. Reports tab view
Perl API support for project security (data migration)
Project security data such as roles, projects, and global assignments are stored in the Rational Directory Server. Multiple Rational Change servers connected to a common directory server can share project security data. If two or more Rational Change servers are connected to different directory servers but need to work with the same project security data, a couple of Perl APIs are exposed by Rational Change 5.3 to migrate data between Rational Directory Servers:
For help with these APIs, see the Perl API help in Rational Change 5.3.
- Start at the Rational Change page on developerWorks to learn about features and benefits, get product details and information on related Rational products, and to find more technical articles and where to get support. Get more details in the Managing project security section of the Rational Change 5.3 information center.
- Explore the Rational software area on developerWorks for technical resources, best practices, and information about Rational collaborative and integrated solutions for software and systems delivery.
- Stay current with developerWorks technical events and webcasts focused on a variety of IBM products and IT industry topics.
- Improve your skills. Check the Rational training and certification catalog, which includes many types of courses on a wide range of topics. You can take some of them anywhere, any time, and many of the Getting Started ones are free.
Get products and technologies
- Get the free Trial Download or check the Trials and Demos page for Rational software.
- Evaluate IBM software in the way that suits you best: Download it for a trial, try it online, use it in a cloud environment, or spend a few hours in the SOA Sandbox learning how to implement service-oriented architecture efficiently.
- Join the Enterprise Change Management with Rational Change forum to ask questions and participate in discussions.
- Join the Rational Synergy forum to ask questions and participate in discussions.
- Rate or review Rational software. It's quick and easy.
- Share your knowledge and help others who use Rational software by writing a developerWorks article. Find out what makes a good developerWorks article and how to proceed.
- Follow Rational software on Facebook, Twitter (@ibmrational), and YouTube, and add your comments and requests.
- Ask and answer questions and increase your expertise when you get involved in the Rational forums, cafés, and wikis.
- Get connected. Join the Rational community to share your Rational software expertise and get connected with your peers.