We have 1 Linux clearcase 8.0.x server (including registry, host, license and vob server). Most of client OS's are Windows XP, 2K3 and Windows 7. A few client OS's are Linux.
Now, we intent to use this CC server to manage code of 2 different teams (team A and team B). We want that the vobs/code of team A cannot be mounted/showed by developer in team B and the vobs/code of team B cannot be mounted/showed by developer in team A.
Per my investigation, we can use samba configuration to prevent vobs access by each of teams.
Is this way feasible? Is there any better solution for this? Could you please share me the solution for the similar scenario?
This topic has been locked.
Pinned topic Using a vob server for 2 teams
Answered question This question has been answered.
Unanswered question This question has not been answered yet.
pdubovitsky 100000N35Y189 Posts
Re: Using a vob server for 2 teams2013-01-30T13:50:44ZThis is the accepted answer. This is the accepted answer.Hello,
Using group-based permissions would be a better solution.
You can include team A and team B members into GroupA and GroupB correspondently, protect VOB elements and metadata with appropriate group (and both groups should be included in the VOB group list in case some users work on both projects simultaneously), and apply a post-mkelem (mkbrtype, mklbtype, etc) trigger that would set elements or metadata group ownership to the VOB primary group (in case users have different primary group set).
Then, you can revoke rwx permission for "others" on the VOB root directory element.
brcowan 2000005CYP763 Posts
Re: Using a vob server for 2 teams2013-01-30T15:40:03ZThis is the accepted answer. This is the accepted answer.The true joy of ClearCase is that there are multiple ways to accomplish this:
Create multiple registry regions.
This will prevent the teams from SEEING each other's VOBs:
- VOB server region -- this region will hold ALL the VOBs and views.
- Team 1 Unix clients -- holds unix vob/view tags for all of team 1's users
- Team 1 Windows region -- holds the windows VOB & view tags for Team 1's users
- Team 2 Unix clients -- holds unix vob/view tags for all of team 2's users
- Team 2 Windows region -- holds the windows VOB & view tags for Team 2's users
The only drawbacks are:
1) A knowledgeable user could create a VOB or view tag for the "invisible" VOBs
2) You would have to tag VOBs and Views in 2 additional regions after creating them. This isn't that much more than you already have to do in an Interop configuration anyway...
Use Samba and Unix permissions to prevent access to the VOB/View storage.
You can use this in conjunction with the above item to have multiple layers of protection. You would create 2 vob/view storage shares on the web server. One for Team 1 and another for team 2.
These directories, and NOT the .vbs directories, would be protected on Unix as 770 where the team group is the group on the directory. Your teams would need Unix accounts where that group is in the users group list for this to work.
You should also use the Samba share options to block access to the Samba shares if users are not in a particular group. If only for completeness.
If you put all the VOBs and/or views for both teams in the same shares/storage areas, this option will not work.
Advisory Software Engineer
ClearCase Software Advisory Team (SWAT)
IBM Software Group
550 King St
Littleton, MA 01460