Working with the IBM Rational Change project security feature: Part 2. Set up project security, create and manage rules

Project security is the new feature added to Rational Change 5.3. This makes user management for Rational Change 5.3 easy. Part 1 explained the feature and terminology. This part explains how to set up project security and then create and maintain project rules for your organization.


Ritesh Nigam (, Staff Software Engineer, I.B.M.

author photoRitesh Nigam is a senior software engineer with nearly eight years of experience in software development. He has been working as a senior developer for IBM Rational Change software for the past five years. He also has experience in Java, Java 2 Enterprise Edition (J2EE), Perl, and web technologies, such as Dojo toolkit, Ajax, web services, OSLC, and change and configuration management.

06 November 2012


The Project Security feature was added to IBM® Rational® Change Version 5.3 to manage user privileges. It introduces projects as a way to group CRs and roles as a way to group and organize privileges. Privileges are assigned dynamically, based on a grouping of Change Requests (CRs). When you enable project security, rather than assigning users static privileges that apply to all change requests (CRs) and tasks within a particular database, users are assigned dynamic privileges within the context of a set of related CRs.

This article explains how to get started and then how to create and maintain project rules.

User interface for managing project security

A new Project Security tab is in the Administrator panel under the User Management action panel. This new tab has the following sub-tabs:

Helps in enabling or disabling the project security feature on the Rational Change server
Helps in managing roles for project security
Global Assignments
Helps in managing global roles or privileges for users
Helps in managing projects
Provides a way to report on project security

The sections that follow provide detailed information on each of these sub-tabs.


Using this panel, a Rational Change administrator can perform two actions:

  1. Turn on (or turn off) dynamic privileges.
  2. Designate a CR-only database.

Turn on (or turn off) dynamic privileges

By default the Traditional Database Privilege option is selected, which means that the Rational Change server will manage user privileges as it did in previous versions. To turn on dynamic privileges on the Rational Change server:

  1. Select the Configuration tab within Project Security (Project Security > Configuration).
  2. Select the Dynamic privileges with Project Security radio button, as shown in Figure 1.

Designate a CR-only database

If the Rational Change server is running in stand-alone mode, you can use this interface to choose a CR-only database for this server.

You can manage CR-only databases through Add and Remove links. Clicking Remove with one or more databases selected removes them from the list.

Figure 1. Turning dynamic privileges on or off
Configuration tab options within Project Security


This section provides a way to manage roles for project security on the Rational Change server. An administrator can use it to create new roles or edit existing roles.

Figure 2. The Roles tab
add or delete Role Name and Privileges

To create a role:

  1. In the next open row, enter a name in the Role Name column (see Figure 3).
  2. Click the Add button at the end of any row to add a new role.
  3. Provide the role name.
  4. To add privileges to this role, click the icon next to the Privileges text field. Choose the privileges from the menu, and click Update to save your selections.
  5. Be sure to click Save to preserve what you added.
Figure 3. Adding a role
Roles tab showing privileges choices

You can modify an existing role in the same way. Don't forget to save your changes.

Global assignments

This tab helps in making global assignments, such as global privileges or roles. You can assign roles or privileges to either groups or users. These global assignments are not bound to any single project and they apply to all CRs across all databases.

To add a global assignment for a user or multiple users:

  1. In the Users tab, select the users.
  2. Click the Add link to add the user to the list.
  3. After the user is added the list, select that user and specific either Role or Privileges by clicking the check boxes from those respective lists.
  4. When you have finished, click Save.

You can handle global assignments for groups similarly by selecting the Groups tab, instead.

Figure 4. Managing global assignments
Users tab view within Global Assignments

To remove global assignment for a user:

  1. Within the Users tab, select the user.
  2. Click the Remove.
  3. Click Save at the bottom.


A project is the basic element of a dynamic privilege. A project defines a logical grouping for CRs and the users or groups that are members of this project. For these members, rules for the project are applied.

A project has several sections:

Name of the project
Administrators are the normal users who has been given full administrator rights for this specific project. An administrator of a project can edit any section of the project including deleting project and creating a sub project under this projects.
Editors are special administrators of the project with restricted administrative rights. An editor can modify only the Members and Privileges section of the project.
Contents (CRs Included in this Project)
This is the section where you can define logical grouping of the CRs for this project.
Members and Privileges
This is the section where roles or privileges are assigned to a user or to a group. These apply only to the CRs that are grouped by the section "Contents (CRs Included in this Project)" section of this project. For all other CRs, these roles or privileges might not be applicable.
Figure 5. Project definition
Sections in the Projects dialog window

Logical grouping of change requests

The Contents (CRs Included in this Project) section defines the logical grouping of the CRs that are included in a project. This section has Attribute and Value columns. The combination of the attributes and values defined here forms a query, and the result of the query is the logical grouping of the CRs for this project.

