Search code examples
controlsclearcase

Access Control for a Component: Rational ClearCase

We have few components like

  • libraries

  • dlls

When initially created I ran the following command

cleartool> describe component:testcomponent@\res_pvob  
  component "testcomponent"  
  created 2010-03-11T12:07:47+05:30 by kadaba.CCUserGroup@user-b60d9d5638  
  owner: USER-B60D9D5638\kadaba  
  group: USER-B60D9D5638\CCUserGroup  
  Hyperlinks:  
cleartool: Warning: Unable to determine view for "component:testcomponent@\res_pvob".  
    ComponentRootDir -> <object not available>

I would like to restrict the component access to a few people only. I tried to use the protect command
I was able to change the owner and the group but when using -chmod it throws an error 

cleartool> protect -chmod 777 component:testcomponent@\res_pvob  
cleartool: Error: Cannot perform operation for activity:  "component:testcomponent@\res_pvob".
  1. How do I solve this error?
  2. I would also like to mention the other group, how do I do that?

Suppose I have this folder structure inside the component library say 

Apache  
Quartz

Since I access this through a view, is it possible to provide permissions for these folders.

I am hoping to get a clarity on how the access control can be defined.

Thanks in advance.

Solution

  • First, when you do operation on an UCM component, it is best to do it in a view referencing said component:

    cleartool: Warning: Unable to determine view for "component:testcomponent@\res_pvob".  
ComponentRootDir -> <object not available>

    That means your current location is unable to see the VOB where the component is defined.
    And that can explain your error message.

    Second: true access restriction is not easily done with ClearCase, since it depends entirely on the OS.

    One way we managed to do it is at the VOB level (not at the component level), by making a chmod 770 on the .vbs (vob storage) directly on the VOB server.

    The article VOB and view access control can bring a more detailed explanation.

    When a process requests access to VOB or view data, the process's credentials are evaluated by Rational ClearCase to determine whether the requested form of access is authorized. The following process credentials are important in making this determination:

    • User. The name of the user who starts the process.
    • Primary group. The primary group of the user who starts the process.
    • Supplemental group list. Other groups of which the user who starts the process is a member.

    That means you need to:

    • restrict the list of groups associated with a VOB (protectvob)
    • restrict the list of groups a user is part of (OS-related management)