Defining Git-related permissions and preconditions
Define Git-related permissions and preconditions.
Before you begin
You must have registered a Git repository.
You must be a member of either the JazzProjectAdmins group or the JazzAdmins group, or be assigned to a role that has access to change permissions in the project area or team area.
Procedure
- Add roles and assign permissions to the roles. See Adding and modifying roles and permissions. For Git, you can also set permissions for the actions (by role or operation). Git Repository Access permissions apply to operations, such as Clone, Fetch, Pull, and Push.
Note: If you create a refmapping for a Git branch, only permissions for the Push New Commits and Alter Commit History actions should be overridden in the team area. Permissions for the Create/Delete Git Branches and Create/Delete Git Tags actions should be inherited from the parent project area or team area.
- Set preconditions and follow-up actions for the Git operations. See Setting preconditions and follow-up actions.
Table 1. Git server-side preconditions

Precondition: Restrict Association to Closed Work Items
Description: Allow the push of commits only if the work items in the commit comment are not in a closed state. If no work items are provided in the commit comment, then the precondition does not block the push operation. To mandate that commit comments contain work items, enable the Require Work Item hint in Commit Comment precondition.

Precondition: Prevent Associations to External Work Items
Description: Allow Git commits to be pushed only if the process area that governs the Git repository and the project area for IBM® Engineering Workflow Management (EWM) work items mentioned in the commit comment are the same or in the same project area hierarchy.
To further restrict associations to the same team area, select the Restrict work item linking to team area option.
The team area for the work item is retrieved by using the built-in filedAgainst attribute.
If no work items are provided in the commit comment, then the precondition does not block the push operation. To mandate that commit comments contain work items, enable the Require Work Item hint in Commit Comment precondition.

Precondition: Prevent Work Item linking if Author is Approver
Description: Ensures that the Git commit author and the approver in the EWM work items are different. If any of the approvals in the work item has an approver who is the same as the Git commit author, the push operation is stopped.
The precondition only checks approvals of type Approval. If the work item contains no approvals of type Approval, the precondition does not perform any checks.
The precondition treats the Git commit committer as the author of the commit. It then retrieves an EWM contributor whose e-mail address is the same as the author's. If an EWM contributor cannot be retrieved by using the committer’s e-mail address, the push operation is stopped.
If no work items are provided in the commit comment, then the precondition does not block the push operation. To mandate that commit comments contain work items, enable the Require Work Item hint in Commit Comment precondition.

Precondition: Prevent Work Item linking if Author is not owner
Description: Allow push of commits only if the EWM work items mentioned in the comments are owned by the commit author.

Precondition: Require Work Item hint in Commit Comment
Description: Allow push of commits only if they have valid EWM work items mentioned in their comments. If a work item is not a valid EWM work item, then the push operation is stopped.
For a list of valid keywords, see Associating work items with commits.

Precondition: Require Work Items to Match Query
Description: Allows push of commits only if the work items mentioned in the Git commit comments are in the results of a query. Click Select Query to choose the query to use. You can choose a query that belongs to a different project area. You can configure the precondition to run the query in the context of the query’s owning project area or the precondition’s project area. The work items that are mentioned in the Git commit comments are categorized as follows:
- Local work items: Work items that belong to the project area in which the query runs. Only these work items are compared to the query results.
- External work items: Work items that do not belong to the project area in which the query runs. These work items are not compared to the query results.
The precondition fails if either of these conditions is true:
- At least one local work item is not included in the query results.
- No query has been configured in the precondition, or the configured query has been deleted.
Note: The categorization of work items as local or external depends on the project area context in which the query runs; it is not based on the query’s owning project area or precondition’s project area. You can configure whether the query runs in the precondition’s project area or in the query's owning project area, and whether external work items are allowed in the Git commit comment.
When query is from a different project area: If the query is from a different project area, select one of the following options:
- Run query in owning project area: The query runs in the query’s owning project area. All work items from the query’s project area are considered local work items. All other work items are treated as external work items.
- Run query in current project area: The query runs in the precondition’s project area. All work items from the precondition’s project area are considered local work items. All other work items are treated as external work items.
Work Items from Project Areas other than the Project Area the query will run in: Select one of the following options to control whether external work items are allowed in Git commit comments.
- Prohibit work items from other project areas: Prevents the push operation if any of the Git commits has external work items in its comment.
- Allow work items from other project areas: Allows the push operation even if any of the Git commits has external work items in its comment.
Note: If the Git commit comment contains only external work items and if Allow work items from other project areas is selected, then the precondition allows the push operation.
If you use #create syntax to create new work items from the Git commit comment, then the precondition allows the push of such commits. The precondition cannot validate such commits because the work item query result contains only work items that already exist in the repository.
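
The decision rules for Require Work Items to Match Query, modelled as an added Python example (not EWM code). It assumes work item references are already parsed from the commit comment; the WorkItemRef type, the match_query function and the sample project areas are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class WorkItemRef:
    """Work item reference already parsed from a Git commit comment."""
    id: Optional[int]            # None models "#create": the item does not exist yet
    project_area: Optional[str]  # project area that owns the work item

def match_query(refs, results_by_area, owning_area, precondition_area,
                run_in_owning_area, allow_external):
    """Return (allowed, reason) for one push.

    results_by_area maps a project area to the work item ids the query
    returns when it runs there; None models a missing or deleted query.
    """
    if results_by_area is None:
        return False, "no query configured, or the configured query was deleted"
    # Local vs. external is decided by where the query runs, not by who owns it.
    context = owning_area if run_in_owning_area else precondition_area
    results = results_by_area.get(context, set())
    for ref in refs:
        if ref.id is None:
            continue  # #create: cannot be validated, so the push is allowed
        if ref.project_area != context:
            if not allow_external:
                return False, f"external work item {ref.id} is prohibited"
            continue  # external items are never compared to the query results
        if ref.id not in results:
            return False, f"local work item {ref.id} is not in the query results"
    return True, "all local work items are in the query results"

# Constructed sample: query owned by "Platform", precondition set in "Payments".
RESULTS = {"Platform": {202}, "Payments": {101}}
REFS = [WorkItemRef(101, "Payments"), WorkItemRef(202, "Platform")]

if __name__ == "__main__":
    for owning in (True, False):
        for allow in (True, False):
            print(owning, allow,
                  match_query(REFS, RESULTS, "Platform", "Payments", owning, allow))
```

With Allow work items from other project areas selected, a comment that cites only external work items passes without the query results being consulted, as the Note in the table states.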

Precondition: Push Own Commits
Description: Allow push of commits only if they are created by the user. The precondition checks if the pusher of the commit and the author of the commit are the same EWM contributor.
The precondition treats the Git commit committer as the author of the commit.
The precondition checks if the pusher of the commit and the author’s name or e-mail match. If both do not match, then it derives an EWM contributor from the pusher and matches the contributor name with the author’s name. If a valid EWM contributor cannot be found or if the names do not match, the push operation is stopped.
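
The two committer-based checks in Table 1 (Prevent Work Item linking if Author is Approver and Push Own Commits), modelled as an added Python example; this is not EWM code. The pusher identifier, the lookup dictionaries, the use of contributor names as the comparison key, and evaluating the no-work-items case first are assumptions, and all sample data is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Commit:
    author_email: str     # Git author field: neither check reads it
    committer_name: str   # Git committer fields: what both checks
    committer_email: str  # treat as "the author of the commit"

@dataclass(frozen=True)
class Approval:
    type: str             # only approvals of type "Approval" are checked
    approver: str         # EWM contributor name (assumed comparison key)

def check_author_not_approver(commit, approvals_by_item, contributor_by_email):
    """Model of 'Prevent Work Item linking if Author is Approver'."""
    if not approvals_by_item:  # assumption: evaluated before the lookup
        return True, "no work items in the commit comment"
    author = contributor_by_email.get(commit.committer_email)
    if author is None:
        return False, "no EWM contributor for the committer e-mail"
    for item, approvals in approvals_by_item.items():
        if any(a.type == "Approval" and a.approver == author for a in approvals):
            return False, f"committer is an approver of work item {item}"
    return True, "committer approves none of the work items"

def check_push_own_commits(commit, pusher_id, contributor_by_pusher):
    """Model of 'Push Own Commits'; pusher_id is a hypothetical login value."""
    if pusher_id in (commit.committer_name, commit.committer_email):
        return True, "pusher matches the committer name or e-mail"
    name = contributor_by_pusher.get(pusher_id)
    if name is None:
        return False, "no EWM contributor for the pusher"
    if name != commit.committer_name:
        return False, "contributor name differs from the committer name"
    return True, "pusher's contributor name matches the committer name"

# Constructed sample data: Lee authored the change, Dana rebased it,
# so Dana is the committer that both checks evaluate.
BY_EMAIL = {"dana@example.com": "Dana Ng", "lee@example.com": "Lee Park"}
BY_PUSHER = {"dng": "Dana Ng", "lpark": "Lee Park"}
REBASED = Commit("lee@example.com", "Dana Ng", "dana@example.com")

if __name__ == "__main__":
    items = {4711: [Approval("Approval", "Dana Ng")]}
    print(check_author_not_approver(REBASED, items, BY_EMAIL))
    print(check_push_own_commits(REBASED, "lpark", BY_PUSHER))
```

In the sample, Lee Park is the Git author of REBASED but Dana Ng is the committer, so both checks evaluate Dana Ng.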