How the attributes and values form a query

The admin can add attributes by using multiple rows, one attribute in each row. The attributes and their values that the admin defines in each row form an AND type of Boolean query. You can add a new row by clicking the Add link.

All attributes and their values defined in a row form an OR type of query. You can add a new values to an attribute in a single row by using + (plus sign) next to the attribute value.

This scenario is illustrated in Figure 6, using a project with few rules defined.

Figure 6. Sample query to group change requests for a project
Attributes and Values entered for two products

According to these settings, the query to group CRs will be formed as:
(cvtype='problem') and ((product_name= 'Product A)' or product_name= 'Product B' )) and (release='1.0')


A sub-project is like a project, but it is subordinate to and an extension of, another project. Rules for creation and modification are the same as for any other project. Remember these points while working on a sub-project:

  • A sub-project inherits Administrators and Editors from its parent project.
  • A sub-project adds an extension to the parent project query and makes it more specific.
  • Privileges or roles assigned to members apply only to the CRs grouped by this sub-project query. The users will not have access to any of the CRs that belong to the parent project.

Projects tab menu

  1. Main menu listing all top level projects
Screen segmentDefects is a sub-project of Release 1.0 for A or B


This tab section helps you generate useful reports on the dynamic privileges for a Rational Change 5.3 administrator. Two types of reports are included:

  • Users and Roles shows the selected users' roles and privileges in all projects.
  • Project Membership shows the members of the selected projects and includes their roles and privileges.

Users and Roles

This report takes user IDs as the input and generates a report that lists all of the projects that selected users have access to. If a user has a global assignment, all of the relevant projects defined will be listed.

To run this report:

  1. Click the Reports tab.
  2. Notice that in the Report On drop-down menu, Users and Roles is selected by default.
  3. Find the users, and select one or more users from the list.
  4. Click the Run Report button at the bottom (see Figure 9).

Results will be displayed in the section on the right side of the page.

Project Membership

This report takes a project name as an input and lists all of the users who are members of selected projects.

To run this report:

  1. Click the Reports tab.
  2. Check the Report On drop-down menu to see whether Project Membership is selected. Select it if it is not.
  3. Find the projects, and select one or more projects from the list.
  4. Click the Run Report button at the bottom.

Results will be displayed at the section at the right side of the page.

Figure 9. Reports tab view
Set filters, select options, and then run report

Perl API support for project security (data migration)

Project security data such as roles, projects, and global assignments are stored in the Rational Directory Server. Multiple Rational Change servers connected to a common directory server can share project security data. If two or more Rational Change servers are connected to different directory servers but need to work with the same project security data, a couple of Perl APIs are exposed by Rational Change 5.3 to migrate data between Rational Directory Servers:

  • ExportProjectSecurityData
  • ImportProjectSecurityData

For help with these APIs, see the Perl API help in Rational Change 5.3.



Get products and technologies



developerWorks: Sign in

Required fields are indicated with an asterisk (*).

Need an IBM ID?
Forgot your IBM ID?

Forgot your password?
Change your password

By clicking Submit, you agree to the developerWorks terms of use.


The first time you sign into developerWorks, a profile is created for you. Information in your profile (your name, country/region, and company name) is displayed to the public and will accompany any content you post, unless you opt to hide your company name. You may update your IBM account at any time.

All information submitted is secure.

Choose your display name

The first time you sign in to developerWorks, a profile is created for you, so you need to choose a display name. Your display name accompanies the content you post on developerWorks.

Please choose a display name between 3-31 characters. Your display name must be unique in the developerWorks community and should not be your email address for privacy reasons.

Required fields are indicated with an asterisk (*).

(Must be between 3 – 31 characters.)

By clicking Submit, you agree to the developerWorks terms of use.


All information submitted is secure.

Dig deeper into Rational software on developerWorks

ArticleTitle=Working with the IBM Rational Change project security feature: Part 2. Set up project security, create and manage rules