Just what the title says: can I control what user is able to modify ClearCase attributes on a file-per-file basis based on some kind of permission system?
I am using Unix, but it also might be interesting to know if this is possible on Windows.
The default permission system is the one described with the cleartool command for modifying an attribute value: cleartool mkattr (which is not the same as creating a new attribute type: cleartool mkattype).
ACL authorization
If ACLs are enabled, the principal must have the following permissions:
- To attach an attribute to a policy, rolemap, or VOB: read-info on object, mod-attr on object, read-info on VOB object
- To attach an attribute to a version or element: mod-attr on element, read-info on element, read-info on VOB object
- Other operations: read-info on VOB object, one of the non-ACL authorization identities
Non-ACL authorization
You must have one of the following identities:
- Element owner
- Element group member
- Object owner
- Object group member
- VOB owner
- root (UNIX and Linux)
- Member of the ClearCase administrators group (ClearCase on Windows)
That applies on Linux or Windows, but depends on your ClearCase version.
Starting with ClearCase 8.0.1, you can activate ACLs: see "ACL enforcement and enablement for VOBs and VOB objects".
In your case, enabling ACLs would be closer to what you are looking for: policies and rolemaps.
Policies
Policies have four sections:
- VOB,
- policy,
- rolemap, and
- element.
Each section specifies an access control list, or ACL, which is a list of ACEs.
Each ACE identifies a principal and the permissions granted to that principal.
Policies typically specify Role principals, thereby defining role names used in the policy. Policies can also list specific users or groups.
Rolemaps
Rolemaps assign specific users or groups to the roles defined in the associated policy.
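
The following added example (not part of the original answer and not ClearCase code) models how a policy and a rolemap combine into a per-element decision for the mkattr rule quoted above. It assumes each element is protected by one rolemap and that permissions from all matching ACEs add up; the role names, users, groups and function names are hypothetical.

```python
# Simplified model (an assumption, not ClearCase code): an ACE is
# ((kind, name), permissions) with kind in {"Role", "User", "Group"}.
POLICY = {  # constructed sample policy; role names are hypothetical
    "vob": [(("Group", "dev"), {"read-info"})],
    "element": [
        (("Role", "Maintainer"), {"read-info", "mod-attr"}),
        (("Role", "Reader"), {"read-info"}),
    ],
}
# Two rolemaps over the same policy: who fills each role differs per rolemap.
ROLEMAP_CORE = {"Maintainer": [("User", "alice")], "Reader": [("Group", "dev")]}
ROLEMAP_DOCS = {"Maintainer": [("Group", "docs")], "Reader": [("Group", "dev")]}
USERS = {"alice": {"dev"}, "bob": {"dev", "docs"}}  # user -> groups (constructed)


def matches(principal, user, rolemap):
    """True if the ACE principal designates this user under the rolemap."""
    kind, name = principal
    if kind == "User":
        return name == user
    if kind == "Group":
        return name in USERS.get(user, set())
    if kind == "Role":  # roles resolve through the rolemap to users/groups
        return any(matches(p, user, rolemap)
                   for p in rolemap.get(name, []) if p[0] != "Role")
    return False


def granted(user, section, rolemap):
    """Union of permissions from every ACE in the section that matches."""
    perms = set()
    for principal, ace_perms in POLICY.get(section, []):
        if matches(principal, user, rolemap):
            perms |= ace_perms
    return perms


def may_mkattr_on_element(user, element_rolemap, vob_rolemap):
    """mkattr on a version or element: mod-attr and read-info on the
    element, plus read-info on the VOB object."""
    on_element = granted(user, "element", element_rolemap)
    on_vob = granted(user, "vob", vob_rolemap)
    return {"mod-attr", "read-info"} <= on_element and "read-info" in on_vob
```

Elements placed under different rolemaps get different sets of users who can modify attributes, even though the policy is shared.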