Topic
  • 7 replies
  • Latest Post - 2013-07-09T13:21:06Z by GKellner
raygear
17 Posts

Pinned topic Access Control on VOB and more

2013-07-01T03:59:47Z

Can we control user access at the view, stream and element levels, other than at the VOB level?

I used the 'protect' command on ProjA_DEV_View to set the access, and the rest of the views got affected.

What can I do if that is impossible? Is it possible to control access at the stream level?

What I am trying to achieve is to allow users from the YYY group to have full access in DEV and read-only access for UAT and PROD.

The ZZZ group should have read-only access in DEV and SIT.

ProjA (VOB)
   - DEV Stream
       - Library folder
             - abc.jar
   - SIT Stream
   ....

ProjA_DEV_View

 

  • benray
    74 Posts

    Re: Access Control on VOB and more

    2013-07-01T18:42:16Z

    One option would be to lock the stream & branch types where you'd like to restrict access and add the users who are allowed to work on that stream to the -nusers list on the lock.

    A more elegant solution might be a trigger on restricted operations (checkin/checkout/mkelem etc) that checks the user and stream to see if it should allow the operation to proceed.

  • raygear
    17 Posts

    Re: Access Control on VOB and more

    2013-07-02T00:50:50Z
    • benray
    • 2013-07-01T18:42:16Z

    One option would be to lock the stream & branch types where you'd like to restrict access and add the users who are allowed to work on that stream to the -nusers list on the lock.

    A more elegant solution might be a trigger on restricted operations (checkin/checkout/mkelem etc) that checks the user and stream to see if it should allow the operation to proceed.

    Hi Benray, I have quite a big team. What is a better way to add a group of users apart from using -nusers?

    I am not familiar with triggers. Is it a ClearCase function or a script that I need to write?

  • marcdb
    16 Posts

    Re: Access Control on VOB and more

    2013-07-02T06:10:21Z

    ClearCase 8.0.1 (which was released last month) provides access control lists (ACLs) to control access to objects in a VOB. Have a look at the 8.0.1 administration documentation and at the document Ensure effective administration and security in Rational ClearCase 8.0.1.

    Regards,

    Marc

  • Dave-Robinson
    116 Posts

    Re: Access Control on VOB and more

    2013-07-02T08:31:01Z
    • raygear
    • 2013-07-02T00:50:50Z

    Hi Benray, I have quite a big team. What is a better way to add a group of users apart from using -nusers?

    I am not familiar with triggers. Is it a ClearCase function or a script that I need to write?

    http://publib.boulder.ibm.com/infocenter/cchelp/v8r0m0/topic/com.ibm.rational.clearcase.cc_ref.doc/topics/ct_mktrtype.htm

    quote: "A trigger type defines a sequence of one or more trigger actions to be performed when a specified ClearCase operation occurs."

    Usually the "trigger action" is a script written by the ClearCase Administrator. You have complete control of what the trigger does, and what checks it does. Of course there is a performance overhead cost.

    So, for example, when a trigger fires for a checkout, it gets environment variable CLEARCASE_ACTIVITY.

    With that your script could find out what stream it is in, and it could use an operating system command to find out if the user has membership of a group that is allowed to checkout to that stream.
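
The check described in the post above, as an added example that is not part of the thread or any poster's own script: a pre-operation trigger action (attached with mktrtype) that maps CLEARCASE_ACTIVITY to its stream and allows the operation only if the user belongs to a group permitted to modify that stream. The policy table, the group and stream names (taken from the question), the use of the `%[stream]p` format with `cleartool lsactivity`, and Unix-style group lookup via `id` are assumptions.

```shell
#!/bin/sh
# Added example: pre-operation trigger action. Exit 0 allows the operation,
# any non-zero exit blocks it.

# Constructed policy, "stream:group" pairs allowed to modify that stream.
# Mirrors the question: YYY writes to DEV only; every other stream is read-only.
WRITE_POLICY="DEV:YYY"

# may_write STREAM "GROUP1 GROUP2 ..." -> status 0 if any group may modify STREAM
may_write() {
    stream=${1#stream:}      # tolerate a "stream:" selector prefix
    stream=${stream%%@*}     # and a trailing "@<pvob>" suffix
    for pair in $WRITE_POLICY; do
        if [ "${pair%%:*}" = "$stream" ]; then
            for g in $2; do
                if [ "$g" = "${pair#*:}" ]; then return 0; fi
            done
        fi
    done
    return 1                 # default deny: unlisted stream or no matching group
}

trigger_main() {
    # No UCM activity means the stream cannot be determined: fail closed.
    if [ -z "${CLEARCASE_ACTIVITY:-}" ]; then
        echo "denied: no UCM activity set" >&2
        return 1
    fi
    user=${CLEARCASE_USER:-$(id -un)}
    # Assumption: the %[stream]p format yields the activity's stream.
    stream=$(cleartool lsactivity -fmt '%[stream]p' "$CLEARCASE_ACTIVITY") || return 1
    if may_write "$stream" "$(id -Gn "$user")"; then
        return 0
    fi
    echo "denied: $user may not modify stream $stream" >&2
    return 1
}

# Run only when fired by ClearCase, which sets CLEARCASE_OP_KIND for triggers.
if [ -n "${CLEARCASE_OP_KIND:-}" ]; then
    trigger_main
    exit $?
fi
```

Because the policy defaults to deny, a stream missing from WRITE_POLICY is read-only for everyone until it is listed.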

     

  • GKellner
    259 Posts

    Re: Access Control on VOB and more

    2013-07-02T12:12:01Z

    http://publib.boulder.ibm.com/infocenter/cchelp/v8r0m0/topic/com.ibm.rational.clearcase.cc_ref.doc/topics/ct_mktrtype.htm

    quote: "A trigger type defines a sequence of one or more trigger actions to be performed when a specified ClearCase operation occurs."

    Usually the "trigger action" is a script written by the ClearCase Administrator. You have complete control of what the trigger does, and what checks it does. Of course there is a performance overhead cost.

    So, for example, when a trigger fires for a checkout, it gets environment variable CLEARCASE_ACTIVITY.

    With that your script could find out what stream it is in, and it could use an operating system command to find out if the user has membership of a group that is allowed to checkout to that stream.

     

    Instead of writing an old-style trigger, checking the new ACL feature would be the better choice.

  • benray
    74 Posts

    Re: Access Control on VOB and more

    2013-07-02T13:21:58Z
    • marcdb
    • 2013-07-02T06:10:21Z

    ClearCase 8.0.1 (which was released last month) provides access control lists (ACLs) to control access to objects in a VOB. Have a look at the 8.0.1 administration documentation and at the document Ensure effective administration and security in Rational ClearCase 8.0.1.

    Regards,

    Marc

    Just FYI, UCM objects such as streams are not objects that can be protected by ACLs (yet). Possibly in a later release.

  • GKellner
    259 Posts

    Re: Access Control on VOB and more

    2013-07-09T13:21:06Z
    • benray
    • 2013-07-02T13:21:58Z

    Just FYI, UCM objects such as streams are not objects that can be protected by ACLs (yet). Possibly in a later release.

    You can achieve it by controlling the access to the component, which is represented by a folder.

    If you have read-only access at component level, you can't modify any streams within this component.

     

    Greetings, Georg.