Topic
  • 3 replies
  • Latest Post - ‏2013-01-31T02:26:44Z by SystemAdmin
SystemAdmin
SystemAdmin
47293 Posts

Pinned topic Using a vob server for 2 teams

‏2013-01-30T07:22:43Z |
Dear all,

We have 1 Linux clearcase 8.0.x server (including registry, host, license and vob server). Most of client OS's are Windows XP, 2K3 and Windows 7. A few client OS's are Linux.

Now, we intent to use this CC server to manage code of 2 different teams (team A and team B). We want that the vobs/code of team A cannot be mounted/showed by developer in team B and the vobs/code of team B cannot be mounted/showed by developer in team A.

Per my investigation, we can use samba configuration to prevent vobs access by each of teams.
Is this way feasible? Is there any better solution for this? Could you please share me the solution for the similar scenario?

Thanks,
Noel Nguyen
Updated on 2013-01-31T02:26:44Z at 2013-01-31T02:26:44Z by SystemAdmin
  • pdubovitsky
    pdubovitsky
    189 Posts

    Re: Using a vob server for 2 teams

    ‏2013-01-30T13:50:44Z  
    Hello,

    Using group-based permissions would be a better solution.
    You can include team A and team B members into GroupA and GroupB correspondently, protect VOB elements and metadata with appropriate group (and both groups should be included in the VOB group list in case some users work on both projects simultaneously), and apply a post-mkelem (mkbrtype, mklbtype, etc) trigger that would set elements or metadata group ownership to the VOB primary group (in case users have different primary group set).
    Then, you can revoke rwx permission for "others" on the VOB root directory element.

    Pavel
  • brcowan
    brcowan
    741 Posts

    Re: Using a vob server for 2 teams

    ‏2013-01-30T15:40:03Z  
    The true joy of ClearCase is that there are multiple ways to accomplish this:

    Create multiple registry regions.


    This will prevent the teams from SEEING each other's VOBs:
    - VOB server region -- this region will hold ALL the VOBs and views.
    - Team 1 Unix clients -- holds unix vob/view tags for all of team 1's users
    - Team 1 Windows region -- holds the windows VOB & view tags for Team 1's users
    - Team 2 Unix clients -- holds unix vob/view tags for all of team 2's users
    - Team 2 Windows region -- holds the windows VOB & view tags for Team 2's users

    The only drawbacks are:
    1) A knowledgeable user could create a VOB or view tag for the "invisible" VOBs
    2) You would have to tag VOBs and Views in 2 additional regions after creating them. This isn't that much more than you already have to do in an Interop configuration anyway...

    Use Samba and Unix permissions to prevent access to the VOB/View storage.


    You can use this in conjunction with the above item to have multiple layers of protection. You would create 2 vob/view storage shares on the web server. One for Team 1 and another for team 2.

    These directories, and NOT the .vbs directories, would be protected on Unix as 770 where the team group is the group on the directory. Your teams would need Unix accounts where that group is in the users group list for this to work.

    You should also use the Samba share options to block access to the Samba shares if users are not in a particular group. If only for completeness.

    If you put all the VOBs and/or views for both teams in the same shares/storage areas, this option will not work.
    =================================================================
    Brian Cowan
    Advisory Software Engineer
    ClearCase Software Advisory Team (SWAT)
    Rational Software
    IBM Software Group
    550 King St
    Littleton, MA 01460

    Phone: 1.978.899.5436
    Web: http://www.ibm.com/software/rational/support/
  • SystemAdmin
    SystemAdmin
    47293 Posts

    Re: Using a vob server for 2 teams

    ‏2013-01-31T02:26:44Z  
    • brcowan
    • ‏2013-01-30T15:40:03Z
    The true joy of ClearCase is that there are multiple ways to accomplish this:

    Create multiple registry regions.


    This will prevent the teams from SEEING each other's VOBs:
    - VOB server region -- this region will hold ALL the VOBs and views.
    - Team 1 Unix clients -- holds unix vob/view tags for all of team 1's users
    - Team 1 Windows region -- holds the windows VOB & view tags for Team 1's users
    - Team 2 Unix clients -- holds unix vob/view tags for all of team 2's users
    - Team 2 Windows region -- holds the windows VOB & view tags for Team 2's users

    The only drawbacks are:
    1) A knowledgeable user could create a VOB or view tag for the "invisible" VOBs
    2) You would have to tag VOBs and Views in 2 additional regions after creating them. This isn't that much more than you already have to do in an Interop configuration anyway...

    Use Samba and Unix permissions to prevent access to the VOB/View storage.


    You can use this in conjunction with the above item to have multiple layers of protection. You would create 2 vob/view storage shares on the web server. One for Team 1 and another for team 2.

    These directories, and NOT the .vbs directories, would be protected on Unix as 770 where the team group is the group on the directory. Your teams would need Unix accounts where that group is in the users group list for this to work.

    You should also use the Samba share options to block access to the Samba shares if users are not in a particular group. If only for completeness.

    If you put all the VOBs and/or views for both teams in the same shares/storage areas, this option will not work.
    =================================================================
    Brian Cowan
    Advisory Software Engineer
    ClearCase Software Advisory Team (SWAT)
    Rational Software
    IBM Software Group
    550 King St
    Littleton, MA 01460

    Phone: 1.978.899.5436
    Web: http://www.ibm.com/software/rational/support/
    Thank Brian Cowan and Pavel for your prompt responses. This helps me much.