Effective ACLs

When DevOps Code ClearCase® enforces access controls in a VOB, it uses an effective ACL for each metatype.

The effective ACL is computed by combining the rolemap and its policy, substituting the role mappings in the rolemap for the roles in the policy's ACEs. The net result is an ACL that has no indirect principals and is easy to interpret during an access check.

For example, when this policy:

[vob]
user:DOMAIN/backup read
Role:Manager read
Role:Developer read
Role:Integrator read
Role:Administrator Full
[element]
user:DOMAIN/backup read
Role:Manager read
Role:Developer change
Role:Integrator change

is combined with this rolemap:

Role:Reader --> Group:DOMAIN/developers
Role:Manager --> Group:DOMAIN/mgrs
Role:Developer --> User:DOMAIN/danny
Role:Integrator --> Group:DOMAIN/integs
Role:Developer --> Group:DOMAIN/devs
Role:Administrator --> User:DOMAIN/vobadmin

the resulting effective ACL for the VOB is:

User:DOMAIN/backup read
Group:DOMAIN/mgrs read
User:DOMAIN/danny read
Group:DOMAIN/devs read
Group:DOMAIN/integs read
User:DOMAIN/vobadmin Full

and the effective ACL for elements is:

User:DOMAIN/backup read
Group:DOMAIN/mgrs read
User:DOMAIN/danny change
Group:DOMAIN/devs change
Group:DOMAIN/integs change

You can display the effective ACL of an object using cleartool describe -eacl object-selector.
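
The substitution described above can be reproduced offline to review a policy and rolemap before they are applied. The following Python sketch is an added example, not ClearCase code: the function names are hypothetical, the input is the policy and rolemap text from this page, and it assumes that a role with no mapping contributes no ACE and that the principal-kind prefix (user:/User:) is case-insensitive.

```python
POLICY = """[vob]
user:DOMAIN/backup read
Role:Manager read
Role:Developer read
Role:Integrator read
Role:Administrator Full
[element]
user:DOMAIN/backup read
Role:Manager read
Role:Developer change
Role:Integrator change"""  # policy text copied from the example on this page
ROLEMAP = """Role:Reader --> Group:DOMAIN/developers
Role:Manager --> Group:DOMAIN/mgrs
Role:Developer --> User:DOMAIN/danny
Role:Integrator --> Group:DOMAIN/integs
Role:Developer --> Group:DOMAIN/devs
Role:Administrator --> User:DOMAIN/vobadmin"""  # rolemap copied from this page

def parse_policy(text):
    """Return {metatype: [(principal, permission), ...]} in ACE order."""
    policy = {}
    for line in text.splitlines():
        if line.startswith("["):
            aces = policy.setdefault(line.strip("[]"), [])
        else:
            aces.append(tuple(line.rsplit(None, 1)))
    return policy

def parse_rolemap(text):
    """Return {role: [principal, ...]}; one role may map to several principals."""
    roles = {}
    for line in text.splitlines():
        role, principal = line.split(" --> ")
        roles.setdefault(role, []).append(principal)
    return roles

def effective_acls(policy, roles):
    """Substitute each Role ACE with its mapped principals, keeping ACE order."""
    out = {}
    for metatype, aces in policy.items():
        for who, perm in aces:
            # Assumptions: unmapped role yields no ACE; kind prefix is case-insensitive.
            targets = roles.get(who, []) if who.startswith("Role:") else [who]
            out.setdefault(metatype, []).extend((t[0].upper() + t[1:], perm) for t in targets)
    return out

def unused_roles(policy, roles):
    """Mapped roles that no ACE in the policy references."""
    return sorted(set(roles) - {who for aces in policy.values() for who, _ in aces})
```

On this page's data, unused_roles returns Role:Reader: the rolemap maps it to Group:DOMAIN/developers, but no ACE in the policy references it, so that group appears in neither effective ACL.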