Monday, November 1, 2010

Re: VOB access control

Thank you Brian for your answer.

I should maybe have mentioned that I'm still a beginner in ClearCase management, so the following answers may reflect my level.

%% >> * As far as I understood, Clearcase access control is based on windows access control (right click on a vob folder, security and share...)

%% Yes and no. Windows access control is only part of the picture. Windows access control is what gets you to the containers in the pools, and what limits your ability to mount a VOB. Beyond that, you're looking strictly at ClearCase permissions, which are more unix-like.

%% >> * When I add a group through cleartool to the vob, I don't see any change in the windows security window.

%% Generally speaking, this is normal behavior. You may see the windows permissions on the pool directories change, but not on the .vbs itself. cleartool protect -add_group adds a group to the list of groups that can create or "own" elements within the VOB. That's essentially ALL it does. It does not control a user's ability to access elements in that VOB. The element permissions do that.

Ok, that's understood :)

%% >> * When I 'cleartool describe' a vob folder, I only get "User : UNKNOWN and Group: UNKNOWN" information

%% This shouldn't happen unless the user who owns that element can't be looked up from the host you're on. Are you using a non-domain system as the test system?

I am using a computer in the domain and everything; this may be due to the different manipulations I did on the VOBs. Once I get the clean method to protect VOBs, I will create new test VOBs and see if this problem remains.

%% >> * The only achievements to which I got today were by changing directly the accesses to the ".vbs" folders either for the PVOB or the VOB, without passing by cleartool.

%% Don't do this. You run a better than 90% chance of BREAKING the VOB storage directory permissions. You will become very familiar with the "fix_prot" utility if you persist in doing this.

Good to know. I actually got this kind of error, and trying fix_prot returned me errors in the permissions message.

----

Now the hardest part for me.

%% If this is an all-Windows environment (yes), and you want only authorized users to be able to mount VOBs

I may not have used the correct method previously, but so far what I'm doing is using the project explorer to display the different VOBs (from which I can already see the different activities that I would like to hide), and I never "mounted" a VOB. Am I doing it all wrong?

%% (If users can't mount the VOB, they can't access the contents) try setting up multiple project-specific shares on your VOB server.

"Multiple project-specific shares". On my side I am creating one set of VOB/PVOB per project, then creating "clearcase-named" projects per sub-project. (Ouch... this isn't clear. Let's say that I have one project to develop an airplane software and another one to develop a pong game; these would be two different VOBs. Then, if I have two sub-projects within the airplane software project, I would create two ClearCase projects within the VOB.) Is it the right way to do it?

%% You then grant ONLY the "ClearCase Server process Group" and the group of users access through that share using SHARE PERMISSIONS ONLY.

Are you here mentioning the SHARE PERMISSIONS on the Windows environment or another way to handle it? Supposing I have a base ClearCase group ccgroup and two other groups that shouldn't have access to every VOB (ccgp1 & ccgp2), shall I only give SHARE PERMISSIONS to ccgroup and not the others in order to avoid having them see the VOB? Is it really sufficient?

%% You may have users who try to get around this using snapshot views, but while they may be able to see the NAMES of the files in the directories, they won't be able to load any of those files into their views.

If they can create views then I suppose that they can see the activities?

%% If you want to limit that, you would have to work with element permissions. The biggest problem here is that you can only work with 16 or 32 groups, depending on the VOB storage platform, and this limits the number of options you have there.

Sorry for all these questions, but I feel like I have always done it the wrong way since I discovered ClearCase...

