
In my project I have to create users who are allowed read-only access to a VOB. To accomplish this, as per my study and understanding, I have created different groups and, directory-wise, I have changed the root group to the respective group. Example: under the VOB I have three directories dA, dB and dC, and I created 3 groups gA, gB and gC. Even after protecting the directories by chmod 770 so that other groups could not do Checkin/Checkout: 1. Other groups' users could still access the directories. 2. And other groups are still able to do Checkin/Checkout.

Please suggest how I can restrict VOB components (on a directory basis) from being checked out/in by a specified user in ClearCase.

1 Answer

ClearCase 7.x:

chmod on the vob storage itself isn't enough to prevent checkout/checkins modification operations: you need to consider the CLEARCASE_PRIMARY_GROUP environment variable used by each user.

If that group is not part of the primary group or secondary groups declared in the vob, they wouldn't be able to checkout/checkin.

See also "About ClearCase permissions on Windows".

As mentioned in this thread:

Unless user is a member of the element's group, he or she would not be able to make any changes (checkouts/check-ins). It can be used to grant read-only access to a VOB, when elements "world" rights are not revoked.

BTW, even when required group membership is not granted, it would not prevent user from creating metadata, such as branch or label types. Triggers would be required to restrict these operations.

This thread confirms:

you are stuck with a pre-op trigger on checkout.
Add the "read-only" users to the group and only allow users in a list (either in the trigger itself or as an attribute on the VOB) to perform checkouts.

ClearCase 8.x

CC8 introduces the notion of access control lists (ACLs), which simplify the security of your versioned object bases (VOBs).

http://www.ibm.com/developerworks/rational/library/effective-governance-compliance-clear-case-ACLs/image001.png

See more with "Ensure effective administration and security in Rational ClearCase 8.0.1"

VonC
  • Hi VonC, Thanks for your smart response. We are using Linux systems for both server and clients. I have installed the CC Client on the client machine. The ClearCase I am using is 8.0.1. So I set the ACL for components as readonly by root user at the server. So I hoped it would work but it didn't. Please suggest, and I am confused about "CLEARCASE_PRIMARY_GROUP": whether it is useful only in Windows or I could use this in Linux also. Thanks in advance.. – Onkar Gurav Dec 29 '14 at 19:48
  • @OnkarGurav On Linux, you would not use `CLEARCASE_PRIMARY_GROUP`, but rely on the primary group of your account (the `gid` when you type `id -a`) – VonC Dec 29 '14 at 19:49
  • The requirements are like this: all groups should have access to all directories but only one group for each directory is allowed to do CO/CI. With this I created 3 grps and changed the primary grp of the associated directories to the respective grps, and I gave 770 so that those grps should have wr access and other grps should have readonly access. But still all groups are able to CO/CI. Please direct me to achieve this. – Onkar Gurav Dec 29 '14 at 20:18
  • @OnkarGurav my point is: with CC7 or CC8, using system groups only won't be enough. You need to take into account the primary group associated with the Vobs as well as the ClearCase ACL mechanism (for CC8) – VonC Dec 29 '14 at 20:21
  • Oh! Got it. In many of my readings only system groups were considered, which led to this confusion. Thanks for your quick responses.. I couldn't try this now, tomorrow I will try and respond. – Onkar Gurav Dec 29 '14 at 20:29
  • Thanks a lot... It worked.. Could you help me in finding out ClearCase features over SVN.. It would be very helpful.. – Onkar Gurav Dec 30 '14 at 11:25
  • @OnkarGurav by "ClearCase features over SVN", do you mean features from ClearCase which are better than the ones in SVN? – VonC Dec 30 '14 at 11:26
  • Yeah exactly but with some common features also in which CC leads SVN. Thanks in advance.. You were very helpful... – Onkar Gurav Dec 30 '14 at 12:48
  • @OnkarGurav CC UCM is one: http://programmers.stackexchange.com/a/41568. Dynamic view is another (http://stackoverflow.com/a/2925378/6309, and second part of http://stackoverflow.com/a/1074785/6309). Merge is a third: http://www-01.ibm.com/support/knowledgecenter/SSSH27_7.1.1/com.ibm.rational.clearcase.cc_proj.doc/c_bcc_howmrgng.htm?lang=en vs http://programmers.stackexchange.com/q/171536/3915 or http://programmers.stackexchange.com/q/35074/3915) – VonC Dec 30 '14 at 12:54
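
The pre-op checkout trigger mentioned in the answer, with the allow list kept in the trigger itself, could look like the following. This is an added example, not code from the thread: the directory names dA/dB/dC come from the question, while the user names, the script path and the trigger type name are constructed, and it assumes the standard trigger environment variables `CLEARCASE_OP_KIND`, `CLEARCASE_USER`, `CLEARCASE_VOB_PN` and `CLEARCASE_PN`.

```shell
#!/bin/sh
# Added example: pre-op checkout trigger that denies by default.
# Assumed registration (hypothetical path and type name):
#   cleartool mktrtype -element -all -preop checkout \
#       -exec /opt/cc_triggers/co_allow.sh CO_ALLOW_LIST

# One line per top-level VOB directory: "<dir>:<space-separated users>".
# Directories are from the question; user names are constructed.
ALLOW_LIST='dA:alice arun
dB:bob
dC:carol chen'

# top_dir VOB_ROOT ELEMENT_PATH -> first path component below the VOB root
top_dir() {
    rel=${2#"$1"}      # strip the VOB root prefix
    rel=${rel#/}       # strip the separator that follows it
    printf '%s\n' "${rel%%/*}"
}

# checkout_allowed USER VOB_ROOT ELEMENT_PATH -> status 0 only if listed
checkout_allowed() {
    dir=$(top_dir "$2" "$3")
    # Fail closed when the user or the directory cannot be determined.
    [ -n "$1" ] && [ -n "$dir" ] || return 1
    users=$(printf '%s\n' "$ALLOW_LIST" |
        awk -F: -v d="$dir" '$1 == d { print $2 }')
    for u in $users; do
        [ "$u" = "$1" ] && return 0
    done
    return 1           # unknown directory or unlisted user: deny
}

# Act as a trigger only when ClearCase has set the operation kind.
if [ "${CLEARCASE_OP_KIND:-}" = "checkout" ]; then
    if checkout_allowed "$CLEARCASE_USER" "$CLEARCASE_VOB_PN" "$CLEARCASE_PN"; then
        exit 0
    fi
    echo "checkout denied for $CLEARCASE_USER on $CLEARCASE_PN" >&2
    exit 1             # non-zero exit from a pre-op trigger cancels the checkout
fi
```

Read-only users stay in the VOB group for read access, and anyone not listed for a directory is refused at checkout, including for directories missing from the list.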