Search code examples
clearcase

How to know which user has write access to Clearcase database?

How to know which user has write access to Clearcase database? It mainly means authorization to perform check-in but not only, for example modify a Clearcase value of a defined attribute...

How to have a list of all the user identifiers who modify something in a given VOB? In any of the VOBs?

Does exist specific roles and profile in Clearcase? Or just the Unix root?

For information: - ClearCase 8.0.1.4 (AIX 1 7) - BASE CLEARCASE only is used, not UCM.

Solution

  • Start with "VOB and view access control"; the main access criteria is user and groups:

    A user's name and group memberships are the principal credentials evaluated by Rational® ClearCase® when access is requested.

    So any user which is has, as a primary group (first group when typing id -a) the same group as the one of a Vob can access that Vob. See for example "ClearCase won't allow Check-In" (note: the view itself must be correctly protected as well)

    On AIX, you can use lsuser to list users of a given group.

    See more with "Access control for elements".

    But since ClearCase 9, you also have ACL authorization:

    You can use ACLs to protect the VOB object, policies, rolemaps, and elements (other object types, such as branch types and label types, must be secured by the protection mechanisms of the operating system

    You can setup policies (see cleartool lspolicy), and rolemaps

    You use a rolemap to specify the principals that take on roles listed in a policy, and to apply the access controls to one or more VOB objects.

    The intention is that you can define a small number of policies that determine ‘how' you apply permissions to objects. You then define a number of rolemaps for each policy describing ‘who' takes on the roles in the policy.

    By listing rolemaps (cleartool lsrolemap), you can back a list of groups, from which you can deduce the list of users:

    Role:Reader --> Group:DOMAIN/developers
Role:Manager --> Group:DOMAIN/mgrs
Role:Developer --> User:DOMAIN/danny
Role:Integrator --> Group:DOMAIN/integs
Role:Developer --> Group:DOMAIN/devs
Role:Administrator --> User:DOMAIN/vobadmin