Topic
7 replies Latest Post - ‏2013-07-09T13:21:06Z by GKellner
raygear
raygear
17 Posts
ACCEPTED ANSWER

Pinned topic Access Control on VOB and more

‏2013-07-01T03:59:47Z |

Can we control the user access at Views, Streams and Elements level other than VOB level?

I use 'protect' command on ProjA_DEV_View to set the access, the rest of the views got affect.

How to do if that is impossible? Possible to control at Stream level?

What i am trying to achieve is i want to allow users from YYY group to have full access in DEV, read only access for UAT and PROD?

ZZZ group to have read only access in DEV and SIT.

ProjA (VOB)

   -  DEV Stream

       - Library folder

             - abc.jar

   - SIT Stream

   ....

ProjA_DEV_View

 

  • benray
    benray
    74 Posts
    ACCEPTED ANSWER

    Re: Access Control on VOB and more

    ‏2013-07-01T18:42:16Z  in response to raygear

    One option would be to lock the stream & branch types where you'd like to restrict access and add the users who are allowed to work on that stream to the -nusers list on the lock.

    A more elegant solution might be a trigger on restricted operations (checkin/checkout/mkelem etc) that checks the user and stream to see if it should allow the operation to proceed.

    • raygear
      raygear
      17 Posts
      ACCEPTED ANSWER

      Re: Access Control on VOB and more

      ‏2013-07-02T00:50:50Z  in response to benray

      Hi Benray, I have quite a big team, what is the better way to add a group of users apart from using -nusers?

      I am not familiar with trigger, is it a clearcase function or a script that I need to write?

      • Dave-Robinson
        Dave-Robinson
        116 Posts
        ACCEPTED ANSWER

        Re: Access Control on VOB and more

        ‏2013-07-02T08:31:01Z  in response to raygear

        http://publib.boulder.ibm.com/infocenter/cchelp/v8r0m0/topic/com.ibm.rational.clearcase.cc_ref.doc/topics/ct_mktrtype.htm

        quote: "A trigger type defines a sequence of one or more trigger actions to be performed when a specified ClearCase operation occurs."

        Usually the "trigger action" is a script written by the ClearCase Administrator. You have complete control of what the trigger does, and what checks it does. Of course there is a performance overhead cost.

        So, for example, when a trigger fires for a checkout, it gets environment variable CLEARCASE_ACTIVITY.

        With that your script could find out what stream it is in, and it could use an operating system command to find out if the user has membership of a group that is allowed to checkout to that stream.

         

        • GKellner
          GKellner
          258 Posts
          ACCEPTED ANSWER

          Re: Access Control on VOB and more

          ‏2013-07-02T12:12:01Z  in response to Dave-Robinson

          Instead of writing old-style trigger, checking the new ACL feature would be the better choice.

  • marcdb
    marcdb
    16 Posts
    ACCEPTED ANSWER

    Re: Access Control on VOB and more

    ‏2013-07-02T06:10:21Z  in response to raygear

    ClearCase 8.0.1 (which has been released last month) provides access control lists (ACLs) to control access to objects in a VOB. Have a look at the 8.0.1 administration documentation and at the document Ensure effective administration and security in Rational ClearCase 8.0.1.

    Regards,

    Marc

    • benray
      benray
      74 Posts
      ACCEPTED ANSWER

      Re: Access Control on VOB and more

      ‏2013-07-02T13:21:58Z  in response to marcdb

      Just FYI, UCM objects such as streams are not objects that can be protected by ACLs (yet). Possibly in a later release.

      • GKellner
        GKellner
        258 Posts
        ACCEPTED ANSWER

        Re: Access Control on VOB and more

        ‏2013-07-09T13:21:06Z  in response to benray

        You can achieve it by control the access to the component, which is represented by a folder.

        If you have read-only access at component level, you can't modify any streams within this component.

         

        greetings georg.